Transform your Risk Management Today

Five simple and effective ways to improve risk management within your organisation


For any organisation, big or small, risk managers are a key asset. Among many other things, they play an important role in keeping the organisation out of trouble, enhancing the deployment of capital, and driving it towards its strategic objectives and goals.

However, being a risk manager and managing risks effectively is not an easy task. In an era where the geopolitical landscape is volatile, regulatory requirements are forever expanding, products and processes have become complex, technology is rapidly evolving, and reliance on third parties to deliver critical products and services has significantly increased, managing risk effectively and efficiently has become a big challenge.

So, what can risk managers do to overcome this challenge?

Based on our collective risk management experience of over 40 years between the co-founders and consultations with other risk professionals, here’s a list of five simple things that we could do to transform risk management.

Keep an eye on the horizon:

Risk managers have sometimes fallen into the trap of managing risks that are here and now, with less attention given to what’s around the bend. This risk management myopia can be fatal. Emerging risks that are still unknown to the organisation could be significant enough to cause unprecedented damage to it. For example, they may destabilize the current business model, make products and services redundant or less profitable, or affect key suppliers. Therefore, risk managers should scan the horizon for new and emerging risks, assess them to understand how they could potentially impact the organisation, and take necessary steps to manage them.

Some of the ways we can do this include:

  • Environmental Scanning: Systematically monitoring and analysing the external environment to identify emerging trends, technological advancements, regulatory changes, geopolitical shifts, and other factors that could impact the organisation. It helps in the early identification of potential risks.
  • Horizon Scanning: Identifying signals or early indicators of emerging risks. It involves gathering information from various sources, such as industry reports, academic research, expert opinions, and social media monitoring. By detecting these signals, organisations can take early action to address emerging risks before they become an issue.
  • Industry Networks: Engaging in collaborative networks, such as industry associations, partnerships, and information-sharing platforms, can provide access to valuable insights and knowledge about emerging risks. Collaboration allows organisations to pool resources, share experiences, and collectively address common challenges. 
  • Technology Monitoring: Keeping track of technological advancements and innovations relevant to the organisation's industry is crucial for managing emerging risks. This includes monitoring new technologies, assessing their potential impact, and identifying associated risks and opportunities. Regular technology assessments and horizon scanning can inform strategic decisions and risk management strategies. 

Use metrics effectively:

Metrics such as key risk indicators and control indicators are critical parts of monitoring risk and control effectiveness. They provide an early warning indicator of the overall effectiveness of the control environment and of emerging risks and issues.

However, many risk professionals have made the mistake of using either too many or very few metrics, or using metrics that have no bearing on the key risks facing the organisation or the industry within which they operate. This provides little or no value to the overall effectiveness of risk management.

So, here is what risk managers can do:

  • Start with a list of key risks and key controls: If you start measuring and monitoring every risk and control, you will be left with too many metrics. And collecting and analysing data will become a big task. It probably will not add that much value either. Start with a handful of risks or scenarios that have been assessed as significant to the organisation and a handful of key controls. You can use your existing risk register to get an idea of what those key risks and controls are.
  • Don’t reinvent the wheel: Organisations already have lots of metrics that they use for measuring and monitoring business performance. This should be a good starting point for identifying effective risk and control indicators to use. The advantages of using the existing data are: (i) they are already tailored to the organisation, (ii) there will be lots of related historical data which can be analysed to understand the trend, and (iii) senior management and board have already approved these, so no need to gain their approval again.
  • Set realistic thresholds: It is important to set thresholds that are attuned to your organisation's business model and your board's risk appetite. If they are set too high, many important early warning indicators are missed. And if set too low, every single warning signal will be escalated, reducing the benefits of risk and metrics reporting.
  • Review: As the internal and external business environment changes, review the existing metrics and thresholds. Get the SMEs around the table to review the metrics.

Map the interconnectedness:

We know that organisations are a complex web of objectives, products, processes, services, applications, and third parties. To achieve a certain objective, a firm relies on several products and services, which are served by various processes. And these processes are in turn supported by a myriad of applications and third parties, thus creating a web of interconnectedness. This interconnectedness becomes even more complex as organisations grow bigger and offer more products and services in various jurisdictions.

To manage risks effectively, it is critical for risk managers to map and visualize this interconnectedness for (at least) every critical objective, product, service, and process. This will help risk managers:

  • Better understand dependencies and pain points: Having a clear view of how an objective, service, or product is supported by various processes, applications, and third parties provides a good starting point for risk identification. It gives you context for risk identification and helps identify the right risks. It will also help you analyse and understand the single points of failure and pain points within the chain.
  • Perform meaningful assessments: With this knowledge of interconnectedness, you can then perform meaningful risk assessments. You are more likely to accurately predict the implications on the firm’s viability, consumer safety, and market integrity when, for example, there is a data breach or loss of a third party.
  • Improve mitigation and monitoring: It helps you identify robust controls as you have fully understood the risk and its implications on key aspects, such as the firm's viability, consumer safety, and market integrity. As a result, you can plan subsequent actions, such as risk mitigation, control testing, and risk monitoring, more effectively. 
  • Meet regulatory requirements: Identifying important services and mapping the supporting applications, resources, and third parties is now a key requirement under the operational resilience requirements as well. Thus, mapping this interconnectedness will not only transform your risk management but also help meet regulatory requirements.

Use Multiple Data Points:

Using multiple data sources for risk management involves gathering and analysing diverse sources of data to gain a comprehensive understanding of risks and controls. It allows risk managers to understand how well risks have been managed, or where the gaps and issues are in the control environment, and make informed decisions. By considering various data points, risk managers can enhance their risk assessment, forecasting, and mitigation efforts.

Risk managers should use data from a variety of sources to capture different perspectives and dimensions of risks. This includes both internal data (e.g., financial records, issues, internal loss events data, KPIs) and external data (e.g., external loss events data, industry reports, regulatory information).

Leverage risk management tools:

And finally, leverage risk management tools. Technology plays an intrinsic part in building effective and efficient risk management. As we have seen, to better understand risks, risk managers need up-to-date information and must map and visualize the interdependencies, use multiple data points, and understand the trends of key indicators. Now imagine doing all this using Excel at a time when the size of the risk management team has shrunk over the years and there is growing pressure on risk managers to protect and drive the organisation forward. To achieve these objectives without a tool is very difficult.

----------------------------------------------

ABOUT THE AUTHOR

LAXMAN MAHARJAN IS CO-FOUNDER OF ERM PLUS AND A SENIOR GRC CONSULTANT AT RISKSPOTLIGHT
