As risk professionals look ahead into 2024 and beyond, there are a number of key risks they will need to monitor and prepare for. According to Aon’s annual Global Risk Management survey, the following five current risks are of greatest concern for risk professionals and business leaders in 2024, listed here with some of the firm’s top mitigation tips:

1. Cyberattack or Data Breach
Survey respondents ranked cyberattack and/or data breach as the top risk for 2024, with 18% of respondents indicating cyber-related risks contributed to a loss for their organization in the past 12 months. After declining in 2022, ransomware attacks jumped 176% in the first half of 2023, according to the report. On a positive note, 89% said their organization had set up a plan to respond to cyberrisks. To mitigate the impact of a cyberattack or data breach, the report outlines four key strategies:

Identify and assess cyberrisk. Aon suggested collecting and examining data and insights related to any exposures and impacts to inform leaders’ decisions to mitigate, avoid or transfer cyberrisk in the future.

Mitigate cyberrisk. There is a lot that goes into mitigating cyber-related risks, including staying on top of evolving threats, which usually coincide with new technologies, and conducting organization-wide cyber-defense training to emphasize the importance of complying with cybersecurity measures.

Prepare cyber-incident response and recovery. Whether accidental or malicious, cyber incidents are unfortunately inevitable at this point. Every organization should have plans in place for incident response, containment and investigation efforts.

Transfer cyberrisk. Risk transfer is important to ensure financial resilience. In addition to traditional insurance placement, captive insurance and alternative capital are also viable approaches for some organizations to protect their balance sheets.

2. Business Interruption
Whether the cause is a natural disaster, global pandemic or political conflict, losses can be significant and put an organization at risk. With so many complex issues constantly at play, respondents identified business interruption as the second-highest risk. While business interruption claims are often out of an organization’s control, Aon offered a few best practices to help mitigate losses:

Regularly revisit and update crisis management and business continuity plans
To reduce supply chain risk, a related factor in business interruption, use multiple sources for receiving inventory
Stay in regular contact with your insurance broker to keep business interruption plans updated
Maintain any business operations you can while focusing on recovery

3. Economic Slowdown or Slow Recovery
As consumers cut back on frivolous spending or seek out alternatives to their normal purchases, organizations feel the effects of economic downturns in the form of revenue decreases, supply chain disruptions, financing issues, and labor and staffing troubles. Banking crises and the lingering effects of the COVID-19 pandemic also contributed to the most recent economic slowdown.

Aon research shows that economic slowdowns happen about once a decade, but it is not an exact science. To brace against the impact of economic slowdowns, Aon recommended that organizations:

Increase cash reserves. If possible, focus on increasing the amount of cash your business has on hand so that it can still meet financial obligations during a period of revenue decline.

Implement strategies to minimize workforce disruptions. Conduct skills assessments and job architecture planning, for example, to provide an organization with detailed insights to identify opportunities to reskill or move employees to other areas.

Increase focus on related risks. Focusing on recovery or maintenance during an economic slowdown is great, but do not turn a blind eye to other related risks, such as cyberattacks, supply chain issues and regulatory risks.

Diversify. Switch up investment strategies, supply chains and customer bases to get the most out of your business while the economy is slowing down or recovering from a slowdown.

4. Failure to Attract or Retain Top Talent
Recruiting and retaining top talent has been a business issue for years, and that will not change any time soon. Companies are constantly struggling to balance the need for top talent with the need to be fiscally responsible, and sometimes tough choices need to be made. While recent inflation seems to be nearing its end, businesses are still reeling from the effects of a sustained period of high costs for materials and other major expenditures. As a result, hiring has either halted altogether or positions come with lower compensation packages, making it harder to reach top-tier candidates. Workers are also demanding different working conditions. For example, remote work boomed during the pandemic, and now many workers will not even consider a company requiring in-person office work, especially as many viable employees choose to live where housing is more affordable, which does not always align with where top companies are.

According to Aon, one way to ensure your organization is not missing out on recruiting and retaining top talent is to recognize increases in cost of living and improve salary packages, whether in the form of higher base salaries or stock options.

5. Regulatory or Legislative Changes
Constant activity from regulators and lawmakers impacts thousands of businesses. Organizations must stay on top of the latest changes and make sure they remain in compliance with regulations or risk hefty fines, among other potential consequences. Organizations have a few options for mitigating the impact according to Aon, including:

Set up an in-house team to track regulatory and legislative changes and implement compliance measures
Find ways to influence the development, passage and implementation of new laws and regulations
Clearly communicate the new rules to employees


Source:  Jennifer Post is an editor at Risk Management.


Trends reshaping risk management include use of GRC platforms, risk maturity models, risk appetite statements and AI tools, plus the need to manage AI risks.

Enterprise risk management has taken center stage in many organizations as they grapple with the lingering effects of the COVID-19 pandemic, economic uncertainties, the rapid pace of business change and other potential business risks.

Forward-looking corporate executives recognize that stronger risk management programs are required to remain competitive in today’s business world. For example, one aspect of the current enterprise risk management (ERM) landscape that companies must contend with is the connectivity of risks between different organizations.

Businesses are increasingly interconnected with partners, vendors and suppliers across global markets, complicating various types of risks they face, explained Alla Valente, an analyst at Forrester Research.

“We find that when there is significantly more risk in one of those categories it can have a ripple effect that impacts other categories,” she said. The business impact of a local natural disaster, the ongoing wars in Ukraine and Gaza, higher interest rates or other developments can cascade across an entire supply chain worldwide. Along with other factors, that makes effective risk management a prerequisite for continued business success.

But there’s a lot for risk managers to keep up with. Here are 12 security and risk management trends that are reshaping the ERM process and influencing business continuity planning and risk mitigation efforts.

1. Risk maturity models consolidate workflows
More enterprises are considering a risk maturity model as a way to manage the growing interconnectedness of risk vulnerabilities, Valente observed. This method mirrors other frameworks like the capability maturity model widely used in software development. Adopting a risk maturity model requires addressing risk management processes and technologies that can support them.

