2023 is shaping up to be a pivotal year for business leaders. On your connected risk journey, careful planning and guidance from audit, risk management, and compliance professionals are essential for business success when facing risk challenges such as digital transformation, climate change, supply chain disruption, and economic uncertainty.
In this episode of Speed of Risk, John Wheeler, Former Gartner IRM Analyst and Senior Advisor, Risk & Technology at AuditBoard, shares a connected risk map to help your organization reach its destination and sustain for the next adventure including:
- Navigating the decade of uncertainty with greater risk visibility.
- Understanding the business outcome first to adopt a future orientation and a more complete view of risk.
- Taking a PRACtical approach to risk with a balanced view of performance, resilience, assurance, and compliance.
- Integrating risk frameworks and metrics to improve visibility and understanding.
Watch the full conversation, and read the can’t-miss highlights below.
Living in the Decade of Uncertainty Requires Greater Risk Visibility
“This is the decade of uncertainty. A leading global forecaster, Kristalina Georgieva, she’s the head of the International Monetary Fund, predicted the future back in January 2020 when she said, “If I had to identify a theme at the beginning of this decade, it would be uncertainty.” How could she make that statement? Well, they had been working at the IMF on a major research project for about a year in advance of that statement, and they were about to release their World Uncertainty Index. This is a leading risk indicator for all of us as to where we’re headed. Now, this World Uncertainty Indicator (WUI) includes data on 143 countries with at least 2 million in population. It comes from the Economist Intelligence Unit, and their reporting on these 143 countries across a range of data, including economy, policies, and politics, in each individual country on a quarterly basis measuring back 60 years — so, a huge data set. When this was published back in the beginning of 2020, this index was at its highest point in history, and this was just before the pandemic really took full force. It continues to trend higher today, and with greater volatility, as Ms. Georgieva predicted.”
“I live in Atlanta, Georgia, in the southeastern United States, and love to go up to the Blue Ridge Mountains… we were rushing to get everything in our car so we could get out of town and up the mountain. I had checked detailed weather forecasts and was prepared for a huge snowstorm that was going to hit. My wife, on the other hand, was looking at the traffic indicators showing a huge amount of traffic leading out of town. So while I was rushing to try to get everything into the car while my wife was at a more leisurely pace, we were working off of different risk indicators. We finally headed up the mountain, and lo and behold, the snowstorm hits. I was prepared, and I put on my tire chains. We continued up, and we started to see cars on the left and the right off into the ditches. As they sped into the turns, they just went straight off. Luckily, as we headed into those turns, we knew how treacherous it was, we also were prepared with those tire chains, we had an all wheel drive vehicle, and we accelerated up the mountain to our destination.”
“Now, this is very similar to what we face today, and what we’ve already faced. It really goes to show there are two key elements that you need to keep in mind as an audit, risk, and compliance leader when you’re headed up this mountain.
- Operational Disruption: The first is the fact there’s going to be major operational disruption. Just like the snowstorm, we’ve already dealt with the pandemic, we’ve dealt with the war in Ukraine, uncertainties with geopolitics as well as with supply chains, de-globalization, unstable environments. As you start to head into these turns of operational disruption, you’ve got to really slow down ahead of the turn and gain greater visibility and understanding of what you’re headed into.
- Digital Acceleration: Then on the other hand, organizations recognize we’ve got to navigate this turn, and do it at speed so that we can be at an advantage — get through the turn safely and ahead of the cars that unfortunately met their fate. So just like navigating through that turn and accelerating out of it, we’re seeing digital acceleration. We see it not only in investment by companies to make sure that they’re heading out of these turns into a future of new products and services that will be added growth for their companies and their stakeholders, but we also see the need for greater risk management using digital means, and making sure that we can prepare for the safety challenges that we may have with future pandemics. Certainly, sustainability challenges that we face with climate and the environment, but also within the business, and sustaining their operations on a go-forward basis. Growing at speed and maintaining that pace is huge.”
“Getting up this mountain of uncertainty, you need a special vehicle, and that vehicle needs to be equipped to give you greater risk visibility looking into the future, but also greater risk understanding based on where you’ve been and what you’ve seen. It needs the ability to monitor, measure, and inform, both by current readings that you may have on your dashboard, but also future warnings that you may receive, as new vehicles come equipped with heads-up displays. What is coming ahead? How can we prepare?
