A wise person once said, “Risk management is not about avoiding risks, but about navigating through them with wisdom and preparedness”. In my view, this has never been truer. In this blog, I am going to put forward three propositions. First, risk management is becoming increasingly important. Second, the old risk management tools won’t cut it in our current environment. Third, improving control governance is an important focus for organisations.
Proposition 1: That risk management is becoming increasingly important.
Not a week goes by when we don’t have a report in the media of an organisation in crisis. From cyber-attacks, to liquidity issues, to fraud and corruption, to major supply chain disruptions, the risks that face organisations in the current environment are many and varied, and can have a catastrophic impact. Here are three compelling reasons why risk management is becoming increasingly important.
- Complexity and Uncertainty: The business environment has become more complex and uncertain than ever before. Globalisation, technological advancements, changing consumer preferences, geopolitical events, and natural disasters are just some of the factors that result in a high level of complexity and uncertainty. Managing risks in this environment has become critical to ensure organisational survival, growth, and sustainability.
- Volatility and Disruption: All sectors in our economy are experiencing increased volatility and disruption, with rapid changes in customer preferences and behaviour, operating landscapes, and regulatory frameworks. Disruptive technologies, such as artificial intelligence, automation, and blockchain, are reshaping industries and creating new risks and opportunities. Organisations need effective risk management strategies to effectively identify and manage risks arising from these disruptions and remain agile and resilient in the face of uncertainty.
- Changing Stakeholder Expectations: Increasingly, stakeholders have higher expectations from organisations when it comes to risk management. Whether it be government, shareholders, regulatory authorities, tax-payers, rate-payers, or the public in general, they are demanding an increasing level of transparency, accountability, and responsible governance practices. Risk management is essential for organisations to protect their stakeholders’ interests and maintain trust and credibility.
Proposition 2: The old risk management tools won’t cut it in our current environment.
It may surprise you about the number of organisations – some of them very large – that still use spreadsheets as their principal tool to manage risk. Given the contemporary risk context, this can leave an organisation unable to effectively and efficiently manage risk. Whatever tool/s you use to manage risk, here are some of the “must haves” for an effective and efficient risk management system (RMS):
- One-Stop-Shop: A RMS should be able to cater to all types or categories of risk that an organisation should be managing. Whether it be strategic risk, operational risk, project risk, cyber risk, fraud risk – or any other category of risk – a single system makes sense. One place for staff to go, a standardised approach to risk management processes (as much as possible), and a single source of risk data – these are just a few of the benefits.
- Accessibility: A RMS should be accessible to all potential users – not just the risk specialists within an organisation. This is not only from a physical access point of view, but also from a usability point of view. A good RMS will take the complexities of risk management and provide a simple, easy-to-understand-and-use interface for users.
- Integration into Key Business Processes: A RMS should support the integration of risk management into all governance and compliance processes and key areas of operations. For example, how can you effectively manage a corporate plan if you do not understand the strategic risks? How can you effectively manage compliance if you do not understand the risk profile of your key compliance obligations? How can you effectively deliver a project if you do not understand and manage the risks to the project? Risk management must organically be part of all of the important business processes in our organisations. A good RMS will enable this.
- Automation: The administration around risk management can be significant – particularly if spreadsheets are being used. A good RMS will automate much of the administration, and support an appropriate cadence to facilitate an effective approach to risk management. Automation will also mean that risk management is not just a periodic activity on a checklist, but “always on” with active triggers and notifications to engage users at the appropriate time.
- Quality Outputs in Real-Time: The value of an RMS will be limited by the quality of its outputs. With risk management, we should start with the end in mind. Why are we doing this? What data do we need to collect? What information is this risk management process going to give us that will be valuable in decision-making? When do we need that information? Is there real-time risk data that is going to prove valuable? Can we tailor information for specific stakeholders? User configurable reporting and live dashboards represent a minimum acceptable level of outputs in the contemporary environment. Additionally, a good RMS will integrate with your preferred data analytics tool, so you can bring all your important business data into a single visualisation environment.
Proposition 3: That improving control governance is an important focus for organisations.
Like many business disciplines, risk management goes through phases where there is a focus on a particular element of the discipline. In the Australian Commonwealth Government context, there is currently an increasing focus on the governance of controls. This is reflected in the updated Commonwealth Risk Management Policy that requires entities to improve the governance of controls, including that:
- Each control is identified and categorised by type
- Each control has an owner
- The effectiveness of controls is periodically reviewed
- The owner must regularly report on the implementation, testing and effectiveness of the control.
Given the criticality of controls in risk management – and the broader governance and compliance environment within an organisation – improvements in control governance can yield significant benefits. This is both in terms of organisations better understanding their control framework, and also the performance of their control framework. This paves the way for actively managing the internal control framework and making informed decisions about the ongoing resourcing of existing controls and potential investments in new controls.
Wherever your organisation is in its risk management journey, improving this vital part of governance will deliver tangible benefits from the staff room to the board room. Remember: Risk is an inherent part of doing business but managing it smartly can lead to great outcomes.
This article was written by Zane Edwards, Global Director of GRC at LighthouseGRC. Zane is a chartered accountant and has 20 years experience in Government and Private sector GRC management. Not only is he passionate about the digital transformation of governance, but he is also a skilled and influential communicator with extensive national and international experience in a variety of channels, including conferences, radio, television, and video.