As the risk landscape continues to evolve and threaten the stability, survival, value-creation processes and performance of the business, the board and management team must move from reactive to proactive risk management.
The business environment is changing at an unprecedented pace. The huge transformational shifts taking place within the economic, environmental, geopolitical, societal and technological realms are not only presenting opportunities for success and growth; because of their interconnectedness, they are also posing systemic risks.
It is therefore imperative that boards and the management team clearly understand the impact of these emerging risks on governance, strategy execution and business performance. They must be able to proactively identify, assess, evaluate, manage and monitor enterprise risks, and this can be achieved by creating a dynamic ERM model capable of delivering critical insights about the business’s risk landscape.
Building an effective dynamic ERM model should form part of the board and management’s critical strategic initiatives if effective risk assessment and governance are to be achieved. Here, "dynamic" refers to an ERM model that is responsive to the changing environment. Building a dynamic ERM model helps define, assess and measure the potential negative impacts of interconnected global risks threatening the organization’s value creation and preservation processes.
Thus, to manage enterprise risks effectively and build resilience to their impacts, it is critical that the board and its executives lead this mandate. Apart from showing their involvement in ERM in word, they must also act and behave according to their word; otherwise little or no buy-in will take place.
Building a resilient and effective ERM model must be data driven because what you do not know can actually harm you. This is where technology, in particular business analytics, comes in. The predictive and analytical nature of these tools can help management gain critical insights about risks and in turn improve strategic, operational and tactical decision making. Making use of data to help build an enterprise’s risk model also helps determine the most effective way of evaluating risks in the future.
Although building this dynamic risk model involves looking at historical data, which in this context is reactive, historical data is critical for establishing a baseline for effective forward-looking risk identification, assessment and evaluation. Unfortunately, many boards and management teams still rely on subjective risk assessments despite the availability of huge amounts of data that they can obtain, analyze and interpret to improve risk management decision making. Basing decisions on gut feel often makes it difficult to predict the future with a certain degree of accuracy.
When building a dynamic ERM model, and in turn moving from a reactive to a proactive risk management approach, it is important to remember that not every piece of internal and external data in your hands can be used. You need to comprehend the critical role data plays when performing risk assessments and defining the organization’s ERM strategy, risk appetite and risk tolerance levels. Using the wrong type of data for risk assessment will lead you to incorrectly interpret risks and their impact, which can cost you heavily.
When you are performing risk assessments and evaluation, in addition to the data being raw, it is also important that the data you are using focuses on the critical outcomes of the business. Non-achievement of a desired outcome means there is some risk involved which needs addressing.
Redefining the way the organization measures success or failure also helps to move from reactive to proactive risk management. This means that management must be able to clearly distinguish between KRIs and KPIs. Most companies make the mistake of measuring KPIs that are output focused and easy to manipulate. The problem with this approach is that the measurement of outputs often does not help identify risk that may already be present or that could negatively impact the organization.
On the other hand, KRIs provide the basis and foundation for a sound, objectively based ERM environment. If the KRIs derived are to be accurate and reliable for proactive risk management, then the organization as a whole must strive for data integrity. If the data lacks integrity and its source cannot be verified or relied upon, that same data should never be used for evaluating risks and reporting key results.
In conclusion, moving from reactive to proactive risk management and building a responsive ERM model requires discipline and patience. Doing it will ensure that effective governance is achieved, strategy is executed and overall business performance is improved.