What is the one thing you have heard most frequently in 2016 about risk management? The chances are that it is the need to move away from a siloed approach to risk management towards an integrated and consistent enterprise-wide approach. Yet despite all we hear about the shortcomings of a siloed approach to risk management, relatively few organisations have yet achieved comprehensive enterprise risk management (ERM) processes—and there could be good reasons for this.
Even though there are obvious drawbacks to relying on a haphazard mix of risk and compliance system processes, I think it is worth thinking about the practical problems that can arise if organisations are overly intent on moving towards ERM—just because the consensus seems to be that it is a good thing. One of the warning signs that things may not be on the right track is when ERM processes and systems (and projects and committees and task forces) start to take on a life and infrastructure of their own. The risk is that organisations lose sight of the primary objectives of risk management and that the costs of resources and effort involved in ERM projects start to outweigh the benefits.
You may have noticed the references made in 2016 by some leading thinkers in the profession about the risks of ERM processes becoming “Enterprise List Management.” When the number of different risks and types of risks that end up in the risk repository becomes really mind-numbing, you do have to wonder if anything but the most intelligently designed enterprise risk dashboard is actually going to provide the critical insights that are hoped for.
Here are five predictions of what will trend in the world of ERM this coming year:
Trend #1: A focus on integrating risk management into different business processes—not on integrating risk management processes themselves
There are, of course, benefits to consistency in risk management processes (despite the fact that there are so many disparate risk types), as well as the ability to achieve an enterprise view of overall risk. But the more important thing is that everyone in the business should think of managing risks as part of their job—and have the best tools to help them do so.
Risk management systems and processes themselves should be as simple and low impact as needed to enable individuals to intelligently consider and respond to risks in their area of responsibility. The focus should be on optimising risk management as an integrated component of each different business process—not on trying to force inherently different risks and processes into a common framework, just for the sake of doing so.
Approaches should be sufficiently consistent to form a broader integrated view—even though it is not necessarily of much value to combine many different types of risks into one overall executive dashboard view.
My prediction for 2017 is that business managers, as well as the professionals involved in risk management infrastructure, will increasingly recognise that the important issues are flexibility, simplicity, and a focus on what matters—as well as perhaps one of the most important outcomes: dynamic, timely, ongoing insight into the risks that matter.
Trend #2: Smart simplicity backed by underlying sophistication in risk management technology
This trend will be reflected in a desire for risk and compliance management technology that is simple and effective to use. At the same time, the underlying capabilities for monitoring and assessing risks—both existing and new—in a dynamic and timely way will be increasingly sophisticated.
It goes without saying that using spreadsheets, shared folders and homegrown databases for any of these processes is anything but simple and smart. At the same time, too many specialised risk management technologies were designed a decade or so ago and are just not able to provide the type of user experience in which technology seems invisible, instead of a system that has to be endured.
Trend #3: Using multiple sources of data to intelligently monitor risks
The key to making critical risk management systems highly effective is timeliness. It’s important to be able to efficiently create and maintain an extensive repository of appropriately ranked and weighted risks, together with corresponding controls. The real challenge is in making the process dynamic—not only in terms of being able to continuously assess the status of risks that are already identified, but also to identify new and rapidly changing risks.
During 2017 more organisations will recognise the value of multiple and new sources of data—both internal and external—including “human-based” data such as that which is generated from surveys and questionnaires. The use of external data to monitor risks will increasingly include data that is shared among organisations and within industries, balancing concerns over competition with the greater good of keeping an eye on mega risks that can cause great damage.
Traditional approaches to risk management tend to be historically focused, as risk repositories are put together based on thinking about things at a point in time in the past. Dynamic continuous monitoring systems not only need to assess the current state of things that were known to be risks, but also look for new risks and new trends. This is where newer technologies involving visual analysis and statistics provide valuable indicators.
Trend #4: Using monitoring as a control
The traditional approach to controls has typically been to design a process that is meant to minimise risks (e.g., segregation of duties, reviews and approvals) and implement embedded controls in an ERP or application system. However, controls are never perfect, and breakdowns and workarounds occur. Instead of using data analysis to monitor transactions and determine whether controls are working, analytics will increasingly be used as the means of control. Immediate analysis of data relating to each transaction will provide far more timely notification of risks and problems and be used to stop high-risk activities from moving forward.
Trend #5: Rapidly increasing demand for analytic skill sets
And of course, even though technology and data analytics have major roles to play in driving risk management processes, technology and the availability of massive amounts of data are not solely the answer. People need to be able to use technology tools in a smart way. And people need to be able to interpret and act upon the insights that data analysis can provide.
The need for individuals who are skilled in both designing and interpreting analytics will only increase. There is already a shortage of such individuals in the jobs marketplace, so organisations will need to think about how to best develop skills among their existing teams.