Operating a business requires taking risks. Organizations that identify and manage these risks well are positioned to grow and remain successful. That is the result of this year's global governance, risk and compliance survey, published by EY. They asked 1,196 participants, around the globe and across sectors, how well they are managing risk and what they need to do to better manage the risks that drive performance.
Organizations today are challenged with managing a rapidly changing risk landscape. Reports in the media illustrate the increasing risks faced by organizations: market volatility, geopolitical crises, wide-spread economic changes, regulatory reforms and cyber threats. Long-term patterns such as the aging population, the rise of hyper connectivity and increasing geographic mobility are also having a direct effect on organizations worldwide.1 While this creates many challenges for organizations, it also presents an opportunity to take advantage of the upside potential of risk.
In this year's survey, the experts of EY found that organizations are making progress in improving the way they manage risk in response to a changing risk landscape. However, organizations also indicated that there is still further room for improvement and opportunities to be seized. However, this requires businesses to change the way they work and how they capitalize on it, so that they become a more risk-aware organization.
Building a risk-aware organization
Identifying, managing and responding to risk should be an integral part of an organization's everyday activities. This can be achieved by applying the three risk categories: strategic, preventable and external. The EY global governance, risk and compliance (GRC) survey tells us that organizations are looking for a more comprehensive, coordinated and innovative approach to enable them to successfully manage the opportunities and the hardships presented by risk. This requires transforming the way the organization views and capitalizes on risk — the GRC experts call this "building a risk-aware organization."
With the knowledge that risks are a never-ending challenge and new risks will be encountered every day, a stepped approach to risk management is required: These three steps are explained below:
Step 1: Advance strategic thinking: The first step challenges the way organizations categorize, manage and respond to risk: thinking about risk in the context of their business decisions and designing risk response plans to appropriately manage identified risks.
Step 2: Optimize functions and processes: The second step focuses on what organizations are doing to optimally align functions by allocating talent and design risk management processes to efficiently and effectively execute risk response plans across each of the lines of defense.
Step 3: Embed solutions: The third step highlights the importance of integrating sustainable solutions throughout the organization to prevent, balance or limit risk.
Advance strategic thinking to improve value creation
Organizations are not created to manage risk, they are created to generate value as part of a broader aspirational purpose; as a result, they need to focus on the risks that directly impact their purpose and business strategy. A result of the EY survey: Organizations that methodically identify, assess and respond to the risks that impact their business strategy are better equipped to define risk responses that reduce the negative impact of risk while maximizing its upward potential. They think strategically about risk.
Organizations that exhibit advanced strategic thinking:
1. Identify and assess the risks that impact their business
2. Design risk response plans
1. Identifying and assessing the risks that impact your business
Organizations need to continuously evaluate their business strategies and determine the level of risk exposure they are willing to accept to generate value, otherwise known as their risk appetite. This approach better enables organizations to effectively and methodically identify and assess their risk landscape in the context of their business. In this year's GRC survey, 77% of respondents only evaluate their organization's risk profile on an annual basis, limiting their ability to adjust their business strategy based on changes to their risk landscape.
In the table 01 below, some of the potential risks associated with each business strategy are identified, applying the three risk categories – strategic, preventable and external. Each business strategy requires taking a strategic risk in search of higher reward (e.g., high ROI). They each also introduce preventable risks that must be dealt with as a result. Lastly, external risks may exist that could negatively impact each strategy.
<link file:16295 _blank download "Initiates file download"></link>
Table 01: strategic, preventable and external risk [Source: EY]
An organization needs to assess each identified risk to determine its likelihood, potential impact or time to realization. For example, the likelihood of a natural disaster (an external risk) occurring that could negatively impact critical IT infrastructure may be low, but the potential impact to an organization launching new customer-facing IT platforms could be catastrophic.
In another example, the likelihood and impact of disruptions to business and customer support processes arising as part of a major transformation program (a strategic risk) may be relatively high; but the benefits associated with such a program are also significant.
To make the right assessments, organizations need to directly address risk management in strategic and business planning discussions. They also need to routinely evaluate their risk profile and its impact on their business strategy, enabling the organization to readily identify new and emerging risks and adapt their strategy accordingly. Getting organizations to think differently about the risks to their business by strategically applying the three risk categories (as depicted in the table and graphic) enables them to identify risks they may not have otherwise thought of. Organizations are able to clearly identify the key risks to "own" that not only result in negative consequences, but also those that generate value, enabling a direct linkage between risk and business performance. It is encouraging that 85% of survey respondents indicated opportunity exists to further improve the linkage between risk and business performance.
2. Designing risk response plans
Once an organization has identified and assessed its key risks, it can manage them by designing cost-effective and efficient risk response plans based on the organization's risk appetite and each risk category — strategic, preventable and external. For instance, the amount of risk an organization is willing to accept as part of a transformation program may be low, but disruptions to business and customer support processes could negatively impact the organization's reputation/brand and ROI: as a result, the organization must employ cost-effective risk management to balance the mitigation of risk with the expected benefits of the program. Likewise, an organization may be willing to accept a greater amount of risk in complying with new legal or regulatory requirements if the cost of noncompliance is relatively low or can be avoided all together. An organization developing digital platforms to better interact with its customers can take advantage of the upward potential of risk by not only designing responses to monitor for negative publicity that could harm its reputation, but also design responses that monitor for positive publicity that it can capture and highlight in the marketplace.
