Developing a mature risk strategy

Risk strategy drives an organisation’s ability to respond effectively to today’s dynamic world. But not all risk strategies are at the same level of maturity. Ladd Muzzy, Principal at NASDAQ BWise, provides some advice on how to develop and maintain strong performance in this area.

What is a mature risk strategy?

A mature risk strategy is one that is supported by the Board, nimble to respond to threats, malleable to adapt to business change, and inherent in the organisation’s day-to-day activities. Employees are cognisant of the risk appetite and tolerance of the organisation and understand the relevant risks as part of their actions. They also understand the potential upstream and downstream implications as part of the product or service value chain. Escalation mechanisms are transparent and efficient, without fear of reprisal. Finally, a mature risk strategy aligns with the remuneration programme of the organisation to reinforce desired behaviours.

In the context of the changing economic and political landscape why is achieving a mature risk strategy so important?

A mature risk strategy is important not only to respond to changing economic and political conditions, but to grow with confidence and with greater speed. Mature risk management practices are holistic and efficient, working across the business, the support functions, and audit. Practices align with corporate strategies and objectives, corporate governance, employee education and communication, and performance management, and provide dynamic updating and reporting to the Board, regulators, executives, and other stakeholders (like vendors). Mature risk management practices also utilise and recognise the need to quantify risk. This is helpful, for example, in assigning capital based on the “riskiness” of the business.

Managing risk in this manner assures that resources are optimised and provides the insight to adapt to any change, whether it’s political, economic, or business related. Risks can be easily understood across the organisation, and actions can be aligned to assure that harmful risks are thwarted and opportunistic risks are taken advantage of.

In what two or three ways do organisations typically fail to achieve a mature risk strategy?

There are a few ways that organisations fail to achieve a mature risk culture. First, there is a lack of relevancy of risk management. Risk taking and risk avoidance need to be an unequivocal part of the business and of business decision making. Risk management must not only analyse the past and understand business stressors, but also try to be predictive.

Second, risk management is not a “one and done” exercise. Risk is ever changing, and businesses are being disruptive like never before. Technology advances, non-traditional competitors, and threats, like cyber, occur much more frequently than they have in the past. As a result, the days of having a relevant annual risk assessment have passed. Risk, whether implicit or explicit, must be part of the daily conversation of the business.

Third, there is a failure to try to quantify risk. Immature risk management organisations struggle with defining risk in qualitative terms. This creates confusion and inconsistencies in messaging, leading to a suboptimal management and control environment and inefficient capital expenditures. For example, does each business and function define a “high” or “critical” risk the same way? A common taxonomy is essential for consistently articulating the organisation’s risk profile. Moreover, it allows for the disaggregation of risk into its parts. GRC software can be instrumental in facilitating this. This will set the impetus for detailing where risk activities are deficient or where more risk may be able to be taken. Finally, defining risk in this manner aligns better with the organisational processes of how products and services move from one area to another.

What are the key ingredients of a highly developed risk strategy, from the point of view of the senior management?

Senior management looks for a few factors in a highly developed risk strategy. These include: dynamic and holistic reporting; sustainable risk practices; ties to performance management and employee conduct; explicit links to the strategies and business objectives; awareness and action to identify, assess, manage, and communicate risk concerns (or opportunities); compliance with applicable laws and regulations; and enabling technology, software (e.g. GRC software) and tools to operationalise risk management.

What two or three challenges do organisations face in creating a mature strategy and ensuring it is implemented?

There are a few challenges in creating a mature strategy and ensuring that it is implemented. The first challenge is people. There is typically a disconnect between the conduct and incentives employees have to take risk and those for avoiding unwanted risk. Employees must take the time to assure that risks are prioritised and actioned in an efficient and effective way. The second challenge is technology. Many organisations have latent systems and software that don’t always create the transparent data necessary to make informed, risk-based decisions. Having integrated risk technology and software that can identify sources of risk and pull them together is critical to assuring that risks aren’t missed or evaluated inappropriately. Another challenge is not having a common taxonomy for risk management. Some functions may value and treat risks differently than other parts of the company. This leads to confusion, incorrect reporting, and no real value driver for risk management actions.

How can organisations overcome these challenges?

Organisations can overcome these challenges by being practical and pragmatic. For people, having a clear tone from the top on what is expected in understanding and managing risk is paramount for setting a strong foundation. Creating and sustaining ongoing training for employees is also crucial for appropriate risk management behaviour. This includes an understanding of the relevant, key risks and their interrelationships within the business for each role.

Technology is widespread, and what is needed, as mentioned, is a platform to structure, organise, and analyse data. Although a single system is ideal, it usually isn’t practical or applicable. Organisations use many systems, and risk data exists in many different places. Pulling it together is an investment.

Additionally, the right taxonomy makes a holistic view easier than pulling it together piecemeal. The common language that is created by this process becomes invaluable as risks are communicated to the Board, executive leadership, and external stakeholders like regulators. This requires an understanding, from the business perspective, of who is asking for risk information, why, and the value of spending time on risk management instead of value-add business activities. The second-line functions must coordinate with one another to share what is needed, how it is collected, how it is used, and for what purpose. This begets commonalities in the process and output, leading to efficient use of organisational resources.

How should organisations ensure that their approach remains relevant as times change?

Change in business is constant. This necessitates that risk management practices are fluid and not a once-a-year set of activities. For example, risk events, such as cyber-attacks or fraud attempts, can occur multiple times a day. This erases any feasibility of an annual risk assessment being effective.

To remain fluid, risk management must be part of the everyday activities and thinking of every employee. Collaborating and getting educational and communication cues from support functions like IT, enterprise or operational risk, compliance, vendor management, and audit ensures that risks are identified, understood, and appropriately addressed. This necessitates an understanding of the business and what it’s trying to achieve, and that risk and risk management activities are properly communicated to the business. This symbiotic relationship of sharing information assures that risks are prioritised and addressed in a timely fashion.