What do executives say is their biggest risk management challenge? According to a new report from the Risk and Insurance Management Society (RIMS) and Marsh & McLennan, it all boils down to risk integration.
Survey results from the Excellence in Risk Management Report show that C-suite executives identified “integration with strategic planning” as the biggest performance gap in their organization’s risk management function.
“This should concern those who believe risk departments should be strategic partners to the overall business,” the authors of the report point out. “Strategic thinking about risks cannot take place in a vacuum.”
The report reveals a number of ways that businesses are failing to use data to support strategic, integrated risk management:
- Less than half of organizations (38%) use risk data to make long-term adjustments to risk management strategy
- Only 35% use data to make long-term changes for improving operations performance, including control measures
- Only 29% provide data for strategic planning
- Only 16% use data in real time to adjust risk management strategy (less than a third leverage real-time risk data at all)
If these are some of the obstacles to informed, risk-based decision-making, then what should strategic risk management look like?
What is strategic risk management?
- A primary component of and foundation for effective enterprise risk management (ERM)
- A process for identifying, assessing, and managing risks and uncertainties
- Considers both internal and external events or scenarios that may inhibit an organization’s ability to achieve its strategic objectives
- Has the ultimate goal of creating and protecting shareholder and stakeholder value
In addition to these core characteristics, William Hord, Quantivate’s vice president of ERM services, emphasizes the development of key indicators (KPIs and KRIs) as a critical component of strategic risk management. Key performance and risk indicators help properly align risk management activities with organizational strategy and improve overall governance.
When internal and external data from your GRC program is utilized to develop key indicators, and they are properly aligned to strategy, risk management can provide a truer picture of the potential risks and opportunities
“When internal and external data from your GRC program is utilized to develop key indicators, and they are properly aligned to strategy, risk management can provide a truer picture of the potential risks and opportunities to the board and senior management much further in advance,” Hord says. “This increases the organization’s ability to make more informed decisions around changes to current or future strategy, which ultimately impacts capital allocations. In the end, it means saving time and money and providing a higher assurance of achieving the overall strategy set by the board and senior management.”
Components of Strategic Risk Management: What’s Missing
It’s clear, however, that many organizations either don’t have the capacity to collect, analyze, and disseminate risk data, or aren’t fully leveraging their data to empower strategic decision-making. The survey results suggest that two components are missing from many risk management programs:
1. Risk Integration
Informed decision-making is difficult when risk data is siloed throughout the organization. However, sharing data across business units, departments, and risk and compliance functions enables a more holistic and accurate perspective of your organization’s risks and opportunities and their impact on business outcomes.
Many organizations choose to invest in a governance, risk, and compliance (GRC) solution that automates integration, sharing data points across management areas such as ERM, vendor management, compliance management, and business continuity, among others.
Integrating risk data in a single system enables better oversight, an interconnected understanding of risks and controls, and improved access to data and reporting — ultimately reducing both the time and resources required for your GRC program. In doing so, it also gives decision-makers the data and perspective they need to integrate risk information with their strategic planning.
In fact, one GRC maturity survey found that 89% of organizations that implement an integrated GRC program have seen benefits that meet or exceed expectations, such as:
- Reducing gaps in risk and compliance
- Reducing the costs of GRC processes
- Increasing the ability to gather / report on GRC information and present meaningful analysis
The Excellence in Risk Management report points out that “true integration with… strategic planning will be more likely to occur for those who deliver data-based advice to top management,” which brings us to our next topic: executive reporting.
2. Executive Reporting
A McKinsey & Company survey found that boards tend to devote a relatively small amount of their time to risk management — about 9% on average. Furthermore, only 6% of directors believe their organization’s board is effective at managing risk.
All the more reason, then, that boards, executive management, and other stakeholders need a clear view of the organization’s risk landscape through reporting that is relevant, synthesized, and tailored to recipients’ governance responsibilities.
“The objective is to ensure that an independent risk view, encompassing all levels of the organization, is embedded into the planning process. In this way, the risk profile can be upheld in the management of business initiatives and decisions affecting the quality of processes and products.” – McKinsey & Co.
Making timely executive reporting part of your organization’s processes is an essential step toward more strategic risk management.
The Takeaway
Without integration, data analytics and reporting, and other best practices for collecting and deploying risk data, organizations will struggle to align risk management with business strategy.
How Quantivate Can Help With Risk Management Integration
The Quantivate GRC Software Suite was designed to help organizations quickly implement a holistic, integrated GRC program. Our risk and compliance management products are robust on their own but even better together thanks to built-in integration that provides powerful data-sharing, automation, and reporting capabilities.
Learn more about how Quantivate can empower strategic risk management by requesting a demo today.
