The Risk Management Journey

Posted On 15 Apr 2018

There’s no crystal ball that will magically outline opportunities, map risks and provide a distinct and unobstructed path to success. Nonetheless, as Steve Schlarman observes, there are specific stages that organisations can expect to move through when building an integrated risk management programme.

Broadly speaking, there are three distinct stages of risk management maturity: siloed, managed and advanced. Before a business can start to move through its own risk management journey, it must first work out at which of the three stages it currently resides.

Siloed risk

The most common and most basic form of risk management is to tackle each individual element within a vacuum or silo. Many organisations can become stuck in the most elementary risk and compliance approaches, with narrow strategies that lack the context of wider business objectives and priorities. This strategy relies on front line employees being in a constant firefighting mode and can be effective up to a point.

However, with the focus typically on compliance and tactical risks, the organisation cannot see beyond the immediate issue. Risk managers are hunkered down in the trenches with little forward movement, relying on old-fashioned approaches that may see the job done, but will never truly enable them to keep pace in today’s market.

These organisations need to prioritise beyond immediate compliance deadlines and start addressing regulatory and industry requirements in the most efficient and effective manner. This requires automating compliance and building a cohesive strategy to deal with the ‘table stakes’ of doing business. Compliance obligations need to be tackled, but with an eye towards the future.

Building more silos at this point is futile. Risk and compliance functions need to focus on where data and processes can be leveraged, re-used and shared and where the limitations of niche, operational tools can be overcome. By transforming compliance, companies can actively pave the way forward to the next stage in their risk management journey.

Managed risk

Companies that have moved beyond the silo and made steps to transform compliance will have common policies, standards and controls, an effective control infrastructure and efficient methods to measure, monitor and report the business’ compliance state. Companies in this stage have solved – or are well on their way towards solving – the compliance conundrum and are poised to harness risk.

These organisations need to become aware of the various risks they’re juggling and put plans in place to manage these risks within the context of a broader strategy. A key factor in this evolution is addressing both cyber/technical risk and business risk with a combined strategy. The business needs to understand the risks in its technology landscape, while technologists must be active participants in addressing business risk.

The risk programme should be focused on affording the business the insight to navigate major issues. This process is being fuelled more and more by metrics and analytical capabilities that provide visibility into risk.

Companies in the managed stage begin building the bigger picture, shoring up strong competencies and bringing weaker elements up to a stable state. As the business risk management programme matures, effort begins shifting from compliance as the key driver to focus more on risk. The organisation eventually reaches a point whereby the business objectives take the lead and the company is then poised to move to the next stage.

Advanced management

When the organisation has mapped out and conquered the risk landscape, it’s time to begin exploring the opportunity landscape. The organisation is now ready to realise the competitive advantages of harnessing risk: beating competitors to market, launching new products and services with calculated efficiencies and avoiding major issues that can affect reputation and the bottom line.

The organisation has turned the corner from managing unrewarded risk to benefiting from rewarded risk. Companies in this situation understand that risk and reward are intrinsically linked and are ready to focus on the latter having already conquered the former. How, though, does a business actually go about reaching this promised land?

Any journey through the three stages of risk maturity will depend on many things. There’s no single path to improving risk management in an organisation. Organisational complexities, cultural differences, market factors, business changes, leadership shifts, technology strategies and other variables will all impact the journey. While there isn’t a ‘typical’ journey, then, there are generally four phases involved: the incline of improvement, the dip of determination, the ramp of Return on Investment and the terrain of transformation.

The majority of organisations begin their risk journey by focusing on individual and tactical needs. Defined by the organisation’s business priorities, these use cases should build a foundation and begin demonstrating quick wins. This can be called the incline of improvement as the organisation moves up the maturity scale. The business will start seeing some efficiencies immediately, including a reduction in the time and effort needed to meet risk management requirements, improved reporting around those use cases, some data sharing and other indicators of improvement.

A key turning point for many organisations is a stronger commitment from senior leadership to a more enterprise-level approach. While the initial implementation may be sponsored by senior leadership, as organisations progress up the ‘incline’, at some point the wins start adding up. Executive management sees the value in the effort expended and issues a mandate to break down silos, consolidate platforms, establish common taxonomy and assessment approaches and streamline reporting, etc. This is a big step forward as it gathers more resources and momentum for the risk management programme itself.

However, most organisations will witness a dip as processes take one step backward in order to take two steps forward. This ‘dip of determination’ is a positive step, as it sets up a stronger programme, but the organisation must keep its focus. As it does so, some processes may need to change in order to break down organisational barriers (the step backward) before the programme can move on to the next phase (the two steps forward): the ramp of Return on Investment.

Inflection point

At this point, organisations are in the managed state of maturity and really starting to connect the dots. It’s important to keep momentum going in order to ascend that ramp.

Somewhere along this ramp there’s an important inflection point. As the risk programme matures, the goal is to take the next step towards addressing new and changing business activities (ie those growth activities that are fuelling the business). Organisations are seeking to reach the ‘terrain of transformation’ whereby risk management is part of the culture.

At this phase, the discussion is around business opportunities and the organisation reaches the advanced stage of maturity. Once an organisation reaches this terrain, there must be constant and continuous measurement of the risk management programme. The organisation cannot be lulled into a false sense of security since the business constantly changes. The good news is that organisations attaining this level of maturity generally have a good sense of how to ride through the waves of change and adjust themselves accordingly.

It’s also vital that organisations are prepared for challenges and disruptions. For instance, anywhere along this journey a ‘paused programme’ can lead to a downward spiral. This could be triggered by several different factors. Many times, the loss of a programme champion, a lack of resources or a general lack of progress (programme wins or demonstrated value) can serve to derail the strategic plan.

Imperative to demonstrate progress

If the programme pauses, it will lose momentum and could end up dissolving to the point where it has to be reformulated and re-established. The process then starts over as the organisation goes back through the phases. Given how important risk management is today, it’s imperative to show progress and keep the risk management programme on track.

While the risk management journey is rarely straightforward, organisations need not travel alone. There are numerous services and partners who can assist in carrying a company throughout the process, helping it to make faster and more informed decisions about risk.

Steve Schlarman is GRC Strategist at RSA

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.