Understanding the Interrelationship of Risk and its Impact on Operations
This past week has seen a global risk event in the Crowdstrike/Microsoft outage that illustrates the need for organizations to address risk and resilience management . . .
Risk management is often misunderstood, misapplied, and misinterpreted due to scattered and uncoordinated approaches that get in the way of sharing data. Various departments manage risk with different approaches, models, requirements, and perspectives on risk and how it should be measured and managed. Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a significant challenge for enterprise risk visibility and fails to provide actual value to the business in pursuit of objectives. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk, not the aggregate picture, and cannot recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is little opportunity to be intelligent about risk.
A siloed approach to risk management fails to deliver insight and context and makes it nearly impossible to connect risk management and decision-making, business strategy, objectives, and performance. This is because risk intersects, compounds, and interrelates with other risk areas to create a more significant risk exposure than each silo is independently aware of. Today, it is critical that all these roles work off the same data and that this risk data is clean, reliable, timely, and thus actionable and meaningful.
Keeping risk, complexity, and change in sync is a challenge not only when risk management is buried in the depths of departments but also when risk management is approached as a compliance or audit function and not as an integrated discipline of decision-making that has a symbiotic relationship with performance and strategy. Unfortunately, risk management is only an expanded view of routine financial controls for some organizations, resulting in nothing more than a deeper look into internal controls with some heat maps thrown in. It does not truly provide an enterprise view of risk aligned with strategy and objectives. Completing a risk assessment process and ticking the box has gotten in the way of proper risk analysis and understanding.
ISO 31000 defines risk as the effect of uncertainty on objectives. Risk management is about managing uncertainty. Organizations need to link and measure risk to strategic objectives. Good risk management results in improved decision-making and fewer surprises when achieving the organization’s objectives.
Today’s organization needs to be agile in managing risk and its impact on the organization’s objectives from the moment it is developing on the horizon, as well as resilient in recovering from risk events when they materialize. Organizations need to understand how to monitor risk-taking, measure whether the associated risks are the right risks to achieve objectives, and review whether the risks are managed effectively to ensure the organization’s agility and resilience. Amidst this uncertainty, effectively managing risk and building resilience has become imperative for organizational success.
To manage risk effectively, organizations must adopt a holistic approach encompassing a top-down strategic view aligned with objectives and a bottom-up operational perspective embedded within processes and activities. This aligns with the OCEG definition of GRC where “GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].”
However, the modern organization faces many challenges in addressing an integrated risk and resilience management approach. These include:
- Lack of risk agility. Organizations often struggle to respond promptly to emerging risks due to rigid processes and hierarchies. Failure to adapt quickly to changing circumstances can lead to missed opportunities or unanticipated threats.
- Fragmented and inaccurate risk data. Siloed data across disparate systems makes obtaining a comprehensive view of risks challenging. Inaccurate or outdated data undermines the reliability of risk assessments and decision-making processes.
- Limited visibility. Limited visibility into interconnected risks and dependencies hampers the ability to anticipate and mitigate potential impacts. Organizations are vulnerable to cascading failures without a clear understanding of the entire risk landscape.
- Inefficient manual processes for risk management. Manual and disjointed risk management processes result in inefficiencies and delays. Hundreds or thousands of out-of-sync documents, spreadsheets, and emails encumber these. The lack of automation and standardized workflows impedes timely identification and response to risks.
- Inadequate risk reporting. Traditional risk reporting methods often fail to provide actionable insights or meaningful context. Poorly structured reports obscure critical risk information and hinder informed decision-making.
- Limited scalability. Scalability challenges arise when existing risk management practices cannot accommodate growth or organizational changes. Scaling risk management efforts across multiple business units or geographies becomes increasingly complex.
- Resource intensiveness. Resource constraints, both in terms of personnel and technology, hinder effective risk management efforts. Limited resources result in suboptimal risk mitigation strategies and increased vulnerability. Too often, GRC 20/20 hears that 80% of risk staff time is spent managing documents, spreadsheets, and emails rather than managing risk.
- Ineffective collaboration. Siloed organizational structures and cultural barriers inhibit collaboration and information sharing. Lack of cross-functional collaboration undermines the ability to identify and address systemic risks.
- Resilience planning gaps. Inadequate focus on resilience planning leaves organizations vulnerable to disruptions. Failure to anticipate and prepare for potential risk events can lead to significant operational disruptions and financial losses.
- Difficulties in business change management. Resistance to change and organizational inertia pose challenges to keeping risk current as the business continuously evolves.
The Bottom Line: The goal is comprehensive, straightforward insight into risk and resilience management to identify, analyze, manage, and monitor risk in the context of the organization’s objectives and how it impacts strategy, performance, operations, processes, and services. It requires the ability to continuously monitor changing contexts and capture changes in the organization’s risk profile from internal and external events as they occur that can impact objectives. This enables risk agility to forecast and plan what is coming at the organization to prepare and navigate it. It also gives a detailed understanding of how the organization operates and how it breaks to ensure resilience when risk becomes a reality. Successful risk and resilience management requires the organization to provide an integrated strategy, process, information, and technology architecture.
This post is an excerpt from GRC 20/20’s latest research paper: Risk & Resilience Management by Design and Illustrated in Risk & Resilience Technology Illustrated.
Michael, right to the point! I agree about the need for a comprehensive risk function, and from a vendor’s perspective, we see that unfortunately, too many strategies and risk frameworks are still automated in spreadsheets.
One of the fundamental problems with risk management is that it is poorly cascaded to the lower levels. Senior management can invest a lot of effort into building comprehensive frameworks, but it’s crucial to cascade them down to the level of engineers. This means not just mandating orders from the top down but making those engineers real co-authors of certain controls and strategies.
For instance, in the case of a hypothetical CrowdStrike-like scenario, such an engineer might have suggested deploying updates gradually—starting with a sandbox, then regional deployment, and finally, global deployment. Yes, it’s slower and requires more resources, but it could minimize the impact.
The positive side of this particular risk event is that it has driven many relevant discussions.