On the process side, risk management leaders must put together a team of risk stakeholders. This team should combine the technical and business expertise necessary to make fast and intelligent risk-based decisions, establish ERM policies and procedures, and implement the proper controls. Risk managers also need to establish processes for consolidating ERM workflows across disparate entities.

The technology side includes the IT infrastructure for centralizing and contextualizing information about risk management and automating risk policy enforcement.

2. ERM technology stacks expand into GRC
Enterprise risk management has expanded beyond financial issues to also reach into cybersecurity; IT; third-party relationships; and governance, risk and compliance (GRC) procedures. A comprehensive GRC platform can be a critical integration tier for all types of risk management activities. An organization can use one to create and manage policies, conduct risk assessments, understand its risk posture, identify gaps in regulatory compliance, manage and respond to incidents, and automate the internal audit process.

CIOs need to confirm that their risk management technology stack is adequate for each task and used proactively, not just reactively, Valente said. Consider integrating the following functions into a more comprehensive technology stack:

Risk intelligence tools to analyze geopolitical risks, natural disasters and other incidents.
Third-party risk assessment tools to track sanctions, security incidents and financial health in other organizations.
Cybersecurity systems to assess the potential impact of security vulnerabilities, data breaches and cyberattacks.
Social media monitoring capabilities to identify sudden changes in brand reputation.

3. ERM seen as a competitive advantage
Organizations now often view risk management as a way to increase their competitive advantage instead of simply a risk avoidance exercise, especially since the onslaught of COVID-19.

“Although many companies suffered economic losses during the pandemic,” Valente noted, “we also saw many companies pivoting to new opportunities that did not exist before.”

Valente’s research team has been exploring the differences between traditional chief risk officers who are laser-focused on minimizing risk and so-called transformational CROs who see risk management as a competitive differentiator that can prevent risks from interfering with business strategy and limiting revenue streams.

“Companies with a transformational approach to risk can mobilize their teams and business leaders quickly to jump on a new gap in the market,” Valente explained. When, for example, Ikea’s store traffic plummeted during the initial pandemic lockdown, the furniture retailer quickly implemented a new contactless pickup system that let customers securely pick up their purchases, according to Valente.

4. Wider use of risk appetite statements
Risk appetite statements emerged in the financial industry to improve communication with employees, investors and regulators. Some risk is required to expand a pool of loans, but if too many customers default, a bank needs a program in place to trigger decisive action. For example, banks might establish a safety baseline for mortgage defaults or fraudulent transactions that still lets them turn a profit.

Risk appetite statements are starting to gain popularity in other industries to replace rudimentary “check the box” exercises with a process that more definitively guides day-to-day risk management decisions, observed Chris Matlock, vice president and advisory team manager for the corporate strategy and risk practice at Gartner. There’s a caveat, though.

“It is difficult to do,” Matlock warned, but “the payoff for organizations that do it is extremely high.”

He explained that companies face numerous challenges in creating an effective risk appetite statement. Some executives believe it could limit their ability to pursue new business opportunities, while others are concerned that a poorly worded statement might be misinterpreted as condoning unacceptable practices.

5. Subject matter experts expedite risk assessment and response
Bringing all the risk information together is important, but experts are also required to make sense of it. Enterprises are increasingly using their GRC platform to create an informed network of subject matter experts for critical projects, Matlock said. When issues spanning multiple departments emerge, such as a security incident involving IT, legal and HR, an appropriate panel of experts in those areas can quickly assess the risk and take required actions.

Risk assessment at the beginning of a new project is table stakes now. Devising the best plan and creating a process that supports a timely risk response yields the best results. “It is the maintenance of risk and the timely response to risk throughout a project’s lifespan that has the biggest impact on success,” Matlock said.

6. Risk mitigation and measurement tools multiply
Tools for actively measuring and mitigating risks are getting better, said Keri Calagna, a principal at Deloitte who is the professional services firm’s advisory leader on strategic risk and resilience in the U.S. Among the improvements are internal and external risk-sensing tools that help generate the risk intelligence needed to detect trending and emerging risks.

In addition, Calagna reported that enterprises are turning to more integrated tools that do the following:

Present a holistic view of risks across the organization.
Capture leading risk indicators to show how a risk is trending.
Promote accountability for the actions taken to mitigate risk.
Provide real-time risk reporting to aid in management decisions.

Expect a rise in scenario planning and assumption testing capabilities, Calagna said. Companies are also using simulations, war games, tabletop exercises and other interactive workshops to promote more cross-functional thinking about risk management and help assess the impact of different future events on corporate business plans and strategies.

7. GRC meets ESG
Another enterprise risk management trend is connecting the dots between business risk and environmental, social and governance (ESG) agendas.

“As companies begin their ESG risk planning, they should ensure that the actions they are taking are significant and genuine,” cautioned Cliff Huntington, general manager of software vendor OneTrust’s GRC and Security Assurance Cloud product suite. Organizations need to demonstrate that they aren’t just greenwashing and are instead making measurable progress as part of their ESG strategies and programs, according to Huntington.

“Business leaders,” he said, “are realizing that ESG risk is a business risk and are taking steps to mitigate it in conjunction with their enterprise risk initiatives.”

8. Extreme weather risks grow in importance
With crisis events like extreme weather growing in impact and frequency, CEOs and boards of directors will be called on to implement risk management strategies to mitigate the impact on employees and business assets. In 2023, there were a record 28 billion-dollar weather and climate disasters in the U.S. that caused a total of at least $92.9 billion in damages, according to the National Oceanic and Atmospheric Administration.

“With extreme weather now a norm, CEOs will need to learn about risk mitigation to protect their assets, employees and bottom line,” said Mark Herrington, CEO at OnSolve, a software vendor that offers a critical event management platform.

9. Integrating risk management with digital transformation
As business operations increasingly go digital and IT environments become more and more complex, enterprises are increasingly adopting an integrated GRC, or IGRC, program to simplify their risk management activities, said Elizabeth McNichol, a principal at PwC and enterprise technology leader in its U.S. cyber, risk and regulatory consulting practice.

