Creating a resilience think tank, measuring risk effectiveness and risk culture indicators are just some of the key risk management discussion points of 2020 – read on to find out more
As 2020 comes to an end, we’ve rounded up the key discussion points and lessons learnt from the network.
It was a tough task. Over the course of 2020, we have held countless private meetings and roundtables, conducted hundreds of risk manager interviews, written numerous Intelligence case studies, shared varying tools and templates, and more.
So, how do you distill all of this in a blog of a few hundred words? You can’t without compromising the quality and value of our members’ collective insights.
And so, I heavily caveat this end-of-year blog with this: what’s detailed below is only a bird’s eye view of a small selection of themes – the real gems and hard details are held in the Intelligence platform, explored further in our member meetings and private messaging app.
So, in no particular order, here are a handful of 2020’s highlights…
1. Launch a resilience think tank – or join ours!
You cannot ignore the upheaval caused by COVID-19 – its impact will be felt for many years to come. Members were hot on the case: response and recovery plans were shared with peers across the network, including business continuity frameworks, escalation plans and ideas for creating recovery plans in phases.
Conversation is now focused on how to practically create long-term business resilience and the first step, as advised by members, is to create an internal think tank on resilience.
Here are some questions to explore:
- How will the repercussions of COVID-19 be further compounded by:
  - The growing divide between the rich and the poor, and the consequences this is already having on civil unrest?
  - Pending climate change and the need for macro structural change?
  - Automation and technology impacting jobs?
- Does this mean we are now officially in a world of increasing disruption compared to anything we have previously experienced in our generation?
- What impact could this have on your organisation?
- Is your current risk and resilience approach ready for this, or does it need to change?
- How can you make this change?
- Is this already part of your strategic roadmap, or do you think it should be?
- How, in practice, do we grease the wheels between risk, crisis, health and safety, and business continuity management to get resilience to work?
- How do you capture opportunities in your resilience framework?
In fact, we will be launching and hosting a forum on resilience. To qualify for the forum, you’ll need to be a practising risk manager and a member of Risk Leadership Network. To enquire about membership, click here.
2. Take the ‘3 As’ to measuring risk management effectiveness
The CRO for a large telecommunications company recently shared their framework for measuring risk effectiveness. The backbone of the plan is made up of 3As:
- Accountability – is your risk and control ownership clear?
- Appetite – have we agreed our risk appetite and do we have good indicators to measure where we are vs appetite?
- Action – do we have risk management actions that get/keep us inside appetite and are they working?
There will be more on measuring risk management effectiveness in 2021 in our risk effectiveness benchmarking study. The study is designed to help members measure the impact and effectiveness of risk programmes, rather than their completeness. Stay tuned!
3. Introduce risk culture indicators
Culture remains a focal discussion point, but how do you measure and track it? Our network has reviewed some of the risk culture indicators to consider, including:
- Knowledge: the extent to which employees understand the company’s risk appetite and principal risks and how they can affect the company
- Accountability and risk ownership: how well do risk owners understand their role and responsibilities?
- Processes: the extent to which risk monitoring and identification, among other risk processes, are formalised and incorporated within policies and procedures
More detail is provided in our member-only Intelligence platform.
4. Operationalise your risk appetite
There are several approaches to ‘operationalising’ your risk appetite statement. Here are a few things that some of our members have done:
- Ask, 'how are we really protecting?'
- Take into account your conservative stance
- Design qualitative statements
- Determine the metrics – group level
- Determine the metrics – division level
- Determine the thresholds
- Break down strategic and operational risks
- Distinguish between 'appetite' and 'tolerance'
- Run risk and internal audit in parallel
- Establish risk categories and subcategories
- Get the governance right
Full case studies have been written about these approaches, supported by real-life templates that our members have created and implemented.
And we’ve just launched our global risk appetite benchmarking report. The report provides a good opportunity to compare and contrast your risk appetite framework against 8 effective approaches that we’ve identified through extensive interviews with senior members and chief risk officers.
These are supported by a global survey which provides a ‘state of play’ analysis with regards to risk appetite and the varying attitudes and approaches across the globe.
More detail can be found here.
5. Categorise your controls
How do you ensure your controls are effective? This was one of many questions that members explored in one of our member-only meetings. Here’s one tip: categorise your controls in these groups:
- Directly affect business performance
- Enable these direct controls
- Measure, check or verify control and process performance
Critical controls and enablers would have management and verification regimes, while critical checks would introduce ‘go’ or ‘no go’ parameters and stop work decision points.
Find out more in this blog.
6. Do these 4 things to optimise your risk reporting
- Most boards like it to the point: know your board members and their knowledge of, and level of interest in, risk-related matters.
- Mitigate the need for detail: having pre-meetings with board members who like detail can help you mitigate the effect of their influence.
- Focus on KRIs: a risk report focused on high-level aggregated KRIs and appetite can give the board a better view of which risks and opportunities the company should focus on right now.
- Include emerging risks
...and in 2021
We’ll be exploring all of the above in much more detail and more. Here are three things to keep your eyes peeled for:
- Scenario planning and scenario modelling: live virtual demonstrations
- Horizon scanning and emerging risks: members will be sharing their tried-and-tested frameworks
- Climate risk, TCFD, environmental sustainability and ESG: A structured programme of virtual meetings is being developed in each of these areas.