Challenge to Boards, Executives, and Risk Management Professionals
Organizations take risks all the time but fail to monitor and manage risk effectively. Further, risk management is too often seen as a compliance exercies and not truly integrated with decision making and objectives of the organization. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands.
Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business. Particularly when risk management is approached from a compliance or audit anlge and not as an integrated displine of decision making that has a symbiotic relationship on performance. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively.
The modern organization is:
- Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner, and client relationships. The traditional brick and mortar business with physical buildings and conventional employees have been replaced with an interconnected mesh of relationships and interactions which define the modern organization. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
- Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with shifting business strategies, technologies, and processes while also keeping pace with change to risk environments around the world. The multiplicity of risk environments that organizations have to monitor span regulatory, geo-political, market, credit, and operational risks. Managing risk and business change on numerous fronts has buried many organizations.
- Disrupted. The explosion of data in organizations has brought on the era of “Big Data” and with that “Big Risk Data.” Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, veracity, and volume of risk data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
Understand the Interrelationship of Risk and Its Impact
Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. Risk is pervasive; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at department and process levels, and build as organizations develop operational and enterprise risk management strategies.
For some organizations, risk management is only an expanded view of routine financial controls with the result nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk. Despite this, organizations remain keenly interested in how to improve risk management.
Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as it intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and decision making, business strategy, objectives, and performance.
It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/regulatory, third-party, strategic, insurance, and hazard risks. This makes enterprise and operational risk management a challenge when risk management strategy forces everyone into one flat view of risk to conform and have significant issues in risk normalization and aggregation as they roll-up risk into enterprise risk reporting.
Providing 360° Contextual Awareness of Risk
Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on a risk management process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events.
In light of this, organizations should consider:
- Does the organization understand the risk exposure to each individual process/project and how it interrelates with other risks and aggregates in an enterprise perspective or risk?
- How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
- Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
- Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
- Does the organization monitor key risk indicators across critical projects and processes?
- Is the organization optimally measuring and modeling risk?
Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:
- The external perspective. Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
- The internal perspective. Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.
The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their view of risk that can roll into enterprise and operational risk management and reporting that supports business objectives and is integrated with decision making. This is done through a common risk management strategy, process, information, and technology architecture to support overall risk management activities from the process level up through an enterprise view. Organizations need to clearly understand the breadth and depth of their risk management strategy and process requirements and select the right information and technology architecture that is agile and flexible to meet the range of risk management needs today and into tomorrow.
This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Risk Management by Design: A Blueprint for Federated Enterprise Risk Management
- Have a question about Risk Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
- Risk Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Risk Management by Design Workshop in your organization.
- Looking for Risk Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.
GRC 20/20’s Risk Management Research includes . . .
Register for the upcoming Research Briefing presentation:
Access the on-demand Research Briefing presentation:
Strategy Perspectives (written best practice research papers):
Solution Perspectives (written evaluations of solutions in the market):
Case Studies (written evaluations of specific strategies and implementations within organizations):