“Due to decentralized, overly complex systems, many companies are not aware of all the kinds of data they have, how it is organized or even if it may be noncompliant with the law,” she said. Rules for how organizations handle data and comply with regulations should be clear, straightforward, universal and grounded in a risk-based approach, McNichol added.

IT plays a critical role as both a driver and enabler of IGRC. CIOs and other IT leaders must work with business managers to identify, assess and mitigate risks in accordance with a company’s risk appetite. An integrated governance model can help by coordinating strategy, people, process and technology objectives across the enterprise. These steps are crucial for ensuring the risk management component is successfully integrated into broader digital transformation plans.

10. Enhanced and contextualized risk monitoring
Kumar Avijit, practice director for cloud and infrastructure at technology research firm Everest Group, is seeing increased demand for risk management monitoring tools tailored for various roles and personas, such as CIOs, CISOs and business managers. This is because various executives and business users are defining new risk management priorities and mandates. These tools enhance traditional risk analysis with drill-down views that provide the right level of granularity.

Examples of some of the growing risk priorities for different roles include the following:

CEOs want to drive secure business transformation.
CFOs want to reduce business risks and the cost of data breaches.
COOs want to run resilient business operations.
CIOs want to make security a foundational element of IT strategy.
CISOs want to quantify cybersecurity risks to aid in decision-making.


11. AI augments risk management initiatives
AI will play a growing role in risk management initiatives. Abhishek Gupta, founder and principal researcher at the Montreal AI Ethics Institute, said he expects the following to be some of the most common manifestations of this trend:

AI-driven risk identification and prediction. Machine learning is beginning to be used to identify risks more accurately and faster than humans can. That’s especially the case in dynamic risk management processes for cybersecurity, in which heuristic- or rule-based approaches can become outdated because adversaries are using AI themselves to mount novel attacks. AI and machine learning tools can also monitor risks and predict how they might develop in the future, enabling mitigation strategies to become more proactive.
Use of chatbots. They can answer risk management questions from employees, customers, business partners and other parties that would otherwise need to be addressed by risk managers. Chatbots can also navigate internal knowledge bases to surface risk-related scenarios and incidents that were previously encountered in an organization, thus saving time and preventing redundant investments in resolving issues.
AI in legal and model risk management. AI tools are being used to ensure legal compliance and mitigate related risks. They can also be used for model risk management and stress testing of quantitative and qualitative models to meet regulatory requirements in financial services, insurance and other industries.


12. AI introduces new risks that need to be managed
On the flip side, the surge in interest in AI, driven partly by the emergence of generative AI technologies, also threatens to burden enterprises with various new risks that haven’t been widely considered before now. Gupta predicted that organizations will adopt the following measures to help manage AI risks:

AI risk management frameworks. Progress is expected on case studies and tests to determine whether new AI risk management frameworks, such as one developed by the National Institute of Standards and Technology, are effective. If they are, that would remove a big impediment for organizations in getting started on managing AI risks.
Responsible AI programs. A cohesive responsible AI strategy will be an important component of AI risk management. But some companies likely will struggle to balance idealistic commitments to responsible AI principles with the level of resources required to support and sustain a program. Organizations will need to think seriously about how to achieve that balance.
AI governance policies. This involves establishing guidelines that align the governance of AI systems with an organization’s values and objectives. Without such alignment, the implementation of an AI governance policy could fail due to internal friction, resulting in limited adoption and an inability to effectively manage AI risks across the organization.
Management of third-party AI risks. Organizations also must address risks that stem from the use of externally developed AI tools. Incorporating these third-party AI risks into existing risk management strategies will separate companies that are successful in their approaches from those that aren’t.

Source: TechTarget.com

 


Risk management plays a crucial role in the corporate governance of public sector organisations. It involves building structures and mapping out processes that contribute to both strategic and operational success.

This article will provide a thorough explanation of what risk management in the public sector is, why it’s so important and highlight examples of potential challenges linked to public sector risk management.

What Is Public Sector Risk Management and Why Is It So Important?

Public sector organisations will always face different risks that could potentially impact their operation and reputation. These risks can be divided into areas such as financial, compliance, technological and political.

To effectively identify these risks and have suitable measures in place so that they cause minimal impact, public sector organisations should create a risk management strategy.

A dedicated risk management team should coordinate a strategy. Their role is to capture relevant risks at each organisational tier and monitor the completion of planned mitigating actions to decide whether to escalate the risk.

Change is one of the most critical elements of potential risk and the public sector is currently undergoing an era of significant change. This era of change has been accelerated by digital transformation, Brexit and the challenges caused by the pandemic.

Risk management enables public sector organisations to become more reactive to change and make better decisions on how they can operate more effectively in the future, ultimately leading to better citizen outcomes and improved internal efficiency.

However, there are several challenges linked to having an effective risk management strategy in place and public sector organisations must overcome these.

What Are the Associated Challenges Linked to Public Sector Risk Management?

The fast-changing landscape of the public sector can make it difficult for public sector organisations to mitigate risks both efficiently and effectively. However, there are some specific reasons why organisations might find the subject even more challenging than it needs to be:

Lack of Integration

Risk management should play a vital role in the overall strategy of any organisation. Its importance should be embedded into every department so they become more risk-aware when making decisions.

Many organisations find it challenging to integrate risk management into their operation at a departmental level. Instead, the risk management team becomes a silo, leading to poor communication and an abdication of responsibility from individuals.

A Misunderstanding of Risk Management

A lack of employee understanding of the purpose and relevance of risk management can also lead to challenges.

Some may just regard it as a compliance exercise without fully appreciating its importance to the organisation and how it can contribute to overall success. This leads to employees continuing to work using old approaches that can’t meet today’s expectations of minimising disruptions.

Instead, organisations need to gain buy-in from their employees during the initial stages of risk management implementation. This can be done by supporting them in embracing new technologies such as AI-driven threat analysis and orchestration.

Growing Privacy Concerns

The introduction of Data Protection (GDPR) has also presented risk management challenges for the public sector.

