Why silos are the biggest threat to your risk process
2 May 2019 - By Maeva Charles
Every year you evaluate your risks and include them in your financial report. You do a cursory scan of the issues in the industry, take a look at the company’s past performance, challenges and consult internal experts to ensure you haven’t missed anything major. This superficial approach to risk management is common, but it is not doing nearly enough to protect the company.
Business operates in the midst of a risk culture: we see companies folding, banks crashing, reputations dying. Perhaps there is a sense of inevitability, a lack of resources or simply no drive to look at things differently. But in our risky world, companies can be better at mitigating their own risks, strengthening their positions and protecting their futures. You just need to look beyond the numbers.
What is a risk process?
There is a pretty standard approach to risk, which can provide an understanding of everything that can affect the company:
- Work out who the risk owners are. These are the people who can tell you what risks the company has.
- Identify the risks. Are those new? Are those related to existing risks and represent a variation of something you have already identified and/or addressed?
- Assess the risks. To what extent can the risks impact the company, and what measures do you have in place? At this point, you will be looking at two types of risk: generic (for everyone) and residual (for the company, depending on mitigation).
- Mitigate the risks. What do you want to do to address the risks even more? This is linked to your risk appetite: to what extent are you comfortable having those risks?
- Monitor the risks. Now that you have measures in place, what do you need to do to keep the pulse of your risks, especially when things move quickly?
Click to enlarge
On paper, these five steps look pretty simple, yet most companies don’t have a solid and formalized process in place. Why? Most of the time there is just one person responsible for risk. They might be in touch with the board, for example, and they may know all the relevant people internally and know what is happening. But their approach is often not structured or systematic – they have no real risk process in place. They lack the tools they need to get the right signals at the right time from the right people.
The benefits of a robust risk process
A good risk management process makes a company better equipped to deal with things that might have negative impacts on the business. Those things aren’t just financial or operational – in fact, some of the biggest risks your company is facing are probably environmental, social or governance-related.
When I spoke recently at the RIMS 2019 annual conference about changing the risk management culture and future-proofing your organization, I showed delegates that day’s New York Times cover. Climate change, human rights, sexual harassment, terrorism: almost every story was a potential risk for companies. So in addition to understanding financial risks like volatile exchange rates and operational risks like fire, you need to think more broadly about what is happening around the company – you need the full spectrum of ESG topics in front of you to get the true picture.
Forget silos if you want to manage risk
Getting a comprehensive overview of the company’s risks necessarily involves talking to everyone with a stake – desk research and a few clever applications aren’t a good substitute for capturing a wide range of input from people. To be able to get a holistic view of risks for your company you will need robust data and the ability to talk to different departments, in other words you need to start breakdown walls – or you take a chance at missing crucial risks for your company.
Although it can’t capture everything, technology like AI-based Datamaran is a great way to get signals of risks that may be up ahead that you can then check with risk owners. With the information you collect, you have something on which to base a constructive conversation about risk – a starting point. You can ask if the risk owners have heard about certain emerging topics in their operations. You can see things on your radar, helping you be less surprised and more proactive while giving your risk process a fresh look .
Risks of not having a risk process in place
There are no sanctions for getting it wrong. There are, though, real consequences for the company. At Datamaran, we are working on a pilot project with Novo Nordisk, running a risk inventory that breaks down their risk factors into three elements: event, cause, and consequences. Here it is in action:
- Event = deviation from standard practice – failure to attract, train and retain talent.
- Cause = what gives rise to this – fierce competition, inadequate benefits or bad corporate culture.
- Consequences = result of the event – high HR costs, expertise gaps, and competitive disadvantages.
Click to enlarge
The risk itself is the event, but by analyzing it like this, you can see how it can help identify the right people to talk to about each risk – relevant stakeholders could be revealed by thinking about the causes and consequences of a risk as well as the risk itself.
How does your company view and manage risks? Are you having all the right conversations? I challenge you to look at your risks in a different way – think about their causes and consequences, and look for new people you can talk to about the road ahead. I challenge you to be more proactive in setting up your risk process – before it is too late.
Global Insights Report: The Three Big Wake-Up Calls For Boards
The events of 2020 brought risks related to public health, climate change, and diversity, equity, and inclusion to the forefront of public consciousness. Yet, too many businesses are failing to incorporate external and ESG risks into their long-term strategies and to think about business model innovations to reorient towards long-term value creation.
Published jointly by Datamaran and The Conference Board, this Global Insights Report examines how some of the largest public companies reacted to the events of 2020 in their corporate reporting. It considers how senior executives and Boards can apply this knowledge in addressing other systemic and external risks.
Get your complimentary copy now and learn how to use real-time data to monitor the external risks landscape and stay on top of trends.