Understanding the risk profile is becoming increasingly challenging. Executives and managers are hit with a variety of risk data from a myriad of sources – the business, who owns its risk profile, does things one way; support functions like compliance, IT, HR, finance, and risk management another; and audit provides its independent view. This information spans from the simple to the complex. Stoplights and heat maps indicate criticality or opportunity while capital modeling requires an understanding of topics like extreme value theory, splines, etc. So how are (senior) executives supposed to make sense of it all?
What is the Risk Profile?
First, let’s establish our working definition of risk. Risk is uncertainty, having both positive and negative effects. The risk profile is the aggregation of the total portfolio of risks the organization faces. Organizations can have hundreds of risks and thousands of controls, often having interrelationships with one another. As a result, filtering the most salient risks becomes challenging.
Moreover, each business and functional area will typically have its own philosophy for managing risk, and rightfully so. Business units in particular have their own raison d’être for strategy fulfillment and growth. These unique but correlated strategies require risk management to be nimble, having a unified philosophy but customized approaches for implementation. The results are individual profiles for each business that can be aggregated for the organization. This helps to inform strategy and budgeting for capital and resource allocation.
The Implementation of a Risk Management Program
Central risk management functions, like enterprise and operational risk, must perform some fiduciary responsibilities to work across the lines of defense – from the business to the support functions – to develop a philosophy and process that can be applied efficiently and effectively on a dynamic basis. This includes developing a common library of risks and controls, taxonomy, training and education, as well as the means of sharing information.
The business is typically inundated with a variety of requests from areas like risk management, compliance, and IT to provide information to establish and substantiate the risk profile. The business, however, is busy making money. Risk management is buried in what it does every day, and it is difficult for the business to justify taking time and resources away from generating profits to participate in what seem like disparate requests from the risk support functions. There is an opportunity to coordinate these risk management activities to reduce the burden on the business in developing the risk profile.
This may include:
- Creating a single assessment for completion
- A dynamic process to update the risk profile as risk events become known
- Timely escalation of concerns
- Unified reporting
This coordination provides a holistic view of risk and risk management while granting the business the autonomy to manage risk within its own appetite and tolerance levels.
Challenges in implementing a Risk Management Program
People remain the largest challenge in implementing a sustainable and dynamic risk management program. Employees need to be educated on what risk and risk management means for the organization, the business, and themselves. One example comes from the banking industry where a retail banking business unit may be concerned with penny losses while an investment banking unit may be worried about losses in the millions. The disparity of looking at business individually versus collectively has implications for how risk should be treated and managed on a day-to-day basis.
One way to overcome some of these challenges is to create a linkage between risk management and performance management – the set of objectives that individuals are measured against during a periodic review in order to receive merit increases in bonus or base pay. Establishing metrics tied to risk management, such as losses incurred, breaches of established risk metrics, failed audits, etc., ensures that there is alignment between risk-taking and risk-mitigating activities.
Technology supports the development of a Risk Profile
After working in the GRC space for over 20 years, I know that technology plays a critical supporting role in understanding and developing the risk profile.
- It can provide an autonomous view for the business or function whilst simultaneously pulling together the information for a holistic, corporate view;
- The technology can be automated, reducing the likelihood of error from manual entry of information or from the aggregation of data across disparate systems or software;
- It helps make people accountable by, for example, assigning tasks to individuals to address agreed-upon responses to risks or control/management deficiencies;
- Items like dashboards and bespoke reports help increase visibility into the specifics of the risk and control environment by pulling the data together and presenting it in a way that aligns with an individual’s responsibilities;
- It can act as the single source of risk information, enabling efficient conclusions on the risk profile and any changes in it; and
- It supports sound and informed business decision making.
Having a single technology platform can help substantiate the risk profile for the organization. I have yet to see a technology with such quick and easy configurability to depict the risk profile with the ability to deep dive into the specifics. As a long-time practitioner, it is features like this that make me excited to be working for a company like Nasdaq BWise.
Articulating the risk profile requires educating employees on risk and risk management as well as creating a nimble approach that allows each part of the business to manage risk to its own appetite and tolerance levels. Aligning the activities of the organization ensures there is a comprehensive view of risk and that there are no gaps in risk management or control coverage. Technology acts as the great enabler by centralizing and producing a picture of the risk and control environment in a timely and efficient manner. Only by looking at these items collectively can there be a means to ensure that risks are managed in a way that is consistent with the expectations of executives, the Board of Directors, and regulators.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.