By Resolver Modified November 21, 2019
This year, the Resolver team joined 400 risk leaders at the Risk Management Society (RIMS) annual ERM conference on November 3-6, 2019 in New Orleans.
The conference is a great opportunity to network with risk leaders and to learn about the strategic and tactical initiatives they are using to advance the practice of risk management in their organizations. Throughout the week, three major themes were prominent in the sessions and discussions:
How are ERM teams quantifying and presenting their value to the company? The answer is that it depends. In one session, the speaker shared that ERM teams are working to change the perception of their teams away from being the risk police to being value providers that support initiatives throughout the organization. But in order for them to support value management, ERM teams need to gain earlier visibility into initiatives, rather than just being looped in to react to crises. He presented an interesting model of reacting to change, particularly how companies tend to manage internal change as a reaction to external change.
The focus on value quantification exposed two major gaps that most risk teams need to address:
The most promising technique for proving the value of an ERM program is to quantify loss events and reduce the number of loss events by implementing controls recommended by risk teams. One way to quantify loss events is to use technology and software that automates the collection of metrics in a systematic way that makes reporting on these loss events part of the everyday workflow for the business units.
Another way to quantify the value of ERM is to set quantifiable risk thresholds on KRIs. These thresholds should be set first at the executive level, and then at the board level. Any decision that falls outside these thresholds will need executive, and potentially board-level, approval before proceeding.
These emerging quantification techniques are great steps in helping ERM teams be more critical to decision-making in the organization and better able to support corporate strategy.
How can risk teams address potentially catastrophic events if those events have never occurred? It’s a perplexing question, but the root of the solution is to analyze smaller events at the operational level that could eventually lead to something larger.
There is a feeling that simply relying on high level assessments leaves risk executives blind to the risks the organization is actually experiencing. If you’re hyper-focused on theoretical risks, you become blind to the day-to-day risks that are driving operations and strategy.
Getting down to the operational level includes both simply doing assessments with lower level operational employees in the company, as well as being embedded in operations and being responsible for approving operational risk exceptions. This might include having the domain expertise on specific operational risks and controls to support their business units, and then conducting root cause analyses to identify where there is a concentration of risk. And, of course, this means having the infrastructure in place to be able to collect complete data on risk events and other incidents, and then putting controls in place to prevent future incidents.
ERM teams are focused on protecting the organization from emerging risks. Risk teams are under increased pressure to get ahead of executives and investors who are actively identifying new risks to the company. For example, the latest proxy statement of Alphabet, Google’s parent company, includes shareholder proposals to establish a societal risk oversight committee and to report on sexual harassment risk management.
Chief Risk Officers continue to highlight the importance of tracking risk velocity (the measure of how fast an exposure can impact an organization) to help risk teams manage and prioritize risks. For high-velocity emerging risks, the focus should be on immediate identification of risk events and the appropriate response plans. For low-velocity emerging risks, the focus should be on key risk indicators (KRIs) that provide advance warning of a potential risk event.
Again, having good historical data will help identify real risks and prevent risk teams from focusing on phantom risks – risks that are elevated because of a bias, political motive, or from the withholding of information.
The state of the ERM profession is strong and is poised to grow in importance in organizations. Risk teams are increasing efforts to connect top level risks to the front-line operations of the business and collecting data to effectively contribute to strategic conversations. In order to do this effectively, forward-thinking risk teams are leveraging software, like Resolver.
Resolver’s Risk Management Software connects risks to incidents, so that assessments of what could happen are linked to what did happen. With this connection, risk teams are able to quantify the impact of risk mitigation plans, identify where the risk register has gaps, and see where risk assessments were overly confident. By leveraging software, Resolver customers have been able to focus resources on the risks and controls that make the biggest impact on the organization.