In an era of unprecedented risk volatility, long-term business success requires getting in front of risk. As business leaders across the globe look to the future, they see an urgent need to streamline, automate and integrate their businesses in the face of great uncertainty. According to the Conference Board C-Suite Outlook 2022, less than 40% of CEOs globally say they are “well prepared to meet the challenges posed by a major crisis related to inflation, cybersecurity, supply chain disruptions, or climate change.”
These C-Suite challenges go straight to the core of integrated risk management (IRM) and the business objectives IRM is designed to achieve. In my last post, I discussed the four integrated risk drivers — sustainability, soundness, safety, and security — that businesses need to address in 2022. These risk drivers are specific to today’s risk landscape and directly impact the primary business objectives every organization faces.
As part of my research over the past decade, I discovered four business objectives that apply to organizations in the short term and persist over the long term. No matter the size, industry, or location, every business looks to achieve better performance, stronger resilience, greater assurance, and cost-effective compliance. Here’s why business leaders need to prioritize these four IRM objectives and their underlying risk drivers to meet the challenges of today’s risk landscape and set the foundations for future organizational success.
Four Critical IRM Objectives
The measures of success for business organizations are evolving beyond just financial performance. More and more, the focus is widening to include a better understanding of how well a company is running the business. Operational metrics that measure a company’s performance in areas such as sustainability are now being disclosed more formally and will soon become standard for broad-based, annual corporate reports. Soon, frameworks such as integrated reporting (IR) and the evolving International Sustainability Standards Board (ISSB) disclosure requirements will become the norm for corporate reporting — and will rely on IRM for better risk disclosures.
Now more than ever, businesses must have the ability to expeditiously identify, respond to, and recover from a risk event. Risk events can take many forms — supply chain failure, cyberattack, natural disaster, etc. What is common across risk events is the need for awareness and understanding of what is most important to conducting business. Regular risk assessments, such as a business impact analysis to determine where to focus attention and scenario analysis to practice how to respond and recover, are “must have” activities. IRM provides the ability to orchestrate these activities and strengthen overall business resilience.
How does a business know it is mitigating the right risks in the right way? It requires an integrated approach to defining risk appetite, establishing risk metrics, and monitoring risk on a continuous basis. Organizations that rely on outdated, legacy GRC technology cannot provide the appropriate level of assurance due to their siloed views of risk. What may be acceptable in each silo, such as IT security, may not support the intended level of risk mitigation in other areas like data privacy or health and safety. For example, in a recent survey by leading law firm Baker McKenzie, 68% of respondents say increased cross-border regulation related to data is causing confusion across enterprises. This confusion often results in misallocation of resources to areas of the business that may not be as critical, or that represent lower overall risk in comparison. By having an integrated risk focus, organizations can more effectively analyze the total risk and prioritize efforts accordingly.
While meeting compliance requirements is an increasingly complex endeavor, identifying and remediating areas of non-compliance is now the real challenge for most businesses. New laws and compliance mandates are requiring quick disclosure of non-compliant events under threat of penalty. The penalties will come from greater enforcement of regulations, according to a recent survey by KPMG, which reports that 60% of 600+ survey respondents expect compliance risk to grow. They also conclude that “nearly every respondent expects more regulatory, or compliance requirements related to data privacy, labor relations and the environment in the next five years.” Without an integrated approach to risk management, these complex requirements will result in more penalties and potential reputational harm.
Toward a PRACtical Approach to Risk Management
Using IRM technology to facilitate risk management activities to achieve these four business objectives — Performance, Resilience, Assurance, and Compliance — is not only beneficial, but essential for long-term business success. Organizations must maintain a balanced view of risk in a practical sense so as not to overly emphasize one objective at the expense of the others. For example, overemphasis on performance may result in cutting corners on compliance. While it may serve short-term needs for better performance, it will most certainly result in less cost-effective compliance from greater fines and penalties. That’s why I like to call this a “PRACtical” approach to risk management — a subject I’ll be writing more about as I take a deep dive into each element in upcoming articles.
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture. Connect with John on LinkedIn.