Why we must improve risk maturity to make risk management a relevant and useful exercise

2020 is nearly over and it will forever be remembered for the pandemic that has devastated the economy, businesses and our social lives.

I’ve heard risk managers say this is our time and indeed I’ve spoken to risk managers that have been in the centre of their business’ response to the pandemic and lockdown. Similarly, I’ve spoken to many risk managers that have been furloughed and made redundant.

The difference between the two camps is stark: those that have stepped up now have a platform to excel; those that have lost resources will eventually need to rebuild because, whether they recognise this or not, risk and the need for risk management have not gone away.

What a selection of headlines from 2020 tells us is that businesses are not only dealing with COVID-19; it is also business as usual when it comes to other risk events happening, whether regulatory breaches and fines, cyber-attack, fire and safety events, social unrest, or activist shareholders – these are all still highly relevant.

In fact, when an organisation is already financially stressed by COVID-19, the impact of the next event is relatively more severe and who knows which will be the straw that breaks the camel’s back.

So, what’s next for risk management? Just like businesses, staying in survival mode is unsustainable. We must develop and implement strategies to flourish or we become irrelevant and die.

Coming of age

For risk management, there is no room for the proverbial ‘ticking of the box’ and the problem remains unchanged: we must improve risk maturity (i.e. effectiveness) to make risk management a relevant and useful exercise. To me, this means:

1) embed capability and culture in the organisation; and

2) make a difference at the leadership and decision-making tables.

Whilst the problem statement hasn’t changed, the world is very different. There is a lot more working from home, which means our stakeholder relationships are different, committee meetings are virtual, and sharing screens is the norm.

In terms of embedding, well this means getting more people involved in risk management. This is extremely hard to do when people are working from home, but a technology platform can unlock this.

Embedding risk management simply means getting more people engaged in, contributing to and aware of risk. At GOAT we recommend (particularly for larger businesses) that risks be distributed to owners. Further, the risk details need to be distributed to the team members: those actually delivering the actions, designing the controls, and creating the metrics and reports. There is no way you can get this kind of collaboration in a manual spreadsheet.

When it comes to decision making, we know how leaders make decisions. They need to synthesise the business context and logical problem solving/gap analysis, and they want to see data.

Risk scoring is essential for prioritisation and visualisation of risks relative to each other, but to the C-suite decision makers, these scores are not data. This is why performance metrics need to be tied in with the risks, so we are able to performance manage our risks, making risk discussions grounded in facts rather than anecdotes and scores. The traffic lights that measure completion of actions are now supported by the measurable impact and outcome of actions.

We know financial resources are stretched and achieving change must be done cost-effectively. Yes, your risk register spreadsheets are free, but they are not fit for purpose. We have entered an age where risk managers are benefitting from cloud-based software as a service, and this enables technology solutions to be implemented flexibly and at extremely low price points.