2020 has been quite the year to be in the risk management business. Who knew back in January that all of our risk universes would expand so dramatically?
- Uncertainties about a “novel coronavirus” would grow into the deadly realities of COVID-19.
- Shelter-in-place orders would result in tens of millions working from home.
- Business continuity factors would shutter scores of businesses and cause the unemployment rate to skyrocket.
Plus (as of this writing), there’s the upcoming U.S. presidential election and its potential impact on the economy, markets, and geopolitics.
Add all this to your baseline normal risk profile and…well, the phrase “dynamic environment” seems inadequate to describe current conditions.
Even before COVID-19, we at Uber had embarked on a journey toward systematizing our ongoing risk assessment efforts. And despite the pandemic, we’re now well on our way to achieving our goal of operationalizing real-time risk assessment.
We’re often asked to talk about our journey, as we were during a recent webinar for AuditBoard. Since there are lots of questions, we thought it might help you, our fellow auditors, if we shared the most common ones here, along with our answers.
“What do you mean by ‘real-time risk assessment’? What’s Uber trying to achieve?”
Our ultimate goal is to use data analytics and machine learning to automate our enterprise risk assessment efforts in order to bring awareness to leaders and inform our internal audit planning. We’re building a full view across our risk universe, and identifying key risk indicators so we can track and prioritize them.
“Why are you so committed to doing it now when so much is changing?”
There’s no better time to be doing this work. It’s precisely because the environment all around us is changing so fast that the business needs greater agility, flexibility, and adaptability. The emergence of COVID-19 (and society’s responses to it) has given rise to its own set of risks. But the resources needed to respond well may be constrained for some time to come. This lack of resources will likely make stakeholders and investors more attentive and demanding.
“What risk assessment process do you use?”
We’re using a five-step risk assessment methodology. Nothing magical here. It’s all in how you apply it.
- Understand. Ensure your ability to offer foresight based upon an exceptional understanding of the business: its objectives, priorities, challenges, and market.
- Gather. Collect and understand the internal and external information needed to get a clear picture of your business’s priorities and objectives.
- Synthesize. Use all the information gathered to profile an area of risk, and identify the key risk indicators (KRIs) for assessing that risk.
- Socialize. Hold regular conversations with stakeholders to ensure alignment.
- Evaluate. Seek feedback throughout the process to ensure you’re baselining the right risks and data points.
“What behaviors have helped your risk assessment team overcome challenges along the way?”
There are many, but maybe the most important is learning not to start with the risk. As auditors, we must first understand what creates value for the business before we can understand how to protect it. That’s why, at Uber, we’ve coined the term “Value Contributing Factor” (VCF). VCFs are readily identifiable variables that affect the performance of a business process.
“How are Key Risk Indicators (KRIs) used to dynamically assess risks?”
A KRI is a metric that provides an early signal of risk exposure. It helps measure how risky an activity actually is. KRIs are essential to automating risk assessment. But first, you have to pick the right ones. Here’s a quick overview of how.
- Identify company priorities and define business processes across functions, lines of business, geographies, etc. (for example, cost efficiency).
- Map the range of value contributing factors (VCFs) to business priorities and processes (e.g., business development, for its impact on cost efficiency).
- Define and gather risk categories and topics related to each VCF (e.g., third-party risk, for its impact on efficient business development).
- Use a KRI (or KRIs) to define the risk’s prioritization and relevancy across multiple dimensions (e.g., number of strategic partnerships, number of third-party business disruptions, year-over-year growth in third-party relationships, etc., for their impact on third-party risk).
Data is then harvested for each KRI from sources like external repositories, contract management tools, internal databases, etc.
Is 2020’s expansion to our risk universe a “new normal”? Or just an outlier? We can’t know for sure. But greater risks to business continuity, personal safety, and cybersecurity seem likely to endure.
Since real risks happen in real time, it only makes sense that real time may also be the best time to assess them. Where is your organization on the journey to dynamic risk assessment?