Data plays a crucial role in minimising risks in areas such as cybercrime and terrorism. However, data protection laws have made it much easier for organisations to breach privacy.

To overcome these challenges related to privacy, public sector organisations need to invest in updating their security solutions, which play a crucial role in managing data safely and using it to aid organisational decisions.

By Piers Kelly


What do we mean by a great risk culture?

Risk culture is the encouraged and acceptable behaviours, discussions, decisions and attitudes toward taking and managing risk within a business or organization.

A great risk culture binds the stakeholders, risk management framework and process together to reflect the values, strategic goals and practices and embed these into a business’ decision-making processes.

Organisational Culture

The overall organisational culture affects an individual’s values, beliefs, and attitudes towards risk. It’s helpful to employ the sociability vs solidarity model (Goffee and Jones, 1998), also called the “Double S” model, which considers culture with two dimensions:

  • sociability (people focus – based on how well people get on socially)
  • solidarity (task focus – based on goal orientation and team performance)

The model identifies four distinct organisational cultures:

  • Networked (high people focus, low task focus)
  • Communal (high people, high task)
  • Mercenary (low people, high task)
  • Fragmented (low people, low task)

Risk culture

Risk culture can be hard to understand because it covers an organisation’s ability to manage risk.

It may seem like a background concept, but business culture influences risk culture. Risk culture is a broad topic because it covers an organisation’s collective ability to manage risk. Still, the more general case of a business’s culture is also influenced by its risk culture, including:

  • Attitude – the way an individual or group perceives and deals with risk, influenced by perception, predisposition, and mindset
  • Behaviour – observable, risk-related actions, including risk-based decision-making, processes, communications, etc.
  • Culture – values, beliefs, knowledge and understanding of the risk a group shares with a common goal. In particular, it is the values, beliefs, knowledge, and understanding shared among leadership and employees

One of the many cultural issues is that people naturally head towards others who share the same culture. An organisation’s culture can self-propagate if recruitment processes and environment remain unchallenged.

Every organisation has a risk culture, or indeed cultures, and the question is whether that desired culture effectively supports or undermines an organisation’s long-term success.

What impacts an organisation’s risk culture

The right people

Behaviour

Behavioral risk management refers to controlling and mitigating employee and organizational behaviour risks. Individual risks are the behaviours of employees and leaders that could open the business up to risk.

Organizational behavior is collective behaviour and some of these behaviours could be too high a risk for the business.

Compliance

A robust regulatory compliance system within effective risk management will considerably impact a business. It will make it less likely to experience risk threat events and ethics violations.

Employees

From a health and safety viewpoint, employees have rights and responsibilities for their own and their colleagues’ well-being. Risk culture expands this to include risk associated with the business, ensuring the company culture reaches and maintains a healthy position.

Senior management involvement

The Board must make effective risk decisions about what they expect from the business. They need to communicate their attitude towards risk-taking and risk tolerance and explain the difference in impact between a successful and unsuccessful risk as measured by target metrics.

Governance

What is risk governance?

It’s the rules, methods, processes, and measures by which we make decisions about risk. It’s negative and positive because it analyses and formulates risk management strategies to avoid (threat) or achieve (opportunity) risks.

Accountability

Accountability is a term known to many but not appreciated for the value that it can bring to an organization’s long-term success, including safeguarding against irreversible damage and reputational risk. To make risk accountability practical, the business line must know the acceptable limits on risk-taking.

The accountable person must have the resources and authority to manage the risk.

Issues and escalation

Escalation is the progressive increase in the intensity or spread of risk.

A risk management system must have a process where an increasingly higher level of authorization is required to approve a continuous tolerance of increasingly higher levels of risk.

A contingency (plan) is designed to reduce the impact if a risk materializes. Consideration should be given to developing contingencies for threats and opportunities against the business risk attitude and risk tolerance.

Assessment and Evaluation

An excellent risk culture will improve risk management performance. Because risk culture often evolves as an organisation grows, it may make sense for organizations to self-assess, survey and use focus groups and other techniques to understand the current state of risk culture.

The tone of the organisation

The term tone is the combined impact of all stakeholders on risk management. Communication from the Board level will have little effect if the business employees and other stakeholders hear a different message from line managers, supervisory interaction and other contacts daily.

Information often gets distorted as it moves from one management level to another. There is always a greater possibility for contradictions in communication between team members at the organisation’s top, middle, and bottom. Equally, there is a risk of executive management being unaware of profound financial risks, operational risks and compliance risks that may be common knowledge to one or more middle managers and employees.

Physical mechanisms driving risk culture

It’s essential to think about the tone of an organisation and how tangible physical mechanisms can help control it. These mechanisms include a risk governance structure, corporate values, code of conduct and ethics statements, policies, procedures, risk oversight activities, incentive programs, risk assessment processes, risk indicator reporting, performance management reviews, reinforcement processes, etc. Companies and boards must examine various risks, including strategic, operational, financial, IT, etc. They must also consider the organisation’s appetite for risk, how the different risks can interact and how they are managed daily.

Internal attributes driving risk culture

These internal attributes include the attitudes, belief systems and values that drive the organisation’s behaviour, activities and decision-making.

They demand attention even though they are not as quickly seen and understood as physical, tangible mechanisms. For example, how a business handles risk management, control and audit often manifests in addressing weaknesses, escalating issues, and resolving problems. The method and timely nature, or not, in which such activities are carried out provide information regarding a business’s risk culture. So, too, does leadership’s reaction, or lack of, to warning signs offered by the risk management process.

External attributes driving risk culture

These external characteristics include regulatory requirements and expectations of customers, investors and others.

How an organisation seeks out these requirements and expectations and aligns business processes through actionable improvements reveals its resilience.

Subcultures that impact risk management

In response to a changing business environment, a subculture permits a business to be agile in solving problems, sharing knowledge, and serving customers.

However, subcultures can also lead to rogue actors and risk-taking behaviours that harm the organisation.

Relationship to the overall business culture

A positive risk culture does not operate in a vacuum. As previously mentioned, the business’s culture influences it in many ways. Many argue they are the same thing.

