This is Part One of a four-part blog series on ERM that is from guest blogger Michael Rasmussen of GRC 20/20 Research.
Organizations take risks all the time but fail to monitor and manage risk effectively for the enterprise. A cavalier approach to risk-taking results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands. Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively. Enterprise Risk management, in this context, is an integrated part of everyone’s job and not just for the back office of risk management.
The modern organization is:
- Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner, and client relationships. The traditional brick and mortar business with physical buildings and conventional employees have been replaced with an interconnected mesh of relationships and interactions which define the modern organization. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
- Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with shifting business strategies, technologies, and processes while keeping pace with change to risk environments around the world. The multiplicity of risk environments that organizations have to monitor span regulatory, geo-political, market, credit, and operational risks. Managing risk and business change on numerous fronts has buried many organizations.
- Disrupted. The explosion of data in organizations has brought on the era of “Big Data” and with that “Big Risk Data.” Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, veracity, and volume of data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
Understand the Interrelationship of Risk and Its Impact
Enterprise risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. Risk is pervasive; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at department and process levels, and build as organizations develop operational and enterprise risk management strategies.
Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as risk intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and business strategy, objectives, and performance.
It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/regulatory, third-party, strategic, insurance, and hazard risks. This makes enterprise and operational risk management a challenge when risk management strategy forces everyone into one flat view of risk to conform and have significant issues in risk normalization and aggregation as they roll-up risk into enterprise risk reporting.
Providing 360° Contextual Awareness of Risk
Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is only enabled through strong business intelligence and analytics with a user experience that is intuitive and relevant to varying levels of the organization. This is an important part of developing a risk analysis framework. Mature risk management is built on a risk management process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events.
In light of this, organizations should consider:
- Does the organization understand the risk exposure to each individual process/project and how it interrelates with other risks and aggregates in an enterprise perspective or risk?
- How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
- Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
- Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
- Does the organization monitor key risk indicators across critical projects and processes?
- Is the organization optimally measuring and modeling risk?
Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:
- The external perspective: Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
- The internal perspective: Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.
Organizations are best served to take an enterprise and federated approach to risk management that allows different projects, processes, and departments to have their view of risk that can roll into enterprise and operational risk management and reporting. This is done through a common risk management strategy, process, information, and technology architecture to support overall risk management activities from the process level up through an enterprise view. Organizations need to clearly understand the breadth and depth of their risk management strategy and process requirements and select the right information and technology architecture that is agile and flexible to meet the range of risk management needs today and into tomorrow. This architecture should be intuitive and easy to use while providing a depth of analytics and embedded business intelligence.