For risk management to be effective, risk must be shared across the organization. In practice, everyone from business leaders on the operating risk committee to business managers on the front line should be connected to, and able to continuously understand, the organization’s risk management profile. Yet, as any risk management team can attest, this ideal state of continuous risk monitoring is often desired but much easier said than done. More often than not, there are operational gaps that fail to account for risks in day-to-day business processes. When these operational risks are not identified and communicated up the chain of command, the business remains exposed to them despite its best ERM efforts.
In AuditBoard’s Unlocking Operational Risk Management: Empower the Front Line to Effectively Manage Risk, we explore why risk management programs so often fail at identifying operational risks and enabling front-line business managers to own their risks. Download the free guide here, and continue reading to learn how understanding and utilizing a connected risk approach, along with integrated risk management technology, can help organizations bridge this essential gap and build comprehensive enterprise risk management programs.
Defining Connected Risk
A connected risk approach aims to connect risk owners to their risks and promote organization-wide risk ownership by using integrated risk management (IRM) technology to enable improved Communication, Context, and Collaboration — remember these as the three C’s of connected risk. The foundation of a connected risk approach is modern IRM software that unites disparate risk data — previously existing in different teams’ databases across the organization — into one system of record. The end result is a truly connected risk environment, enabling risk teams to connect their controls to their processes, and their processes to desired business outcomes.
While Communication, Context, and Collaboration can all be achieved in a manual risk program without the help of technology, the dynamic nature of today’s risks makes this far more challenging. Due to rapid digitization and a volatile global risk climate, risks change quickly and are more interconnected than before. Consequently, for modern organizations to keep pace with evolving risks, they must rely on technology to enable the three C’s quickly enough to stay ahead of them. Speed and efficiency make all the difference in effective risk management: if important risk data is not communicated in a timely manner, it cannot inform critical, time-sensitive decision-making. This is why IRM technology is the cornerstone of a connected risk approach.
Achieving the Three C’s of IRM Using AuditBoard’s Connected Risk Technology Platform: A Checklist
For a risk management program to be successful, it must engage the participation of everyone across the organization. Therefore, it must be simple and rely on repetition. If the framework is overly complex and involves complicated steps, it will likely deter front-line business managers and process owners from using it to manage risks. Thus, the more simply you can communicate the goals and steps of your risk program, the better.
Below, we provide an example of a simple framework you can use to implement a connected risk technology platform, based on the three objectives of IRM: Communication, Context, and Collaboration. It also highlights what sets AuditBoard apart from other technology solutions — the unique ability to connect people to risk through technology.
- Communication. Your operating risk committee — ideally middle management individuals from various risk teams in your organization — should lead the effort of communicating up and down the org chart to foster understanding of the different layers of risk in the business.
- Communicate Up: The operating risk committee should meet with a risk champion from the senior executive committee to understand the goals set by the board and executive leadership. Important items to define or gain clarity on include:
- Enterprise risks: What are the organization’s strategic objectives, and what is preventing it from achieving those business outcomes?
- Operational risks: What are the processes that support these strategic outcomes? What are the risks to those processes?
- Risk tolerance: How much risk can each critical process absorb before it breaks?
- Risk appetite: How much risk is the business willing to take to reach each of its strategic objectives? This helps to identify your business’s critical assets and shape your control environment.
- Communicate Down: Once the organization’s strategic risks, risk appetite, and risk tolerance levels have been communicated from the top, the operating risk committee should communicate this information down to the front line to ensure the business has a clear understanding of the organization’s goals, risk appetite, and risk tolerance levels.
- Context. Based on the risk information communicated from senior leadership, the operating risk committee can establish key performance indicators (KPIs) that give the front line context for measuring the progress of their processes against larger business outcomes. The operating risk committee should also establish key risk indicators (KRIs), based on risk appetite and risk tolerance, to help measure the risks tied to these performance indicators. KRIs enable risk owners to escalate issues when things go wrong so that they can be remediated promptly. Categories of KPI and KRI metrics to define and communicate to the front line include:
- People metrics: What are the people-related risks (e.g. health, safety) that can disrupt internal processes?
- Process metrics: What are the process-level risks (e.g. supply chain, human capital) that can impact the company’s ability to support its business outcomes?
- Tech metrics: What are the technology-related risks (e.g. data privacy and storage) that can disrupt operations and affect business outcomes?
- External events: What are the external risks (e.g. natural disasters, cybersecurity attacks) that can disrupt or halt business processes?
- Collaboration. Having shared metrics enables risk groups to collaborate with the front line on a regular basis to work toward their shared goals. Importantly, different risk groups must coordinate with each other — rather than in separate and isolated department silos — in order to collaborate effectively with the front line.
- Risk professionals should provide regular support to the front line. Risk teams should support the front line in implementing and improving their controls and remediating issues to improve operational efficacy and efficiency. Risk professionals should also meet with the front line on a regular basis (e.g. bi-monthly or monthly) to review any outstanding issues, troubleshoot problems, and communicate any changes to the business’s risk profile, appetite, or tolerance.
- Continuity is key. Risk professionals are responsible for ensuring the front line stays informed of any new or changing risk information in a business process context.
- The operating risk committee should meet on a monthly basis to review operational risk metrics and determine, based on historical trends, whether any are approaching their risk tolerance levels.
- The senior executive committee should meet on a quarterly basis to discuss any issues affecting the business’s alignment with its strategic objectives, and whether these need to be escalated to the board.
AuditBoard’s Connected Risk Technology Platform. Technology is the key that unlocks connected risk management because it is the mechanism that connects your risk data across the business, and your risk stakeholders to each other. Your risk software should create a connected risk environment that enables your risk management processes to operate effectively and in a timely manner. The right technology solution enables a connected risk program by:
- Serving as the unified data core. The technology should synchronize risk data, including risks, controls, policies, issues, and frameworks, into one system of record. The primary benefit of the unified data core is that it enforces a streamlined view of risk, with a common taxonomy and risk scoring criteria, across the business — helping to integrate assurance functions by uniting their data.
- Connecting the front line to the data they need. This enables teams to make better decisions and improve their controls and processes — in a way that fits naturally into their day-to-day job responsibilities. Ideally, the data that feeds the front line’s operational risk metrics is the same data they use for quality management/performance management.
- Enabling important risk management processes to operate at speed. Speed is a crucial ingredient of risk management. Important new risk data must be communicated to the front line and addressed in a timely fashion to enable effective action. In a manual environment, this rarely happens fast enough to matter.
This approach builds in safeguards to ensure that front-line processes and the controls built around them are supportive of business outcomes and integrate with ERM efforts. By doing so, the connected risk model empowers the front line to share risk ownership with the rest of the business in a seamless, integrated way.
Unlocking Operational Risk Management to Thrive in a Volatile Risk Climate
To thrive in a landscape where operational risks are inevitable, businesses must acknowledge the operational gaps in their ERM programs and proactively adapt their risk management strategies. Forward-thinking risk groups that embrace a collective and coordinated approach to risk management, with the aid of the three C’s of connected risk described above, can help their companies bridge the assurance gap between enterprise and operational risk management efforts. This ultimately begins with different risk teams taking the initiative to work together. To learn more best practices for empowering the front line to effectively manage operational risks, download the full guide, Unlocking Operational Risk Management: Empower the Front Line to Effectively Manage Risk, here.