How to improve risk culture

As risk is about future uncertainty, it would seem logical that a desirable risk culture would position the business to be proactive and agile. It should quickly recognise a threat or opportunity and use that knowledge to evaluate its response.

Such a risk culture would give leadership and management a time advantage and better decision-making.

Another example of an attractive risk culture might be maintaining a healthy tension between the business’s activities for creating value and its activities for protecting value. Ideally, one activity must not be disproportionately stronger than the other activity.

Once the current risk culture is assessed, executive management should consider whether any organizational changes are needed and define the steps required to implement change.

In transitioning to the desired risk culture, management should try to achieve the following:

Strategies for Achieving the Desired Risk Culture

Embed the change in the organisation

Risk culture should be effected through a business’s overall risk governance process. For example, accountabilities for risk management should be reinforced through committee charters, policies, job descriptions, and limit structures. Procedures and escalation protocols can also support the desired cultural risk behaviour.

Make it a priority for all stakeholders

All stakeholders must support the positive and desired risk culture by demonstrating the desired behaviours through actions and decisions over time and periodically communicating the value contributed by the organisation’s risk culture.

Undertake an integrated approach to the change

If addressed as a stand-alone initiative, change programs with intermittent communication, awareness promotions, and training strategies are mere surface dressing and provide little in the way of a positive cultural change.

When integrated into a comprehensive program that aligns performance expectations, roles, responsibilities, and operational structures with appropriate risk attitude and tolerance, they reinforce the critical aspects of the desired risk culture.

Periodically evaluate progress

Regularly evaluate stakeholders during the change process. Before commencing, it is important to assess the business and understand the pitfalls to provide a baseline for the initiative. Some of the key strategic considerations before putting things in place are as follows:

  • Leadership support – Is leadership driving this initiative?
  • Ownership of the business’ risk management process – Who is responsible for risk management including the controlling and mitigating actions?
  • Effectiveness of risk management and governance processes – Have the strategies been proven effective?
  • Evidence of crucial business decisions taking risk and solvency into consideration – Consider the consequences of high-impact events and contingency plans
  • Quality of leadership discussions on risk issues and escalated matters – Are these discussions honest, open and transparent?
  • Is there a risk appetite statement and risk tolerances in decision-making? Do you measure how many risks were taken in the past year? How does this compare with how many were tolerated?
  • Is there alignment and incorporation of risk into strategic planning and direction – Is this aspect handled with care?

Every organisation is different. It is crucial to evaluate the business risk culture and make necessary adjustments to shape it over time in response to internal and external change. 

Conclusion

What should now be clear from the article is that any approach to changing risk culture must be carefully planned within the overall business strategy.

The recipe and mix of tools adopted within a business depend on the current situation. There is no perfect answer to how these elements are combined to address the risk culture and maturity of an organization. Several techniques can drive risk management adoption and embed a great risk culture.

Creating a strong risk culture that encourages honest, open and transparent disclosure of risks is an important starting point. What can be measured can be managed and, in many ways, is the first step in recognizing that risks are real and we need to take this on board. Accountability is critical in ensuring leadership acts upon this information and makes the most of these insights. These approaches can be reinforced by effective performance risk management.

It’s not about being risk-averse. Great risk culture also enables individuals to take suitable risks in an informed manner. However, as seen in the run-up to the financial services crisis of the late noughties, taking inappropriate and unsuitable actions can create immediate and systemic risk.

Finally, communication and training programmes are pivotal in reaching the broader organisation and stakeholders to raise general risk awareness. Clearly defined goals are required for these programmes to ensure they deliver benefits within the overall culture change programme. Goals imply that performance should be tracked over time, hence a move to developing risk culture dashboards.

Business leaders must recognise that changing to a great risk culture requires strong organisational change and risk management skills.

Published by: M.Salman Khan



In today’s dynamic business landscape, risk management has become critical for organizations seeking to navigate uncertainties and protect their interests. While implementing robust risk management frameworks and strategies is essential, organizations often overlook the role of risk culture in effectively managing risks. Risk culture encompasses the attitudes, beliefs, values, and behaviors regarding risk within an organization. A strong risk culture is instrumental in building resilience, enhancing decision-making processes, and ultimately driving sustainable growth. This article explores the significance of risk culture in effective risk management and provides insights into how organizations can cultivate and embed risk culture within their operations. 

Understanding Risk Culture 

Risk culture encompasses the collective mindset and behaviours surrounding risk within an organization. It defines how individuals perceive, assess, and respond to risks at all levels. A positive risk culture fosters a proactive and informed approach to risk management, encouraging employees to take ownership of risks and make sound risk-related decisions. On the other hand, a weak risk culture can lead to complacency, siloed decision-making, and an inadequate response to emerging risks. 

Importance of Risk Culture

  1. Improved Risk Identification and Assessment: A strong risk culture promotes an environment where risks are actively identified and assessed. Employees are encouraged to raise concerns, report incidents, and contribute to risk assessments. According to a study by the Institute of Risk Management (IRM), organizations with a strong risk culture are more likely to identify and address risks in a timely manner, reducing the likelihood of negative impacts.
  2. Enhanced Decision-Making: Risk culture influences decision-making processes by embedding risk considerations into everyday operations. When risk is embedded in decision-making, individuals at all levels consider potential risks and rewards before taking action. This leads to more informed, balanced, and resilient decision-making. A study by PwC found that organizations with strong risk cultures were more likely to make informed decisions based on risk-reward trade-offs, increasing their ability to achieve strategic objectives.
  3. Strengthened Risk Appetite and Tolerance: Risk culture plays a pivotal role in establishing an organization’s risk appetite and tolerance levels. A robust risk culture ensures that risk tolerance is clearly defined and communicated throughout the organization, enabling employees to make risk-related decisions aligned with the organization’s risk appetite. A survey conducted by Deloitte revealed that organizations with strong risk cultures were more likely to have well-defined risk appetite statements and effective risk governance structures. 

