The idea of IRM programs is not to replace everything that has happened before, but rather to understand the relationship between various risk profiles, so that new risks can be proactively identified. The IRM program of the future looks to leverage existing risk management infrastructure, maintaining its federation and independence as required. However, it also seeks to build an overarching integrative layer that establishes the relationships between different risks. It then focuses on streamlining risk assessment and mitigation plans in an agile and unified manner across business functions and risk groups. Through this approach, risk information is available instantly, in digestible and logical pieces, enabling the board of directors and senior leaders to make informed risk-based decisions.
To build a future-ready integrated risk management program, here are some best practices to follow:
The first step in an IRM program is to establish a common understanding of its outcomes across various risk functions. That is done by defining corporate objectives, and then contextualizing them within the constraints defined by regulatory requirements, as well as the organization’s risk appetite.
The constraints and objectives together are translated into a set of policies and standards which then become the guardrails for the organization to operate within. They also serve as the bedrock for risk management processes that cascade down across the three lines of defense. These processes help measure and manage risks through appropriate controls and issue remediation efforts.
By establishing an IRM framework, organizations can draw in information from the ecosystem of tools used to monitor and manage risk. Various risk programs for both financial and non-financial risks can now communicate with each other through a common point of contextualization, i.e., business objectives.
The IRM framework leverages the ecosystem of risk monitoring tools through an integrated issue and action management capability where identified risks and their treatment plans are captured and aggregated. This can be linked to the risk universe to uncover commonalities between the issues identified.
The integration of issues and actions with the common risk universe can be used to define a risk treatment plan with a coordinated effort from various risk groups (spread across risk functions, regional entities, legal entities, and business functions).
For integrated issue management to be truly effective, organizations need to identify risk events in real time, perhaps even pre-emptively. For example, a leading financial exchange tracks “rumors” on “pump and dump” schemes for certain stocks through a real-time social media risk monitoring tool. These rumors are flagged as issues within the IRM program. Based on the relationships defined within this program, accountability is assigned to risk officers and market surveillance teams. Immediately, risk mitigation actions are coordinated by consumer protection teams. The perpetrators of the rumors are informed, and compliance teams take action to prevent these market participants from participating in the trade of these stocks.
Since the first line of defense often becomes aware of emerging risks before others, they play a critical role in an IRM program. The integrated issue and action management capability must be extended to them so that all issues identified at the first line are aggregated and consolidated with the issues identified by the ecosystem of risk monitoring tools.
The result is a single repository of all risk-related issues from the three lines of defense. This data enables the first line to allocate resources for issue remediation based on the areas that are important to strategy or contribute to corporate objectives.
The process of capturing and aggregating issues and risk events from the first line of defense can be quite time-consuming and resource-intensive due to the large number of participants involved. However, technologies like robotic process automation (RPA) and chatbots have exponentially increased the ability of risk functions to gather information from the first line of defense in a simple, efficient manner. For example, at a leading mortgage financing company, mobile-device-based chatbots offer an easy and jargon-free way for first-line participants across the organization to report issues and risk events.
As digital organizations increase cloud adoption and process automation, IT and cyber risks are also increasing. These risks have a compounding effect when considered in terms of their intersection with other more traditional risks.
Established frameworks like FAIR (Factor Analysis of Information Risk), as well as risk management solutions, have made it easier for organizations to identify and quantify IT and cyber risks across information assets. The ability to aggregate the risk findings and map them to other risk profiles is key to a truly integrated risk program.
Ultimately, an IRM program enables organizations to identify issues from multiple risk monitoring programs and tools that were previously managed in silos. Using this data on issues, organizations can correlate different risks and, at their intersection, find previously “unknown-unknown” risks. Advancements in artificial intelligence (AI) and machine learning (ML) will make the process more efficient and effective.
With an IRM program, organizations gain a single source of truth for risk. The next step in the evolution of this program is to develop a systemic, industry-wide risk management dataset that can help organizations identify and prepare for risks that might not yet have materialized within their enterprises, but have done so in others with similar business interests, operating in similar markets. Early efforts to build such systemic datasets have included the external operational loss databases created by ORX and GOLD. In the future, we’re likely to see industry-wide risk datasets being built not just for operational losses and risk taxonomies, but also for issue aggregation and risk treatment plans.
Integrated repositories of risks and issues, coupled with systemic risk datasets, will offer organizations the ability to correlate issues and risk remediation actions. This golden source of information can be aligned to the risk universe, and then acted on by AI and ML analytics to identify both unknown risks and unknown relationships between issues. Based on these insights, organizations can formulate an integrated risk response strategy.
To become future-ready, organizations today need to think beyond financial statements and profits, and work towards becoming purpose-driven entities that strive for global sustainability and enable global communities to thrive. Concerns related to Environmental, Social, and Governance (ESG) issues are quickly becoming a top agenda item for every board of directors. In addition to climate risks, there is a growing global awareness of diversity, inclusion, and equity in organizations. Organizations need to incorporate ESG performance metrics in their overarching risk management framework since, going forward, these metrics will determine how consumers, regulators, investors, and other stakeholders gauge an organization’s progress and success.
By adopting the integrated risk management practices discussed in this e-book, organizations can improve visibility into the health of their business, while also making better-informed strategic decisions. A truly effective integrated risk program doesn’t just highlight downside risks; it also identifies upside risks, enabling organizations to proactively act on opportunities, rather than having them pass by simply because they were unknown or unmonitored.
MetricStream offers a comprehensive product suite in the areas of:
MetricStream is the world’s largest independent IRM software provider, with 1,200+ employees, an Enterprise SaaS Platform, a global partner ecosystem, and experience from 450+ Enterprise Implementations, which has consistently earned it recognition as a leader in prominent industry analyst reports.