Gone are the days of simplicity in business operations. Ever-changing regulations, distributed operations, a highly competitive business landscape, evolving technologies, and huge volumes of business data encumber organizations of all sizes. Risk management has become a challenge for CXOs as well as for managers at every level of the organization.
The physicist Fritjof Capra said, “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.” Capra was pointing out that biological ecosystems are complex and interconnected, and that understanding them requires a holistic, contextual awareness of that interconnectedness as an integrated whole rather than as a disconnected collection of systems and processes. A change in one area cascades through the entire business ecosystem. He might as well have been talking about risk management in the modern enterprise.
Three Prerequisites of Managing Enterprise Risk Effectively
1. Establish the Right Risk Management Strategy and Processes
The primary objective of a mature risk management capability is to deliver operational effectiveness and efficiencies, and business agility that helps manage the breadth of risks on organizational performance, objectives, and strategy. This calls for a strategy that connects the enterprise, business units, systems/IT, processes, and information to enable transparency, discipline, and control of the ecosystem of risks and controls across the enterprise. Organizations require a mature risk management capability combined with a coordinated strategy and processes. This is powered by strong information and technology architecture that delivers an integrated view of objectives, risks, compliance, controls, events, and more.
2. Manage Risk Across the Three Lines
Risk engagement is a critical process. Risk management does not only happen in the back-office functions of an enterprise. Risk is also taken and owned by the front office of the organization – from the management down to the front-line employees. Risk management traverses all three lines (formerly three lines of defense):
- Operational Management: Risk is understood, taken, and owned by the first line, operational management. Because front-office (first line) employees and managers are the people who make risk and compliance decisions every day, they can either protect the organization or expose it to unwanted issues. It is therefore essential to give them effective training on policies, on what constitutes acceptable and unacceptable risk, and on how to report issues and incidents.
- Risk and Compliance: Risk management is coordinated, analyzed, and modeled by the second line, which comprises the risk, security, and policy owners and managers. The second line facilitates conversations with the first line while ensuring that the policies it brings into force are current and understood across the organization. It works towards defined processes and technologies for governing policies and implementing an effective policy management lifecycle.
- Assurance through Audit: The third line, comprising defense, audit, and assurance professionals, provides assurance and validation of how risk is taken and managed in the organization. These assurance professionals ensure that policies are appropriately managed, communicated, and implemented across the organization. They work towards maintaining integrity, mitigating risk, and reliably achieving organizational objectives.
3. Use both Left-brain and Right-brain Thinking
Organizations also need to approach risk management with both left-brain and right-brain risk thinkers. Historically, risk management has been dominated by left-brain thinking: structured risk models, simulations, and analyses. We always try to put uncertainty and risk in a box. As long as that box is close to reality, our analysis can be fairly sound.
Good risk management involves structured thinking about risk with robust data and analysis, but it also needs creative thinking. Business is complex and dynamic, and there are many variables that can keep us from achieving business objectives. Some of these are fairly evident and concrete, while others are abstract, remote, and hidden in the weeds of the organization. Creative thinking about risk starts with good risk models from the structured risk thinkers, but then requires thinking outside the box about how those models fail or what they do not cover. Right-brain risk thinking relies heavily on visualizing risk and working through risk scenarios.
The Bottom Line
It is time for organizations to rethink their approach to risk management and implement a coordinated, enterprise-wide view of risk across all three lines. They must also think creatively about risk and risk scenarios rather than get locked into models that may be out of date. This is all possible with the right risk management strategy and processes, powered by a robust risk information and technology architecture.
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC). With 28+ years of experience, Michael helps organizations improve GRC processes and choose technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in 2002 while at Forrester.