But this vehicle is simply an enabler. It’s the way you’re going to get up the mountain, but the real answer lies in the ability to bring it all together with a combination of risk visibility and understanding that it takes to accelerate up that mountain safely. The answer is not the vehicle itself, the answer is you, as the audit, risk, and compliance leader.”
Taking a PRACtical View of Risk: Performance, Resilience, Assurance, Compliance
“So what are CEOs really interested in as it relates to risk management? What are they seeking in greater investment? They are looking for an integrated, practical approach to risk management that’s coupled with a balanced view of risk. Coming out of Gartner, I’ve put together a model that I call the Integrated Risk Management Navigator, which I’m going to share with you today, and talk to you about how my conversations and research into the chief executive officer, and that person’s needs as it relates to risk management, manifest in a more integrated approach to risk management.
- Performance: It all starts, in the CEO’s mind, with performance, the P of the PRACtical risk approach and risk objectives. The reason we start with performance is the fact that, very often, CEOs and their teams may not truly understand or consider the risk as it relates to their performance goals. On the flip side, as audit, risk, and compliance leaders and professionals, we don’t fully understand where those performance goals meet execution, and the risks in trying to achieve them not only for financial purposes — which is a large part of the focus because our corporate reporting is so heavily loaded with financial results — but more and more for non-financial performance. ESG is leading the way in creating a new integrated corporate report that will produce metrics, not only for ESG, but for other risk areas that are super important to stakeholders, things like quality and safety that haven’t been reported before.
- Resilience: Quickly on the heels of performance, CEOs need a better understanding from a resilience perspective, the R in the PRACtical risk objectives. Resilience not only includes a focus on, as we all know, supply chain risk, because the supply chains have grown so complex and fragile and they span boundaries across the globe. There’s a whole re-fortification of supply chains, but it’s looking at it from a business continuity perspective, and how to create a risk playbook for effective response and recovery from a major risk event.
- Assurance: But then you come to the “A” of the risk objectives, and that’s assurance. This is where a lot of us get our bread and butter, in making sure that our organizations are addressing the right risks in the right way.
- Compliance: Then finally, the “C” of PRACtical risk objectives is compliance. Compliance I have at the end, because CEOs told me in my research that compliance is certainly important, but without an understanding of the first three (performance, resilience, assurance), compliance adds very little value. Where compliance can add great value is by understanding the first three, and the relevance of compliance to the business at large, and how things like IT, cybersecurity, are addressing risks in those most critical business processes. But even more important, they told me, was the fact that areas of noncompliance have to be identified much more quickly, and it all has to do with the shifting nature of regulation and the need to disclose these areas of noncompliance in a very short timeframe. For example, GDPR, of course, any sort of privacy issue has to be disclosed in 72 hours, and that requires a lot of upfront work and coordination to be able to pull that off when it actually happens.”
“Now that you have a better understanding of the four objectives, and why they’re PRACtical in the mind of the CEO, I want to share with you how they’re connected. To be successful, these four risk objectives must be linked through greater risk visibility, as well as through greater risk understanding. The visibility comes from a horizontal view of risk across three primary risk domains, technology and cyber risk, operational risk, and strategic or enterprise risk.
These three areas have a very specific focus when it comes to risk assessment. Oftentimes, while it’s very informative of the risk in that domain, it doesn’t provide the full understanding that’s necessary for real business decision-making. I think many of you will agree that on the technology and cyber risk side, most risk assessments are focused on the technology asset — hardware, software, data — and understanding the key threats to that asset, but also the inherent vulnerabilities that are part of the asset, and their creation and maintenance on a go-forward basis. Now, a lot of times that will live on its own without any further context into how those assets are enabling specific business processes, and most importantly, the most critical business processes that organizations need to better understand from a resilience perspective. So there’s a huge need to connect those asset-based risk assessments into a business process view.”
“Not only do you have to have that broader horizontal view and greater visibility of risk across the business, you need to couple that with a more vertical view of risk that is manifested in two key areas.
