Challenges in Risk Management

Written by The GRC Pundit

Published on2019-05-28Updated on2019-05-28Discussion1 Comment on Challenges in Risk Management

Providing 360° Contextual Awareness of Risk

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to risk management: 

The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.

Fritjof Capra

Capra’s point is that biological ecosystems are complex, interconnected, and require a holistic understanding of the intricacy in interrelationships as an integrated whole, rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. Consider the interconnectedness of a cycle of risk in the context of a draught and a forest fire. A drought increases the risk of a forest fire. If a fire should start this further contaminates the water as a byproduct of the fire. As the forest regrows it further reduces the water supply to sustain this growth which could cause more drought conditions.

This is true in risk management. What complicates this is the exponential effect of risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes can leave the organization with fragments of truth that fail to see the big picture of performance, risk, and controls across the enterprise, as well as how it supports their strategy and objectives. The organization has to have holistic visibility and 360° contextual awareness into risk relationships across the enterprise. Complexity of business and intricacy, and interconnectedness of risk data, requires that the organization implement a risk management strategy.

Organizations take risks all the time but fail to monitor and manage these risks effectively in an environment that demands agility. Too often risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision- making, and objectives. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in inevitable failure of risk management, providing case studies for future generations on how poor risk management leads to the demise of organizations – even those with strong brands. 

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this risk, complexity, and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout all levels of the business. This challenge is even greater when risk management is buried in the depths of departments and approached from a compliance or audit angle, and not as an integrated discipline of decision-making that has a symbiotic relationship on performance and strategy. Organizations need to understand how to monitor risk-taking, measure that the associated risks being taken are the right risks, and review whether the risks are managed effectively.

Risk management in the modern organization is:

• Distributed.Even the smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner, and client relationships. The traditional brick and mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions which define the organization.  Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
• Dynamic.Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with shifting business strategies, technologies, and processes while also keeping pace with change to risk environments around the world. The multiplicity of risk environments that organizations have to monitor span regulatory, geopolitical, market, credit, and operational risks. Managing risk and business change on numerous fronts has buried many organizations.
• Disrupted.The explosion of data in organizations has brought on the era of “Big Data” and with that “Big Risk Data.” Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, veracity, and volume of risk data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
• Accountable.There is growing awareness among executives and directors that risk management needs to be taken seriously. It is part of their fiduciary obligations to oversee risk management as an integrated part of business strategy and execution. Furthermore, regulations that are increasing personal liability within these roles, such as the UK Senior Managers and Certification Regime (among other similar regulations), put an emphasis on business leaders taking greater interest and accountability for risk, control, and compliance.

Understanding the Interrelationship of Risk and its Impact

Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches that get in the way of sharing data. Risk is pervasive; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at department and process levels, and continue to build as organizations develop operational and enterprise risk management strategies that span these departments. 

For some organizations, risk management is only an expanded view of routine financial controls, resulting in nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk aligned with strategy and objectives. Completing a risk assessment process and ticking the box has got in the way of true risk analysis and understanding. 

Risk management is about the risk of not achieving objectives, therefore making the ability to link and measure risk to strategic objectives critical; as is monitoring performance against those objectives. The outcome of this is improved decision-making, better return on investment across the business, improved profitability, and a better customer experience.

Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge to achieving this. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is little opportunity to be intelligent about risk. This is due to the fact that it intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and decision- making, business strategy, objectives, and performance. Risk accountability is frequently distributed across different board level owners. Today it is critical that these roles are all working off the same data and that this risk data is clean, reliable, and timely.

It can be bewildering to make sense of risk management and its varying factions across strategic, financial, credit, market, conduct, operational, project, legal, regulatory, third-party, strategic, insurance, and hazard risks. It makes enterprise and operational risk management a challenge if a risk management strategy forces everyone into one flat view of risk, confirming to have significant issues in risk normalization and aggregation as they roll-up risk into enterprise risk reporting. This is exponentially compounded when risk velocity is considered: when risk materializes into an event it moves very quickly. Are organizations agile enough to react?

