Integrated Risk Management is the Mantra to Manage Interconnected Risks

Risk Management | 5 Min Read | 26 May 21 | by Sumith Sagar
In today's business world, silos are coming crashing down. The business landscape has been redefined by digitalization, and the evolution of the internet, mobile computing, and data sciences has led to a greater interconnectedness of operating markets across geopolitical borders.
The unprecedented after-effects of COVID-19 also made us realize that the world we live in today has a high degree of interdependency. For instance, this slow shift toward working remotely on a permanent basis could result in some long-term impacts on different industry sectors simply because everything is connected. A disruption anywhere on the transaction chain has the potential to create a domino effect and send ripples down the market. If businesses fail to understand and analyze the interconnections, they can make myopic decisions that could cause organizations to fail in developing and executing effective recovery strategies.
Despite the ongoing effort to adopt new technologies and tools to implement a pervasive approach to risk management, business leaders and risk teams are still unable to fully understand the interconnectedness of risks. In our recent webinar, risk professionals and leaders discussed why that happens and how businesses can take a holistic and integrated approach to make risk management processes more efficient and effective.
What impedes businesses from being able to understand and analyze interrelated risks?
- Even if risk management is perceived as a critical function, some executives push back on risk management efforts because they simply don’t have enough information to put the risks into proper perspective. They may understand that a risk exists but might not have a detailed understanding of what it could mean or its potential impact on the organization’s long-term success. Therefore, a lack of a strong organizational risk identification and analysis program can lead to poor risk management practices within business units.
- Lack of top-down (business level) and bottom-up (process level) risk assessments: Organizations often lack a bi-directional risk identification and assessment strategy, one where senior management identifies the strategic priorities and risks while the process level identifies related operational breakdowns and patterns to inform the top. This type of approach allows both the business level and process level functions to make adjustments as needed within their operational plans and strategies.
- Risk management strategies are reactive and not proactive: Risk management is often treated as a compliance problem that can be solved by drafting a set of rules and making sure that all employees follow them. Instead of tying risk management to strategic planning to develop appropriate mitigation strategies, businesses view risk management as a check-the-box exercise rather than as proactive decision support that identifies gaps and blind spots.
- Lack of framework for analysis and aggregation of risk themes: Data alone doesn’t guarantee that a business can make effective decisions about risk. This is, in fact, a major challenge for organizations—while risk data is available, they lack the expertise to mine valuable insights and understand the interconnectedness of risks. Organizations need to break down data for granular insights that the board can understand and use. Reports based on risk data should be accurate, clear, and complete. They should contain the correct content and be presented to the appropriate decision-makers in a time that allows for an appropriate response. High-quality risk management reports rely on the existence of strong risk data aggregation capabilities, and sound infrastructure and governance ensure the information flow from one to the other.
Even today, businesses implement controls without understanding how they impact different business areas. Implementing controls within a siloed system can lead to an overabundance of overlapping and duplicated controls, which are unnecessarily expensive and time-consuming and eventually reduce efficiency. Therefore, it is absolutely critical to have an integrated approach to risk management where you're not spending 80% of your time on data collection and only 20% on analysis.
Risk management needs to evolve and help businesses obtain a deeper understanding of all aspects of the risks they face, as well as the intricate spider web of interconnections those risks create, because these links among risks can amplify the overall impact, directly or indirectly.
Checklist for an Effective Risk Management Program
- Establish a formal risk identification and assessment program for emerging risk identification based on business environmental changes.
- Define and implement risk and performance measurements based on objectives.
- Facilitate and foster increased data sharing and communication between business divisions.
- Define and implement an enterprise risk taxonomy with a common risk language across the organization.
- Derive a greater insight into risk interrelations through cause-impact understanding.
- Implement a tool for risk aggregation to identify themes, patterns, and hotspots across the organization.
- Improve risk management automation to avoid repetitive data-gathering tasks using data and analytics-based risk assessment.
- Enable continuous monitoring to preemptively notify teams of imminent risk events.
The idea behind Integrated Risk Management is not to discard everything that we do today around identifying, assessing, and managing risks, but to do so in a manner that helps the business understand the relationship and connectivity between different risk areas so that they can be identified and managed proactively.
And, in order for IRM to be effective, people, processes, technology, and perhaps even data need to come together and work as part of a common ecosystem with a common purpose and goal in mind.
However, risk identification and assessment programs by themselves do not serve the full purpose without quantifiable measures in place to support risk identification. This requires carefully thought-out measurement components to be designed and implemented that provide useful insight into the risk.
While many of us would like to believe that enabling technology for IRM is primarily about implementing an enterprise GRC tool, it requires some broader thinking. IRM is an extension of your GRC program where risk management practice is seamlessly embedded into compliance, cybersecurity, vendor risk management, and business continuity planning.
Businesses need to understand and break down the complex interrelationships. And that means risk identification needs to happen, where risk happens.
Our MetricStream Platform can help you cut across organizational silos by standardizing risk and control taxonomies and enabling stakeholders to effectively coordinate and unify risk management activities across all business functions. Organizations can use our product to align their assurance programs and gain comprehensive visibility into both risk exposure and relationships. Reach out to us to know how to achieve forward-looking risk visibility with predictive risk metrics and indicators in your Risk Management program today!