2023 GRC Trends: Resilience (continued) . . .
In the previous post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. Then we dove deep into the first trend of the need for GRC agility, and then explored GRC resilience . . . and we continue with resilience before we move on to the third trend of five, integrity . . .
I know, I know . . . I already posted on resilience. But I have more to say.
But first, some backstory. A good research analyst engages and talks to those in the trenches doing governance, risk management, and compliance. An analyst that is on an Ivory Tower and makes people/organizations scurry up the tower to seek wisdom is not part of the real world. Good research, including market research, is rolling up the sleeves and getting involved. In my travels, I make sure to book meetings with organizations to see what they are doing. What keeps them up at night in the context of GRC. How do they solve those nightmares and challenges with strategy, process, and technology. I love getting involved in RFPs and being involved. I love keeping solution providers honest in RFPs.
Last week I had one, actually several, of those amazing interactions while in London. One really stood out on the topic of risk and resilience management that really stood out with a global hospitality firm.
First, resilience is critical to them. Reading my blogs on the topic and engaging their business, they have shifted their department focus to a focus on resilience. Risk, Resilience & Assurance that is.
A key element of the resilience trend I previously wrote on that they commented on is that their line of business embraces it. Risk is often passed around like a hot potato. Who wants to own and be accountable for risk? But resilience is something the board, executives, and the line of business understand and desire. Who does not desire a resilient business? They have found that the business is more apt to be engaged and own resilience over risk management.
Even with resilience as a core message of engagement, it is about maturing risk management in the business itself and enhancing risk culture throughout the organization. They desire risk management to be a business enabler of strategic value to the organization. Even ESG they are approaching through the concept of strategic resilience. Their risk and resilience management strategy is not to mitigate risk but to facilitate management ownership, accountability, and management of risk.
Some of their concerns in this risk and resilience topic:
- Too big of a risk team. Risk and resilience should be business facilitators of risk management. If they have too big of a risk team, they end up owning the risk, at least in perception.
- Are they touching the important parts of the business. Risk and resilience need to be engaged with the business, and the business evolves. It is important to be continuously evaluating business engagement in the midst of change.
- Doing the same thing. If they are doing the same thing every month or quarter they are in a routine of assessments. Risk is dynamic and changes. They need to be constantly evolving.
- LEAVING A LEGACY. I love this one. They want to leave a legacy of risk management excellence for the next generation to build upon.
- Agility and the horizon. Keeping abreast of what is developing on the horizon that can impact them. Forecasting and doing scenarios on the complexity and intersection of risk on inflation, interest, economy, geo-political, operational, regulatory, and more.
- Servant leadership. Ensuring they engage the business with a servant leadership attitude on risk management.
One of the things that have been developing that they are keenly interested in is the U.K. Government’s requirement for entities to publish resilience statements. Related to UK SOX, the UK BEIS (Department for Business, Energy and Industrial Strategy) requires resilience statements to improve how organizations identify, manage and report on their resilience risks that are most material to their business. This applies to Public Interest Entities (PIEs) with 750 or more employees and £750 million or more in annual turnover. This requires companies to engage in short and medium-term resilience risk assessment and management, as well as reverse stress testing and reporting for resilience.