The risk management methodologies in play for most companies today were developed before the turn of the century. In effect, risk management is often an analog approach being applied in what is now a digital world. More importantly, if enterprise risk management (ERM) is a standalone process, it is suboptimal. More needs to be done to elevate risk management to help organizations face the dynamic realities of the 21st century and truly leverage the advances of digital, cloud, mobile and visualization technologies, exponential growth in computing power, and advanced analytics to embed deeper and more insightful risk information in strategy-setting, performance management and decision-making processes.
Now that COSO has released its updated ERM Framework, every company has an opportunity to take a fresh look at its risk management. For example, take risk reporting. The business environment features rapid advances in and applications of digital technologies and rapidly changing business models. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile, flexible and nimble in responding to a changing business environment. For most organizations, today’s risk reporting falls short of that objective.
To impact decision making, there are three questions risk reporting must address:
- Am I riskier today than yesterday?
- Am I going into a riskier time?
- What are the underlying causes?
Risk reporting faces multiple challenges. Traditional methods of risk measurement tend to generate information that is difficult to aggregate and interpret across multiple types of risks, lines of business and geographies. Traditional risk reporting lacks transparency into the underlying data, making it difficult to assess the direction and speed of risk, understand the drivers of risk, consider risk in the context of enterprise strategy, and enable a robust risk appetite dialogue. As a result, the amount of manual effort required to collect data from multiple sources, update metrics and create PowerPoint presentations to deliver what decision makers require is often excessive. “Dynamic” is certainly not the word one thinks of when describing the process. Is this the way organizations should report risks during the next five to 10 years?
To combat today’s rapidly changing marketplace, companies need a more comprehensive, comprehensible and actionable snapshot of their organizations’ risk profile so that risk officers, board members and shareholders become more confident that they understand their critical risks – and can quickly take action when risk levels are rising or falling. Furthermore, a more agile and nimble process would enable value-added risk analysis, resulting in more insight for decision-making. The Protiviti Risk IndexTM is an example of an innovative approach to risk reporting made possible by combining an effective, efficient, and customized risk management tool with leading data visualization technology (see discussion of the Protiviti Risk IndexTM on our website).
Simply stated, risk reporting is often not actionable enough to support decision-making processes. Until it is designed to answer the above three questions, it won’t. And once it does, it elevates the organization up the information hierarchy from reliance on lagging retrospective indicators so typical of most performance management systems to incorporating a more balanced family of measures that includes leading indicators and advanced analytics to drive value-added insights, competitive intelligence and early mover positioning.
The integration of performance management and risk management on matters of strategic importance is where corporate performance management systems often fail. As a result, the organization is unable to monitor the vital signs that help anticipate emerging opportunities and risks. Effectively integrated with performance management, risk reporting is a key to evolving ERM from a “risk listing” process to a “risk informed” decision-making discipline.
In summary, risk management for most companies has not fully leveraged the powerful tools that have emerged in the 21st century – increased computing power, digitization, advanced analytics, mobile and visualization techniques, among others – and the capabilities they make possible. Until it does, management can’t get serious about tying ERM into strategy, performance and decision-making – key themes emphasized in COSO’s updated ERM Framework. The whole idea is to enhance the odds of the organization achieving its objectives by enabling it to become more adaptive and agile in the face of an increasingly volatile, complex and uncertain world. As a result, management and the board can face the future more confidently.
It’s time to take another look at your risk management. If you agree, join our free webinar on October 12 – register here.