ERM and the Six Degrees of Separation Theory
Steven Minsky | June 28, 2012
Effective governance requires changes in the way risks are managed across “stove-pipes” or “business silos”. More often than not, when a loss event occurs it becomes clear after the fact that different silos were each holding a piece of the risk puzzle, but no one was in a position to put the pieces together. So the problem is: how do you identify a risk before it becomes a loss?
Many risk managers are so bogged down by loss event capture and incident management that focusing on preventing loss events and identifying emerging risks, rather than tracking down why past events happened, seems like a far-off goal.
Some people think of emerging risk as something “out there”: possible scenarios that you sit around and brainstorm about. In practice, emerging risk arises whenever information is collected independently in silos. That fragmentation makes it difficult for risk managers to foresee when the right combination of seemingly disparate, but actually related, current activities will cause a loss event.
Most, if not all, important goals simply cannot be achieved within a single silo, because in one way or another everything and everyone throughout your organization is connected through a network of relationships. If you haven’t heard the theory, “six degrees of separation” refers to the idea that everyone is on average approximately six steps away, by way of their relationships with each other, from any other person on Earth, so that a chain of “a friend of a friend” statements can be made, on average, to connect any two people in six steps or fewer. The same is true inside a corporation. Because there is a multitude of interactions between people, processes, customers and systems, the connection between a cause, its effect, and the goals of the organization is elusive.
The breakthrough enabled by ERM software technology is the ability to see across these relationships and use them to gain an order-of-magnitude increase in productivity, reducing work that might normally take five months down to just a few weeks.
Consider everything that has to be understood at once: the relationships between all the control activities and the internal and vendor resources involved in what we do every day; how we are connected to others and to their activities and resources; the risk, performance and compliance consequences of all of those activities and resources; and where existing issues (meaning red flags or potential loss events) lie and overlap. That is incredibly complex, which is why we sometimes feel we are in meetings all day discussing post mortems of loss events that have already happened, rather than identifying emerging risks.
Potential loss events (let’s call these “issues”, as they have not happened yet) are raised all the time by Internal Audit, managers and employees. The problem is that there are too many of them, so it is hard to know which ones to invest resources in until they become loss events. In many cases it is hard to make the business case for an uncertain proactive measure when it is weighed against the certainty of profit. A risk management approach differs from a compliance approach in that it seeks to find how an activity can be done with the least risk, rather than giving a yes/no answer on whether the activity may be done at all under regulatory or internal compliance standards.
The fact that risk, performance, compliance, control and testing information is gathered in various spreadsheets, Word documents and isolated systems throughout the organization, using different methods and tools, makes it hard even to locate this information, let alone compare and aggregate it. A risk management approach recognizes that standardized risk assessments, meaning ones conducted against an enterprise-wide set of criteria, provide an objective, common means for prioritizing the most important control and test activities across business silos and for allocating resources accordingly.
Organizations need to build a robust risk management framework, or risk taxonomy, that provides a holistic view of all information and relationships across the organization. A taxonomy structures and preserves the integrity of information, so that as changes occur in multiple parts of the organization, managers can compare risks on an “apples to apples” basis. That lets them not only connect the dots but also objectively prioritize between business areas, and so avoid the loss events that occur when the right combination of seemingly disparate, but actually related, activities comes together.
When the relationships between cross-functional activities and resources within your organization, and the issues surrounding them, are known and available, you can trace how a change will affect upstream and downstream activities throughout your organization before an event happens, rather than tracing after the fact how a loss event happened and attributing the losses to the risks that materialized or the controls that failed.