Originally published in NAVEX Global's Top 10 Risk & Compliance Trends for 2020 eBook.You can download the full eBook here.
As we enter the 2020s, the fiscal, operational and reputational integrities of companies are being threatened by new and evolving risks. Proliferating regulations are demanding constant review and alignment. Data retention practices are turning businesses into risk storehouses. And third and fourth party risk are extending organizational risk into the broader world. Preventing all risk has never been a mature approach to risk management, and in today’s world, it is no longer a tenable strategy. How we manage evolving risk will play a key role in how successful our companies are in the future marketplace.
Traditional preventive risk management structures are strong but rigid. They are designed to address individual threats that are often direct and blunt. In these structures, we apply more internal controls and protective measures to shore up our vulnerabilities. However, risk has changed. It’s not simply forceful. It’s fluid. It’s subtle. It’s voluminous. These changes have made rigid approaches increasingly more reactive rather than responsive.
When you think about risk holistically, you broaden your perspective on the full breadth of the risk ecosystem your business operates in.
The future of risk management will be in how we embrace risk through a holistic yet agile approach. This requires a better understanding of how we address our organization’s most immediate and damaging risks: people risk, business risk, and regulatory risk. Yes, there is IT security, data privacy, health and safety standards, and legislative risk – but these categories should ultimately align with the regulations that define them; support business operations while managing operational risk; and drive employee bases that are both inspired and ethical.
Developing a federated but enterprise-wide perspective of risk creates a shared vantage point, shared understanding, and shared approach to these major risk categories that still allow for risk to be actionable in the user’s context. This evolves risk management from a rigid structure to a resilient architecture.
Creating a Single Resilient Risk Management Architecture
Disparate approaches to risk management create siloes with blind spots, redundancies and conflicts. These silos turn into seams through which modern risk enters our organizations. While IT security, strategy, compliance, and legal teams may all have best-practice risk-management strategies, if those strategies are not operationalized in agile ways that inform one another, we can simply shift risk without addressing it.
We can see this more clearly when looking through the eyes of the board. Directors no longer want five different executives talking about the same types of risk in five different ways. They want a consistent and simplified narrative driven by a cohesive risk management strategy. How this strategy is tailored across roles, teams and functions may be unique, but it should all track back up into the same dataset – the same overarching risk architecture.
The holistic architecture of people, regulatory and business risk can further be seen in one of our industry’s growing concerns – data privacy. Data privacy law has redefined regulatory expectations for organizations. A key aspect of privacy law is embedding a privacy by design approach into everything we do. Next, the business processes, systems and technologies we implement need to operationalize privacy. Lastly, the point of risk ultimately sits with our people. Will an employee follow data handling best practices when the time comes? Will they intentionally or unintentionally share protected information? Or will they open that phishing email?
Whether in a presentation to the board or in day-to-day management, an actionable risk and compliance narrative driven by an integrated risk architecture is essential.
Steps for Organizations to Take
Understand Your Organization’s Risk Composition
While every organization has people, regulatory and business risk, how those risks compose the whole will be unique to your organization. Financial institutions may prioritize regulatory risk and manage people and business risk around that. Manufactures may start with their business risk and ensure operations align with regulatory requirements and employee relations. Retail organizations with large salesforces may lean heavily into people risk while ensuring their third-party suppliers do not jeopardize their business risk. And every organization must manage strategic risk that comes with year-over-year growth expectations. The end goal for every organization should be a single architecture for risk management. This ensures that the individual strategies deployed across separate business functions inform and respond to enterprise needs.
Understand the Full Life Cycle of Risk
Broad risk categories are operationalized when individual risk life cycles are properly mapped. The steps below map out an organization’s relationship with risk.
1. Define your organizational risk profile
2. Identify the inherent risks to your business, industry and region
3. Define and articulate your organizational risk tolerance by clearly indicating which risks are to be accepted, absorbed, mitigated or avoided
4. Design internal controls that operationalize that risk tolerance
5. Ensure your business ecosystem – customers, employees and vendors – are aware of their responsibilities for managing their business in an ethical manner and within the bounds of the designed controls. This is usually performed with a robust risk management program incorporating and integrated policy, training, and control testing approach
6. Monitor controls to ensure they are in acceptable tolerances and not showing signs of risk
7. Prepare for the potential failure with remediation strategies and resiliency plans that manage downstream events strategies that manage downstream consequences
Monitor Consistently & Continuously
Once the life cycle is defined and operationalized, we can then take a risk-based approach to monitoring our risk. An example of this is in our third party due diligence and screening practices. These same risk-based, continuous monitoring efforts should be reflected in our internal tools, processes and assessments. While vendor risk management may track different factors, our internal efforts should mimic its risk-based cadence for monitoring our leading risk indicators. Internally, this will often include monitoring things like sales figures, marketing performance, digital risk, API integrations, or travel bookings among others. For this, we need a risk architecture that identifies risk and is responsive enough to identify when those risks change.
Risk management, once a unique responsibility within individual departments, needs to be elevated from its siloed roots. Unfortunately, there will most likely always be silos – that is the business reality we live in. The goal, however, is to create systems that force those silos to identify the relevant information that needs to be communicated across, and integrated into, global operations. This will create a common risk vocabulary and increase transparency so that silos do not create confusion and volumes of extra spreadsheet work that increase administration and decrease accuracy.
This requires departmental personnel to physically (or virtually) get up from their seats and build working relationships with their counterparts in adjacent departments. This again can be seen clearly in the role of data privacy and security. For instance, your data privacy officer is probably a lawyer. While they can inform each team of what the law says, they need privacy-minded counterparts in each team who can translate what CCPA or GDPR alignment looks like in practice for engineering, customer service, accounting, information security and IT, etc.
Our technology solutions need to be holistic as well. Risk management software is essential to automate processes and programs, and solutions themselves cannot be siloed. Individual solutions that do not speak to one another or ultimately track into an enterprise-wide system can unintentionally automate risk for other departments. A flexible platform solution, or at least an integrated risk management approach, that supports actionable, risk-based management in an auditable manner will ensure that transparency is embedded into the solutions we deploy to manage our risks.
When you think about risk holistically, you broaden your perspective on the full breadth of the risk ecosystem your business operates in. This creates more visibility into the complexity. While we will never be able to reduce the complexity of the risk landscapes our businesses operate within, we are able to simplify the approaches we take to effectively manage that risk.