Originally published in NAVEX Global's Top 10 Risk & Compliance Trends for 2021 eBook. You can download the full eBook here.
Corporations came under enormous strain in 2020. One primary source of that strain was the pandemic, but more destructive was the pandora’s box of other risks that the pandemic opened: cybersecurity, supply chain, health and safety, financial fraud, and regulatory compliance as well.
If the experiences of 2020 taught us anything, it’s that a federated approach to risk is not enough. Just like a wildfire, individual threats, and crises can easily converge, feeding off one another and unleashing unpredicted destructive potential. This year may be over, but we still face many challenges. Compliance and integrated risk management will need to come together under one roof. The risks emerging before our eyes are interconnected and require the same in response.
In 2021, organizations will further integrate their compliance, IT, operational, reputational, third-party, and ESG risk management processes and practices.
In 2021, organizations will integrate their compliance, IT, operational, reputational, third-party, and ESG processes and practices. This holistic integration will require clear lines of communication and responsibility, and we expect more organizations to appoint Chief Risk Officers (CROs) or Chief Risk and Compliance Officers (CRCOs) to manage an integrated risk strategy. Additionally, board-level committees will be tasked with addressing enterprise-wide risk and risk strategy.
The Current State of Risk Integration
Regulators, such as the U.S. Department of Justice, scrutinize organizations’ ability to prevent misconduct from happening. Risks from climate change or supply chain failures threaten enormous operational disruption, even if those issues aren’t regulatory enforcement concerns. Social media enables advocates to draw public attention to corporate missteps, asking, essentially: How did the company not see this coming?
That’s a question corporate boards and CEOs never want to ask. In 2021, boards will require tools and information to assess, manage, and report enterprise risks.
Integration of risk functions isn’t a new idea, but the pandemic of 2020 has accelerated this corporate governance to a disorienting degree.
Integrated Risk Management is an Evolutionary Requirement
Governments have already begun to respond to the new complex risk landscape by pushing organizations toward increased transparency and accountability. In the U.S., the Biden Administration has already made clear that it wants to see more disclosure from corporations on climate change and racial equity. The European Union’s new whistleblower protection directive will go into effect at the end of 2021. Enforcement of anti-corruption, anti-money laundering, data privacy, and human trafficking laws increased dramatically over the past decade, and that won’t change in the next decade.
These dynamic social, regulatory, and economic pressures require an integrated approach to risk management. The board, senior executives, and business unit leaders should have a comprehensive understanding of organizational risks. Companies who are able to evolve and meet these new demands will have the advantage of informed decision-making and improved performance.
Steps for Organizations to Take
1. Cultivate Support for Integrated Risk Management
Integrated risk management affects many parts of the organization: legal, internal audit, IT, compliance, and any existing risk management functions the organization already has. Advocates for IRM need to identify and cultivate the support of in-house partners, senior management, and the board, which has the ultimate responsibility for assuring effective risk management.
2. Clarify Roles and Responsibilities
How will compliance and risk management functions intersect? Those can be delicate issues at many organizations, but clarity around roles and responsibilities determines decision-making hierarchy, and ultimately accountability. If you don’t have a CRO or CRCO, consider designating a member of senior management who can assume these duties.
3. Define Risks and Mitigation Steps
Leaders throughout the enterprise will need to use risk assessments to map risks to processes and requirements, including supply chain management, compliance risks, financial liquidity, litigation threats, workplace operations risks such as extreme weather events or pandemics, and more.
Use risk management frameworks to identify and mitigate risks. This can be an ambitious undertaking; role clarification is an important prior step.
4. Develop Monitoring and Reporting Capability
Risks need to be monitored on an ongoing basis, and new risks should generate an alert and be reported to key stakeholders. It’s also important to report regularly on all collective risks, so risk management leaders can clearly articulate the organization’s high-level risks and pressing concerns, as well as less urgent considerations.
It is tempting to view 2020 as an anomaly, and that’s not wrong. However, the trends driving the major crises of 2020 - growing international political instability, weakening institutions and norms, increasingly complex and interdependent supply chains, expansive trade wars and sanctions, ecological disruption, and accelerated global warming, just to name a few - will be just as urgent in 2021.
Businesses that isolate compliance risk from other business risks will not be able to strategically respond. Those that bring risk and compliance under one roof will be poised to thrive when the next once-in-a-century storm invariably hits – as it invariably will.