Cultivating a Strong Risk Culture

  1. Leadership Commitment: Building a strong risk culture begins with leadership commitment. Leaders must prioritize risk management and actively communicate its importance across the organization. By demonstrating a commitment to risk management, leaders set the tone for the entire organization and create an environment where risk management is embraced as a shared responsibility.
  2. Clear Roles and Responsibilities: Establishing clear roles and responsibilities related to risk management ensures that everyone understands their contribution to the organization’s risk culture. By defining accountability and encouraging cross-functional collaboration, organizations can foster a culture where risk management is integrated into various business functions and decision-making processes.
  3. Training and Awareness Programs: Providing comprehensive training and awareness programs on risk management can equip employees with the necessary knowledge and skills to identify, assess, and respond to risks effectively. These programs should emphasize the importance of risk management, educate employees on best practices, and highlight real-world examples of the impact of risk culture on organizational resilience.
  4. Effective Communication: Open and transparent communication channels are vital for cultivating a strong risk culture. Organizations should establish mechanisms to encourage employees to report risks, incidents, and near-misses without fear of retaliation. Regular communication on risk-related matters, such as sharing lessons learned from past incidents, can also contribute to building a risk-aware culture.

Conclusion

In an increasingly uncertain and complex business environment, organizations need to recognize the critical role of risk culture in effective risk management. Organizations can build resilience, enhance decision-making, and adapt to emerging risks by fostering a positive risk culture. Leadership commitment, clear roles and responsibilities, training programs, and effective communication are key elements in cultivating a strong risk culture. By embedding risk considerations into their organizational DNA, organizations can confidently navigate uncertainties, protecting their interests and driving sustainable growth. 




Economic cycles are nothing new. Business leaders have constantly had to deal with things like unstable job markets, supply chain constraints, and cost changes. Concerns about a potential period of weak economic growth are, however, justified. The two most important factors are how long it will last and how much damage it will cause.

Although no one can see into a crystal ball, there are some concerning signs that should not be ignored. Nigerian businesses in 2023, for instance, will continue to cope with several vulnerabilities, including:

  • A high-cost environment.
  • Challenges with the retention of talent with the increasing demand for migrant workers in the United Kingdom, Canada, and other developed economies. This is without prejudice to the rising cost of living in the aforementioned countries. 
  • Post-election political risks 

It would be short-sighted for business leaders not to prepare for some kind of economic slowdown when you consider this along with the frail global forecasts and the pandemic’s ongoing effects.

Despite the doom and gloom, businesses can take practical actions to lessen the effects of economic slowdowns. Instead of worrying about potential future events, this is the ideal time to check that your organization has the necessary systems in place to not only weather storms but to thrive in them. How? 

Pay Attention to your Business Relationships

Customer relationships are crucial regardless of the economy’s outlook, but they can become even more important during hard times. Understanding how the economy impacts your customers’ businesses is essential, and it’s also a great chance to figure out how to help them and add even more value.

Partner relationships can also be very important. Strong partnerships can help to stabilize or even increase revenue streams because they share the burden of acquiring new business, even though this may result in slightly smaller overall revenue pie slices.   

Diversifying your customer base is essential. When the economy is struggling, it’s crucial to evaluate your customer base and determine whether your business is overly dependent on a small number of significant clients. If that’s the case, think about how you can diversify your customer base and invest in forming new connections. Be cautious when adding new customers because you will want to make sure you can still provide excellent customer service. When every business is vying for a small pool of customer dollars, this differentiation becomes particularly crucial.

Motivate your Talent

Taking care of your team should always be a priority, especially when the economy is weak, as we frequently mention here at H. Pierson. When there is talk of a recession or weak growth, employees are concerned about their own finances and layoffs are a real possibility. It’s not simple to find talented, strong candidates, as we’ve seen over the past few years. 

Consider innovative ways to reduce costs without laying off your talent. Rather than making the decision to shrink your team right away, see where else you can cut costs, such as overtime or some nice-to-have but unnecessary perks. Can you offer employees a day off each week in exchange for lower pay? Or can the team collectively agree to a pay cut that ensures everyone keeps their jobs?

Increase your Firm’s Agility

In order to become more agile, your business may need to invest in itself or increase spending in some areas. In a struggling economy, this may seem counterintuitive, but you might discover that enhancing technological or organizational systems results in longer-term resource utilization. As well as allowing for the introduction of new goods and services, it may also permit the diversification of income sources. 

Any department in your organization could benefit from agility. You can change how you interact with customers and assist them in discovering new value in the goods and services you provide by using agile marketing. Agile development may entail freeing up unused resources to give your team more time and freedom to think creatively and make the best use of their collective talents. Your human resources department’s agility may take the form of job-sharing arrangements to better utilize strengths and tap into your talent pool or cross-training staff to take on new responsibilities. 

We are aware that not all organizations can implement these ideas, and that there are times when difficult choices must be made. Transparency is key in those situations. Be clear about the needs and objectives of the business and try your best to make decisions for your employees with respect and gratitude. Take into account the significance of every position within your company as well as the effects on those left behind when positions are eliminated. Show that you have a plan in place to guarantee a fair and enjoyable working environment, even if the size of the team needs to change. 

When times are tough economically, having the right strategy and the insights required for effective strategy execution is mission-critical. Reach out at strategy@hpierson.com and let us guide you through a free consultation to determine how your company can best develop a plan to remain strategy-protected both now and into the future.

H. Pierson Advisory Team


Artificial Intelligence (AI) and machine learning have proven beneficial to businesses across several industries. Artificial intelligence is the ability of computer-controlled robots or digital computers to perform tasks commonly associated with intelligent beings. Machine learning (ML) is a subset of artificial intelligence (AI) that concentrates on building systems that improve performance based on behavioural patterns and data (Oracle, 2022).

The ability of AI to rationalize and take the best possible actions in the direction of a desired goal or expected result(s) is its ideal feature. Artificial intelligence includes expert systems, speech recognition, natural language processing (NLP) and machine vision.