The Risk Central Nervous System

Organizations need to develop a risk management capability aligned with strategy, performance, and objectives that operate as a risk central nervous system. Consider the following from Steve Balmer:

If you think of the human body, what does our nervous system let us do? It lets us hear, see, take input. It lets us think, analyze, and plan. It lets us make decisions and communicate and take action. Every company has a nervous system: companies take inputs, they think, they plan, they communicate, they take action.

Steve Balmer, former CEO Microsoft

A nervous system connects with other major systems of the body, and provides among others analytical capability, strategic thinking, and quick response to the environment. 

In the same context, organizations need a command and control hub that provides the analytical capability to measure and monitor a connected view of risk across:

• Strategy
• Operations
• Compliance & Regulatory
• Reputational
• Conduct
• Market
• Insurance
• Credit
• Liquidity

Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on a risk management process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events. The demand is for predictive analytics to extract from this mass amount of data what exactly will help to prevent future significant losses, events, as well as incidents, and further help strategic business objectives succeed.

This means enabling a federated and connected view of risk that leverages artificial intelligence, machine learning, and robotic process automation to make the risk management process more efficient, effective, and agile. This in turn enables organizations to spend more time focusing on the analysis of risk in the context of the organization, its strategy, and objectives. Technology makes it easier to share data, while still maintaining independence of thought and action across the organization. 

In light of this, organizations should consider: 

• How does the organization know it is taking and managing risk effectively to achieve optimal operational performance, and meet its strategic objectives? 
• Which objectives could fail as a result of current risks?
• How does the organization make the right business decisions?
• What impact does risk have on products and services? 
• What is the impact or potential impact on customers?
• Do businesses understand the interrelationships and correlations between risks? 
• Does the organization understand the relationships generally between cause and effect, processes, end-to-end process flows, and products and services? 
• Does the organization understand the risk exposure to each individual objective or process, and how it interrelates with other risks to aggregate into an enterprise perspective of risk? 
• Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels? 
• Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities? 
• Does the organization monitor key risk indicators across critical projects and processes? 
• Is the organization optimally measuring and modeling risk?

Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from: 

• The external perspective.Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources. 
• The internal perspective.Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points. 

The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their own view of risk. This can then roll into enterprise and operational risk management and reporting that supports business objectives while being integrated with decision-making processes. This can be done through a common risk management strategy, process, information, and technology architecture that supports overall risk management activities from the process level up through an enterprise view. 

Organizations need to clearly understand the breadth and depth of their risk management strategy and process requirements, and from there select the right information and technology architecture that is agile and flexible to meet the range of risk management needs for today, and into tomorrow. 

Upcoming Risk Management Webinar Series

The Evolution of Risk: Impacting Change Across the Organization

• PART 1: Overcoming Top Challenges in Risk Management, May 29 @ 11:00 am – 12:00 pm CDT
• PART 2: Developing an Enterprise Risk Management Strategy & Policy, June 19 @ 11:00 am – 12:00 pm CDT
• PART 3: Understanding the Lifecycle & Process of Risk Management in the Rhythm of Business, July 23 @ 11:00 am – 12:00 pm CDT
• PART 4: How Technology Makes Risk Management Efficient, Effective, & Agile (and How to Build a Business Case), August 20 @ 11:00 am – 12:00 pm CDT

Upcoming Risk Management by Design Workshops

• Risk Management by Design, London, United Kingdom, June 12
• Risk Management by Design, South Africa, September 11
• Risk Management by Design, Dublin, Ireland, October 22

Other GRC 20/20 by Design Workshops

• Enterprise GRC by Design, Baltimore, USA, June 2
• Policy Management by Design, London, United Kingdom, June 13
• Third Party Management by Design, Seattle, USA, September 24
• Third Party Management by Design, Minneapolis, USA, September 26
• Third Party Management by Design, Charlotte, USA, October 7
• Policy Management by Design, New York, USA, October 24