Organisations need to rebuild their risk management structures to cope with the increasing frequency of unforeseen, devastating risk events
In an increasingly uncertain world, organisations need to evolve their risk management frameworks to further enhance their resilience to the unexpected.
While boards once believed they could manage and control risks, today established approaches are often outflanked and outpaced. Board members identified three main shifts in the risk landscape.
First, they feel risk frameworks and processes they have in place no longer give enough protection. Second, they see increases both in the speed with which risk events occur, and the extent to which their impacts on the business become contagious, spreading across different risk areas.
Third, boards sense they are spending too much time and money on running their current risk management processes, rather than being able to quickly and flexibly identify and tackle new risks.
Underlying this shift in the risk landscape is the increasing frequency and impact of black swan risk events that can hit businesses without warning, with devastating effects.
If organisations are to be prepared for these shifts and events, their approaches to and mechanisms for risk management must evolve. Here are five steps for progressing from managing specific risks to achieving wider resilience to risk events.
1) Consider risk across the three categories
Alongside financial and operational risks, organisations also face strategic risk. This may spring from a failure to respond to shifts in the external economic, political or regulatory environment, and includes legal and compliance risks.
It could also result from changes and/or flawed risk assumptions. It is important to note that many businesses have not tended to focus on strategic risk, because they have regarded risk and strategy as separate concepts, rather than seeing taking risk as fundamental to value creation in business.
2) Look at risk through the consequence lens
Identify how you can enhance your risk management framework by adding tools and techniques such as scenario modelling, predictive indicators and particularly ‘reverse stress testing’.
The reverse-stress testing approach effectively accepts that it is no longer possible to forecast events themselves, and instead focuses on managing their effects. For example, an airline might test the impact of Europe’s airspace being closed (as after the volcanic eruption in Iceland). Reverse-stress testing can be an effective way of focusing on extreme events and protecting against unknown risks.
3) Develop a risk-aware culture
Organisations need to move beyond merely identifying, measuring and prioritising the various risks they face towards a broader focus on the resilience of whole systems within which they operate and contribute value. These include the organisation’s industrial, political and financial environments.
It also includes progressing from explicit risk controls to a risk-aware culture, managing risk in a co-ordinated way across different interests, organisational units and external relationships. Risk management should be seen as a vital issue for every employee
4) Focus explicitly on risk appetite
The uncertainty of today’s environment means that just analysing historical data is no longer a reliable way of predicting future events and impacts. Overwhelming boards and audit committees with risk information can actually hamper understanding of the key risk issues. Instead, organisations must encourage boards to be more explicit about the organisation’s risk appetite, and build awareness at all levels of what risks it is willing to bear.
Greater clarity on risk appetite can aid board effectiveness; non-executives, for example, sometimes criticise executives for being too cautious.
5) Align risk and strategy
The alignment of risk and strategy should be a key requirement for enhancing an organisation’s risk resilience. The board must clearly articulate its attitude to integrity, risk and safety, linking this to its view of the organisation’s environment, culture and value proposition. In this way the board will be taking a more holistic view of risk management and the interplay between risk appetite and strategic goals.
Aligning risk and strategy can help the organisation strengthen its relationships with external stakeholders, enabling the board to communicate more clearly on how the business builds a trusted reputation and organisational resilience.
Richard Sykes is governance, risk and compliance leader at PricewaterhouseCoopers
No comments yet