- Products and services: these are the key targets, or creators, or generators of risk, that are driving the business forward. That’s where, as auditors, as risk managers, as compliance leaders, we need to start first in understanding where these products and services are taking us. Very similar to what I just mentioned with the mortgage business, where are those mortgage products and services taking us? Are we actually originating subprime loans, but calling them something different? Are there greater risks in those products and services that aren’t readily apparent?
- Policies and Procedures: how you can keep the business on track. What are the right controls? How strong do they need to be? And how are they matched up with the risk appetite so that the folks in the boardroom at the senior executive level have that assurance that the right risks are being managed in the right way.”
“This full, integrated view will provide that context that I just described, but then also start to pull together the four risk objectives in specific risk areas, and start to enable key business leaders to connect the dots. For example, you’ve got specific risks that may be aligned with an objective more over another, but they’re highly connected to other objectives.
ESG risk, for example, is going to be a real challenge for organizations as they continue to produce these sustainability reports. 98% of the S&P 500 are producing sustainability reports, but as they truly get into the data, and go from scope one to scope two to scope three, broadening out the perspective of how key vendors and suppliers are contributing to their metrics, they’ve got to understand that supply chain risk, they’ve got to understand the legal risk associated with having the appropriate remedies built into the contracts to make sure that they can drive the change that’s necessary. But then you also have the connected challenges with vendor and third-party risks from a performance realm. You need those vendors and third parties to drive digital forward, but at the same time, you’ve got to make sure that they’re compliant from an IT perspective because their risks are really your risks. So, having that visibility and understanding, and being able to act upon it, is so crucial.”
Speaking Executives’ Language: Good Risk vs Bad Risk
“As you begin to talk and build new relationships with executives, and helping them gain a more integrated, balanced view of risk, you also have to start speaking in their terms. What we have all been trained on and conditioned to focus on from a risk management perspective, is the heat map. The heat map helps us understand, what are the high risks within the organization, what are the low risks in the organization, driven by both impact and likelihood. This is more of a tactical view that is necessary, and it cannot go away, but it is focused on loss minimization, and it’s borne out of the insurance industry in helping to drive residual risk to its lowest point.”
“Now, I can say this with certainty, when I would present a heat map to senior executives, their eyes would roll back in their head, because they knew that, unless you’re in the insurance industry, this is not going to help drive the business forward. While it may help avoid those losses, it’s not going to help grow the business in any way.
What CEOs are really interested in is a more strategic view of risk that’s focused on performance and resilience. What they want to talk about is how risk appetite, or the amount of risk they’re willing to take, compares with the value of the activity that they’re looking to engage in. So the conversation goes from a high to low risk conversation, to, what’s the good risk versus the bad risk? How can we be smarter about taking risk? That’s where, really, the conversation with them begins, and it starts to put it in a different context from what I would call the risk treatment plan to drive those losses down to zero, to more of a business case view and understanding of how risks fit into the set of opportunities that lie before the organization, and how can either taking more risk or less risk allow the organization to move forward, and move forward at an advantage to their competitors.”
Connected Risk Means Going Beyond Expecting to Embracing the Unexpected
“These new business priorities all point to future risk, and create a new demand for connected technology that can tie these risks together and inform better business decision-making. Going back to my initial analogy to the car and the driver, the car provides all sorts of information — and it’ll provide a lot more information into the future — but it’s the driver that makes all the difference in understanding how these things relate to one another. It really comes in the form of connected risk.”
“Connected risk, I will tell you, is the combination of people and technology and managing risks, and providing greater visibility and understanding of those risks. As you saw here at this event, with the unveiling of the connected risk dashboard, that information is critical to making superior business decisions. But I’ll tell you, the dashboard is just the start. The dashboard, much like a car, tells you what’s happening today. What you also need to have in place is an understanding of what’s coming ahead. And so, similar to innovations in electric vehicles and others with heads-up displays, with a windshield view of what’s coming, that’s what’s coming with AuditBoard. More focus on leading risk indicators, like the World Uncertainty Index, but also leading risk indicators that are specific to your own risk profiles.”
“Pulling those together in a way that gives you the ability to act, and that’s the real difference. By connecting risk in this way, you’ll take your organization beyond simply expecting the expected to embracing the unexpected. It’s those leaders and organizations that embrace the unexpected, that are prepared for the unexpected, that are going to speed through the turns, pass the other cars who are in the ditch, and be at a greater advantage.”