Covid Lesson Number One: Reconsider Risk Management

How unsiloing risk creates a nimble enterprise risk management program.

For the past year, the Covid-19 pandemic has been redefining how companies manage risk. The rapidly changing business environment has led to ever-increasing risk velocities. Companies’ exposures are in flux, and new risks are emerging more and more frequently. In this environment, traditional organizational structures—with risk specialists in one department, compliance in another, and silos of additional risk professionals spread across different lines of business—have proven ineffective.

As a result, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a highly influential risk management thought leadership organization, recently issued guidance for companies to create closer links between compliance departments and risk managers who focus on an array of corporate hazards. This underscores the widespread need for companies to unsilo risk functions and create an enterprise risk management (ERM) program.

Although not a new concept, integrated ERM represents a significant improvement over more common, fragmented approaches to risk management. The fundamental purposes of an enterprise risk management program are to:

There are three primary reasons why this approach to risk management is particularly well-suited to the rapidly evolving current environment.

1. An inability to simultaneously assess both “big picture” and individual risk impact is the reason many risk management efforts fail.

When risk management is siloed, managers responsible for operational risks in one business area may not have insights into risk or compliance failures in another area. Those failures, when viewed in isolation, may not cause concern about the organization’s ability to achieve objectives. But a series of seemingly low-impact failures occurring in different areas of the same business may attract the attention of regulatory authorities or the media, quickly resulting in major brand damage or financial penalties. This scenario is not uncommon when risk managers are unable to view exposures from a corporate perspective that combines a wide array of risk categories.

The solution is a framework, such as ERM, that relates risks to one another. It provides a consistent way of measuring how risks affect the achievement of corporate objectives by aligning key risk indicators (KRIs) with key performance indicators (KPIs). A process of this kind helps staff and executives recognize early-warning indicators so that they can respond preemptively and quickly to any corporate-level exposure that integrated risk analysis reveals.

2. New big data and analytics solutions enable companies to monitor risk in real time.

Combining data from multiple sources in a single analysis gives risk managers the ability to put all of the organization’s risks in context, even as conditions change due to Covid or other external factors. The risk team can monitor millions of daily operational activities and financial transactions to determine whether, in aggregate, risks are increasing to a point where action must be taken. This continuous monitoring of what is actually happening within many different business processes reveals critical trends and indicators of minor issues that could turn into major problems.
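The aggregation problem described in point 1 and the continuous monitoring described here can be shown concretely. The following is an added example written for this page, not code from the author or from Galvanize's platform. It uses a constructed set of control-failure events, three hypothetical business units, and hypothetical escalation thresholds: each unit's failures stay below its own threshold, so no siloed risk manager would escalate, while the enterprise total for the same risk category crosses the corporate threshold.

```python
"""Added example: siloed vs. enterprise-level aggregation of control failures."""
from collections import defaultdict

# Constructed sample events, as three separate siloed risk registers might
# record them: (business_unit, risk_category, severity on a 1..5 scale).
# Not real data.
EVENTS = [
    ("retail", "data_privacy", 2),
    ("retail", "data_privacy", 1),
    ("wealth", "data_privacy", 2),
    ("wealth", "data_privacy", 2),
    ("insurance", "data_privacy", 2),
    ("insurance", "data_privacy", 1),
    ("retail", "fraud", 2),
]

# Hypothetical thresholds on summed severity. Real KRIs would be calibrated
# against the organization's objectives and risk appetite.
SILO_THRESHOLD = 5        # what a single unit's risk manager escalates on
ENTERPRISE_THRESHOLD = 8  # what the corporate view escalates on
WARNING_RATIO = 0.75      # early-warning band below the hard threshold


def silo_scores(events):
    """Summed severity per (unit, category): what each silo sees on its own."""
    scores = defaultdict(int)
    for unit, category, severity in events:
        scores[(unit, category)] += severity
    return dict(scores)


def enterprise_scores(events):
    """Summed severity per category across all units: the corporate view."""
    scores = defaultdict(int)
    for _unit, category, severity in events:
        scores[category] += severity
    return dict(scores)


def status(score, threshold):
    """Classify a score as ok / warning / breach against a threshold."""
    if score >= threshold:
        return "breach"
    if score >= WARNING_RATIO * threshold:
        return "warning"
    return "ok"


def hidden_enterprise_risks(events):
    """Categories that no silo would escalate but the enterprise view flags.

    Returns a list of (category, enterprise_total, status) tuples for every
    category where every unit is below SILO_THRESHOLD yet the aggregate is
    at least in the warning band of ENTERPRISE_THRESHOLD.
    """
    silo = silo_scores(events)
    enterprise = enterprise_scores(events)
    hidden = []
    for category, total in enterprise.items():
        silo_breached = any(
            status(score, SILO_THRESHOLD) == "breach"
            for (_unit, cat), score in silo.items()
            if cat == category
        )
        enterprise_status = status(total, ENTERPRISE_THRESHOLD)
        if not silo_breached and enterprise_status != "ok":
            hidden.append((category, total, enterprise_status))
    return hidden


if __name__ == "__main__":
    for key, score in sorted(silo_scores(EVENTS).items()):
        print(f"silo {key}: {score} -> {status(score, SILO_THRESHOLD)}")
    for category, total, flag in hidden_enterprise_risks(EVENTS):
        print(f"enterprise {category}: {total} -> {flag} (no silo escalated)")
```

In the constructed sample, each unit's data-privacy score is 3 or 4, below the silo threshold of 5, so each local risk manager sees nothing to escalate; the enterprise total of 10 breaches the corporate threshold of 8, which is exactly the pattern of low-impact failures in separate areas that draws regulatory or media attention. The warning band gives the early-warning indicator the page calls for, so the corporate view can act before the hard threshold is crossed.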

Analytics also provides insights into new and emerging risks that would otherwise go unnoticed until it's too late. In 2017, McKinsey reported that 90 percent of the world's data at that point hadn't existed two years earlier, and yet only 1 percent of it had actually been analyzed. The potential for data-driven risk assessment and monitoring is enormous and currently underused.

As an organization’s risk management processes and capabilities mature, it typically moves from a retrospective and defensive point of view on risk to a more forward-looking perspective that facilitates smarter decision-making. When a risk management team reaches this point, risk professionals can both spot obstacles and act more quickly to address them. They can fine-tune risk performance management to a balanced system in which corporate actions are neither overcontrolled nor undercontrolled.

3. Management teams are ready to bridge the gap between business and risk professionals.

A common obstacle to successful ERM is the divide between risk and business management. Such a polarized environment often results in the risk management team developing an unhealthy focus on risk prevention, while business decision-makers accept an unhealthy risk appetite—taking on larger exposures than the risk team would prefer, with the goal of taking advantage of market opportunities.

The solution is an integrated approach in which business strategy and risk management teams work in support of one another, not against. This allows both business managers and risk management professionals to see the world through a similar lens, giving all decision-makers confidence that they are working toward common objectives.

Creating an integrated program—with everybody using the same governance, risk, and compliance (GRC) technology platform—transforms the traditional disjointed, siloed risk management into unified oversight. It also gets the entire organization working together to achieve objectives and drive performance while effectively managing risks.

The current pandemic is unlikely to be the last major global event we experience this decade. Between trade wars, collapsed industries, climate change, and widespread socioeconomic and geopolitical instability, we can expect a lot more “unprecedented times” in our future. An intelligent and integrated approach to ERM is the number-one secret to differentiating corporate performance in unprecedented times.

Integrated ERM is more relevant now than ever before.


Sergiu Cernautan is a designated Certified Public Accountant (CPA) and Certified Information Systems Auditor (CISA) with over 23 years of external audit, internal audit, and risk and regulatory compliance consulting experience with Deloitte; KPMG; Straight Talk Consulting, Ltd.; and Galvanize. In his role as VP of product strategy at Galvanize, Cernautan has managed a number of responsibilities, including shaping the product content and enablement strategy, managing influencer and analyst relations, performing strategic “proof of concept” projects on emerging product capabilities, gathering competitive intelligence, overseeing the solution architecting and solution consulting functions, and providing overall GRC domain support to the rest of the teams (e.g., product management, product design, professional services, marketing, and sales).