Figure 01: Advance strategic thinking [Source: EY]
Optimize functions and process to effectively execute the risk strategy
Once an organization has determined its risk response plans or strategy, it needs to optimally align its functions, allocate resources and design risk management processes to efficiently and effectively execute its strategy.
Organizations have historically dispersed responsibility for risk activities to specific functions within the organization. This has resulted in silos, negatively impacting the effectiveness of risk management activities by preventing critical information from reaching key decision-makers. If a clear operating model and processes are not defined, then communication does not flow effectively through the organization.
Leading organizations optimize functions and processes by:
1. Establishing a well-defined and coordinated operating model
2. Aligning the right talent and skillsets
3. Designing risk management policies and processes
Figure 02: Optimize functions and processes [Source: EY]
1. Establishing a well-defined and coordinated operating model
In this year's EY GRC survey, respondents clearly recognized the value of a well-coordinated operating model; 67% expected activities to be well-coordinated within three years. Organizations must define clear ownership and accountability for risk activities to enable effective coordination, communication and reporting. Management owns the process of identifying, managing and monitoring overall risk to the organization. Management sets the tone at the top, fosters a risk aware culture and defines the organization's risk strategy.
Risk culture is reflected in the behaviors and actions of people. It is the belief system, or set of values within an organization that make risk an integral part of the business and supports the achievement of the organization's overall purpose. Regulators address risk culture through factors affecting risk-taking behavior such as risk appetite, governance and compensation. To deliver an appropriate risk culture, a variety of mechanisms need to be in place and be effective. When in place and effective, the mechanisms contribute to deliver the desired behavior outcomes.
Attributes of a sound risk culture:
- Leadership: Tone from the middle tier of management is aligned with tone from the top tier to establish desired risk behaviors.
- Organization: Governance and business models support the delivery of desired risk behaviors and enable strong accountability and effective challenge.
- Risk framework: Risk management framework is embedded in the way the business manages risk and enables effective challenge.
- Incentives: Employee life cycle and incentives support the delivery of desired risk management behaviors.
The "three lines of defense" need to be identified and deployed as part of the organization's risk strategy. However, no line of defense executes this strategy singlehandedly, they must work in concert. EY defines three lines of defense as follows:
First line (operations and business units): This group comprises of the line management responsible for identifying and managing risks directly (design and operational controls); they regard risk management as a crucial element of their everyday jobs.
Second line (management assurance): This group (typically covering risk management, internal controls, SOX, legal, compliance, etc.) is responsible for the ongoing monitoring of the design and operation of controls in the first line of defense, as well as advising and facilitating risk management activities.
Third line (independent assurance): This group is responsible for independent assurance over risk management activities – it will include the Internal Audit function, external auditors and applicable regulators.
The organization's management should be responsible for mapping and assigning clear ownership and accountability for risk response activities across the three lines of defense. This establishes a structure to facilitate coordination, communication and reporting across clear boundaries of responsibility; it also enables an organization to validate risk coverage and foster a culture in which all parties understand their role in executing the organization's risk strategy.
2. Aligning the right talent and skillsets
Once an organization has assigned clear ownership and accountability for risk response activities, it needs to then align the resources and skillsets required to execute those activities. This is usually straightforward in the first line of defense, but may be more complex in the second and third line. Leading organizations demand talent with deep industry and business knowledge, as well as skills relevant to each of the risk categories – strategic, preventable and external.
Recognizing the upside potential of strategic risks and the need to limit the potential impact of external risks, these organizations are developing and aligning talent with the requisite skillsets across each of the three lines of defense to improve the effectiveness and efficiency of each, better enabling the organization to execute its risk strategy.
Respondents identified the following as the most important skills or experiences required to enhance their risk functions:
- Risk management
- Business strategy
- Critical/analytical thinking
- Regulatory compliance
- Process improvement
As an example, resources with a background in business continuity planning or disaster recovery (DR) have typically resided within the first line of defense, but leading organizations are now embedding resources with similar backgrounds within the first and second lines of defense to facilitate and monitor the response related to external risks. Similarly, launching a new social media platform requires resources with digital expertise within each line of defense; this enables each line to better understand the associated strategic risks and appropriately balance risk mitigation activities with the benefits.
3. Designing risk management policies and processes
Lastly, an organization must design policies and processes governing the execution of its risk response plans. Risk management policies and processes are integral to influencing behaviors, coordinating activities, establishing communication protocols and facilitating risk reporting – they dictate why to do it, what to do and when to do it. To illustrate, an organization facing external risks arising from competitor strategic shifts might design processes to facilitate wargaming exercises across the three lines of defense to evaluate the potential impact to the company's business strategy. These processes would help to define each function's role and responsibilities, the frequency at which the exercises are conducted, and how the results are to be compiled and communicated to decision-makers.