Artificial Intelligence and its Business Process Effects

A report by SEMRush (2021) predicted that the surge of AI usage by businesses would create about $2.9 trillion of business value and over 6.2 billion hours of workers’ productivity, with a high impact of enhancing the overall competence of human workers by 2025. This implies that despite a reduction in the number of the total workforce due to AI, the newer jobs that will be created will produce more wealth for businesses and economies that adapt to it. By deploying AI technology, you can position your processes to:

  • Avoid mistakes prone to human errors
  • Grow expertise through reliance on very accurate analysis
  • Increase productivity and operational efficiency
  • Increase revenue by identifying and maximising opportunities
  • Make faster business decisions based on cognitive tools
  • Save time and money by automating and optimizing routine processes
  • Predict customer preferences and offer more personalized options

Artificial Intelligence as a Corporate Advantage

AI is gradually changing the traditional approach to business management. AI and machine learning have substantially helped businesses speed up decision-making. They have helped to mitigate risks, provide better information security, and enable businesses to offer customised services to their consumers.

Also, AI is distinctively capable of analyzing massive amounts of data for cyber security purposes, as well as more precise, efficient, and effective risk management. Major benefits of applying artificial intelligence to corporate institutions include:

  1. Fraud Detection

Financial institutions such as banks and fintech firms usually need complex and sophisticated analysis processes to detect potential fraud. Relying on humans for this is painstaking and carries a very high possibility of errors, which may in turn have substantial knock-on effects. As a result, machine technologies have proven to be the best for such rigorous tasks.

 

  2. Threat Analysis and Management

AI technologies are capable of analyzing vast amounts of data and user details from several sources. This allows for real-time prediction models to be created, enabling security teams and risk management experts to promptly anticipate and combat imminent threats.

Furthermore, these tools can be used to develop improved systems that give early warning signals whilst ensuring that the business runs continuously and smoothly without interruptions due to threats.

  3. Data Classification

At the core of AI proficiency is the handling of data, big or small, in a very fast and efficient manner. This is one of the reasons why there are no limits to the businesses that can use AI. These technologies are very good at processing and classifying data based on business patterns and categories. In addition, they can monitor and protect access, thereby ensuring data security.

Locking into the Future with AI

As technology evolves and digitalization gains relevance in different industries, the adaptation of businesses to AI is imperative to remain competitive, relevant and efficient. AI is not just a perk, but a necessity.

While AI tools have taken the place of manual functions and human duties, businesses should strive to adapt rapidly to new ideas. Even though business goals are of strategic focus, an open mindset should be maintained towards corporate growth and likely areas for skilled talent should be gradually enabled towards the overall adoption of artificial intelligence.

References:

https://www.semrush.com/blog/artificial-intelligence-stats/#header3

https://www.oracle.com/ng/artificial-intelligence/machine-learning/what-is-machine-learning/


In the past few years, the world, driven by Covid-19, has pivoted in ways most of us could not have predicted. On the back of that, companies are embarking on a series of transformation programmes, particularly to become more digitally mature as well as more sustainable on the triple bottom line of people, planet and profit.

However, doing business in today’s volatile climate is itself a tall order as companies have to juggle a vast network of evolving risks – internal, external and existential – with greater complexity and inter-connectedness than ever before. Managing large-scale transformations during these times will bring further uncertainty and raise the risk levels, but the opportunity to implement long-term sustainable change is one that companies cannot afford to ignore.

Therefore, it is no surprise that there has been a renewed focus on managing risks in the boardroom. In the ICDM 2022 ASEAN Board Trends Survey, we found that ASEAN boards are looking to elevate their oversight capabilities in risk, with the risk management committee (54%) emerging as the top board role requiring improvement in 2022.

From Passive to Proactive

In many organisations, there has been a tendency to deal with risk passively, regarding it as a compliance-oriented matter and conflating risk with finance and audit. This often results in missed opportunities in identifying areas of growth alongside the required levels of oversight to deliver breakthrough performance.

Instead, companies should develop a greater capacity to think of risk as being a proactive way of understanding uncertainty and the factors that can positively impact strategic outcomes. There is also a need to reframe the perception of risk from “something to be avoided” to “something to be explored”. After all, risk is embedded in the organisation’s pursuit of success.

 

A passive risk culture hinders transformative initiatives as it does not promote either innovation or the environment for new ideas, let alone providing the supportive culture necessary to facilitate an open dialogue on risk and opportunity, which ultimately drives success. A passive risk culture focuses on short-term mitigation plans which are often reactive in nature, rather than more robust, proactive and value-creating risk responses.

Amidst extensive programmes to drive innovation, digitalisation and sustainability, the risk management strategy should be refreshed in tandem with the aspirations for resilience and long-term growth. That means moving away from a controls-oriented risk approach and towards one that is dynamic and forward-looking. A forward-looking risk culture, and the tone necessary to ensure that the right risk culture is perpetuated, are driven by an organisation’s leadership.

While risk culture can be challenging for many organisations, it can be defined through ten dimensions across four key areas: acknowledgement, responsiveness, transparency and respect, as outlined in Exhibit 1.

Exhibit 1:

Risk policies, procedures, and systems, regardless of how well-crafted and sophisticated, are only as good as the people responsible for executing them. Their mindsets, practices and behaviours will make or break the risk management strategy.

As part of the boards’ risk oversight duty, it is worthwhile for directors to allocate time and energy to create conditions that engender the desired risk culture. Here are five thoughtful actions boards can take to set the tone for a robust, forward-looking risk culture.

1. Align risk with strategy

Building a strategically focussed, proactive enterprise risk management mindset starting at the top

As the first step to transition from a controls-oriented approach to a proactive enterprise risk management mindset, boards should look at strategy development from the perspective of risk and opportunity management. For example, if a retail company’s vision is to be environmentally sustainable, its strategy development should include a consideration of potential scenarios, threats and opportunities, ranging from stakeholder expectations to regulatory requirements, and from tech disruptions to the environmental, social and governance (ESG) factors. Such an exercise brings greater insight and offers clearer direction. By understanding the gaps, strengths and weaknesses of the company, the board and management can arrive at a strategy that is far more purposeful and impactful, and that acts as an enabler in making the desired transformation happen.

