When risks intersect, it can amp up the impact on your business. Working out these potential connections in advance can enhance decision making and build organisational resilience.
Risk management frameworks and processes are typically organised around individual risks and risk owners. In reality, these risks and relationships often intersect.
For example, an external risk event like the Covid-19 pandemic has an impact throughout an organisation, sometimes in hundreds of different ways - from the need to safeguard employees and customers to having to navigate work-from-home restrictions and overcome supply chain breakdowns.
Internal risks can cause similar ripples. If an organisation throws weight behind a series of product launches, for example, it will have a big impact on available bandwidth for other activities in different parts of the business.
Some risk executives question whether there is any need – or major benefit – to connect risks in this way. But a discussion on this topic in one of our recent member meetings highlighted some of the advantages that can arise from making these connections.
Below is an excerpt from that debate, while the full meeting write-up and experiences of risk leaders working on risk interconnectivity can be found on our Intelligence platform.
- Getting on the same page: Executives often talk in clusters of risks anyway - think environment and sustainability or legal and regulatory. If the rest of the organisation can be convinced to do the same, these connections can be formalised. This will help everyone to see and understand the organisation’s full risk picture. It will also contribute to embedding risk discussions within day-to-day activities.
- Building organisational resilience: Establishing this kind of interconnectivity between risks that need to be managed should help boost organisational resilience because it will enable better scenario planning, testing, and improvements. You want to avoid the danger, however, of over-complicating things.
- Delivering better insights: Embarking on a strategy to map your company’s risk connectivity could provide you with the means for more insightful reporting than a traditional heat map with associated KRIs. It’s important, though, to present these findings in an enticing way that isn’t going to confuse or scare off management.
Taking the first steps . . .
Finding a way to establish more formal connections, and to monitor and react to risks, requires input from a range of stakeholders. These employees and teams will require space to meet, discuss and ask questions about risk. Risk managers can facilitate these discussions and learn from them - using the insights gained to build a better, more interconnected risk picture for the organisation.
A lack of understanding around risk interconnectivity can lead to a lack of accountability and transparency: you want the business to be clear on who the risk owners are and who is responsible for mitigating transversal risks. Interconnectivity also gives you the means to spot gaps in risk management controls.
. . . And the next steps
The process shouldn’t end with the identification of the connections. Work out how to properly visualise the results of this discussion: show how your organisation’s risks connect. This is key for reporting purposes and could produce a more nuanced, intuitive tool for executives to use than a standard heat map.