Monitoring and Managing Risk Effectively
A Challenge for Boards, Executives, and Risk Management Professionals
Organizations take risks all the time but fail to monitor and manage risk effectively. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands. Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business.
Organizations Need to Understand the Interrelationship of Risk and Its Impact
Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. For some organizations, risk management is only an expanded view of routine financial controls, is nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk. Despite this misperception, organizations remain keenly interested in how to improve risk management.
Risk is pervasive throughout organizations; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at project and department levels, and build as organizations develop operational and enterprise risk management strategies.
Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as risk intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and business strategy, objectives, and performance.
It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/regulatory, third-party, strategic, insurance, and hazard risks. Enterprise and operational risk management become a challenge when the risk management strategy forces everyone to conform to one flat view of risk, which creates significant problems in risk normalization and aggregation as departments roll up risk into enterprise risk reporting.
Selecting the Correct Risk Technology Is Crucial to Success
In addressing this, many organizations look to risk management/GRC platforms to provide the range of capabilities they are looking for. This is done particularly when they have enterprise or operational risk management strategies to provide an integrated view of risk across the organization. Indeed, for many industries risk management is so fundamental to the success of their business model that it is indoctrinated throughout their core policies and operating procedures.
Organizations have adopted a wide range of technologies for risk management. Some are broad enterprise or operational risk platforms. Some solutions are very narrow and limiting, so that different departments lose capabilities they need, while others are very broad and adaptable. There are also a variety of very focused risk solutions that excel at specific areas of risk management. These include:
- Solutions focused on specific risks. These are solutions designed to manage and assess risk deeply in a very specific risk area, such as commodity risk, foreign exchange risk, privacy risk, model risk, and dozens of other risk areas.
- Solutions focused on department/function risk management needs. These are solutions aimed at managing risks within a common department/functional area, providing a common platform that specializes in risk within that area, such as information security, health & safety, corporate compliance, audit, finance, treasury, and more.
- Solutions aimed at project risk management. These are solutions that help the organization manage risk in projects.
- Solutions aimed at finance/treasury risk management. These are solutions aimed at managing an array of financial and treasury risks such as capital, market, liquidity, and credit risks.
- Solutions aimed at operational risk management. These are solutions aimed at managing operational risks across departments to provide an integrated view of risk across business operations.
- Solutions aimed at enterprise risk management. These are solutions that take an integrated view of strategic, finance/treasury, and operational risks (legal and compliance risk being part of operational risk). However, many solutions that advertise themselves as enterprise risk management really are only doing operational or department risk management.
- Tools for risk management. Then there are a range of solutions that assist in risk management but do not fit in one of the other areas. They are tools for surveys, questionnaires, and assessments, or they assist in modeling risk, such as Monte Carlo tools or Bayesian modeling.
Providing 360° Contextual Awareness of Risk
Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on an information architecture that can show the relationship between objectives, risks, controls, loss, and events.
In light of this, organizations must evaluate:
- Does the organization understand the risk exposure of each individual process/project and how it interrelates with other risks and aggregates into an enterprise perspective of risk?
- How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
- Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
- Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
- Does the organization monitor key risk indicators across critical projects and processes?
- Is the organization optimally measuring and modeling risk?
Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:
- The external perspective: Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
- The internal perspective: Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.
The bottom line: Organizations are best served by taking a federated approach to risk management that allows different projects, processes, and departments to have their own view of risk that can roll into enterprise and operational risk management and reporting. This is done through a common information and technology architecture that supports overall risk management activities from the project level up through an enterprise view. Whether for a project or department risk management need, or to manage enterprise and operational risk across the organization, risk management solutions are in demand. Organizations need to clearly understand the breadth and depth of their risk management technology requirements and select the solution that is agile and flexible enough to meet the range of the organization's risk management needs today and into tomorrow.
Watch on demand GRC 20/20's guidance on the risk management technology market and what makes a basic, common, and advanced risk management solution or platform.