Upon settling on a strategy, aligning risk with the execution of the strategy from the outset at the board level also allows companies to explicitly pinpoint the critical risks that would influence outcomes. For instance, if the strategy for the above-mentioned retail company is to digitalise and venture into the e-commerce space, it would have to consider risks in data privacy, cybersecurity, logistics, customer experience, the carbon footprint associated with packaging and delivery, as well as human capital. And let’s not forget the project-related risks associated with the development and implementation of new processes, systems and people needed to deliver the expected outcomes. Greater awareness of these risks increases agility and responsiveness by providing greater foresight in mitigating potential threats and capturing emerging opportunities, thus offering the retail company a smoother market entry and a better chance to get ahead and benefit from the upsides.

In a nutshell, building a proactive risk culture is the very foundation of successfully aligning risk and strategy, which in turn influences behaviours and performance.

 

2. Find clarity in diversity

Diversity plays a critical role in shaping the board and the organisation’s attitudes towards risk

Humans are at the core of risk oversight and management. Directors’ personal predispositions will influence boardroom discussions on risk. Board diversity, therefore, plays a critical role in forming the board and the organisation’s attitudes towards risk as imbalanced boards are more likely to have a distorted view of risk. Based on our observation, many boards today lack the diversity of thought, experience and skills to perpetuate deep discussions on risk.

Research shows greater board diversity fosters more efficient risk-taking, and organisations with diverse board members invest persistently more in research and development (R&D) and have more efficient innovation processes. This truly emphasises the importance of having a balanced board composition. For example, members with a legal background will have a very different perspective on risk from members who are entrepreneurs or members who used to be diplomats. By coming together, they form a more holistic risk perspective that will give the company a better chance of achieving sustainable performance.

Moreover, risk should not be treated in isolation, nor should it fall on just one director with “risk expertise” to act as the sole stakeholder and authority on risk. It requires diversity of experience, thought and seniority, all contributing their collective wisdom as a board to ensure the culture is cultivated right across all functions, departments, geographies, as well as with stakeholders including joint venture partners and the supply chain (extended enterprise).

3. Adopt networked thinking

Making sense of the growing interconnectedness of risks to build greater risk awareness

In an increasingly interconnected world, risks do not exist in isolation. Like humans, they form interdependent, complex networks. Events and technological advances have often been viewed in isolation when in fact many of the events, changes and innovations taking place elsewhere or in other industries can, and usually do, have an impact on organisations on a more global basis. 

Instant noodle manufacturers in China saw a drastic decline in sales between 2013 and 2016. Among the key unexpected contributors to the drop were the explosive growth of China’s high-speed railway networks and the rise of instant food delivery.

Networked thinking provides organisations with an opportunity to develop a broader understanding of how external market forces can impact the business, be it supply chain, resources management or even reputation. Being able to make sense of the interconnected nature of risk forms the baseline for organisational resilience.

4. Empower everyone to take action

Drive risk collaboration by encouraging open communication and risk-informed decision-making across all business units

Creating an environment where conversations on risk are encouraged is an important first step. A risk-aware culture where employees feel safe to speak up and take action will be extremely beneficial in providing early warning and enabling speedy response to crises.

An excellent example can be seen in the oil & gas sector. Employees are encouraged to act if they see or even suspect something hazardous is likely to occur. They do so with the knowledge that there will be no adverse repercussions for taking action even if it means ceasing operations with a loss of production and revenue, despite the pressure to achieve performance targets. 

Contrast this with the practice of days past when taking such action usually resulted in recriminations and retaliation from managers and peers. Interestingly, we saw a far greater number of major incidents and disasters happening when the culture did not support a risk-aware approach and did not empower people to proactively take action to manage risk.

5. Allow room for failures

Making risk less personal and incentivising smart risk-taking to capture growth opportunities across all business units

Executives and managers in large corporations are often discouraged from proposing or advocating for out-of-the-box but risky projects despite knowing that they could be good for the company. This can largely be attributed to fear of jeopardising their careers should the projects fail. Allowing room for failures through a test-and-learn approach can greatly reduce risk aversion amongst the workforce and enhance the company’s ability to capture and successfully exploit growth opportunities.

This requires the board to clearly define the risk appetite and communicate the mindset and behaviours expected in the day-to-day decision-making process. One crucial practice to consider is the use of scenarios, decision trees or other methods to map out likely outcomes – both positive and negative outcomes – bringing greater clarity along with the ability to better track and measure risks and outcomes, before deciding to embark on a project. Even if the project fails, it is not done in vain as companies can derive from it lessons learned that can be applied for future endeavours.

Exhibit 2:

Risk management is a perennial feature in business. However, as the business landscape evolves, the risk management approach must also evolve to meet the growing need for change and adaptability. Having a proactive risk culture to support the risk frameworks and processes will give your transformation initiatives a better chance of success. The impact of the tone from the top cannot be overstated, and boards must first exemplify the risk culture they want the organisation to adopt by setting the tone and living the values. But to get there, boards need to have honest conversations on risk and risk-taking.

Does Your Company Have a Proactive Risk Culture?

Culture in an organisation can be defined as “how things get done around here” and risk culture is a subset of organisational culture. Risk culture is about how risk is viewed, dealt with, and how well understood it is. Here is a checklist the board can use to determine the company’s current state of risk culture.

  1. Are the company’s risks aligned with the strategies?
  2. Do we have a clearly defined risk appetite?
  3. How well understood is risk and risk management?
  4. Does everyone understand their role in managing risk?
  5. Is risk embedded in the day-to-day decision-making and execution?
  6. Are our reward structures such that we reward taking action to proactively manage risks?
  7. Does the workplace encourage people to speak up?
  8. Do we have a test-and-learn mindset and room to learn from failure?

Reference

Lim, M. K., & Griffiths, G. (2022). Your transformation initiatives might be impeded by a passive risk culture. Malaysia. Retrieved from www.bursamalaysia.com
