A group of chief risk officers (CROs) and risk managers met recently to discuss the key ingredients of an effective Integrated Risk Management (IRM) framework. Here are some of the best practices that were discussed:
The risk leaders concurred that involving the first line at the strategy level is instrumental in ensuring the success of the IRM program. It is, in fact, the first line that has to not only own but also manage risks and compliance issues associated with daily operational activities. As such, they are more likely to spot emerging risks, challenges, and concerns early on compared to others.
Involving the first line in the design phase of the IRM framework can be a game-changer, as they can provide valuable insights with respect to end-user perspectives, latent and emerging market trends, and more. In turn, it gives the first line more clarity regarding the organization’s risk appetite, thereby empowering them to make confident, informed choices.
Keeping in mind the growing responsibilities of the first line, governance, risk and compliance (GRC) solution providers are designing products for this line of defense embedded with easy-to-use intuitive interfaces, personalized pages, simple reporting mechanisms, and minimal user training requirements.
The risk landscape is becoming increasingly complex due to rapidly evolving risk factors and their growing interdependencies. To identify, assess, and mitigate emerging risks in such a volatile environment, organizations need timely risk insights and intelligence. This is best achieved when all three lines work in tandem, which leads to streamlined risk identification, a better understanding of risk impact and relationships, and a unified and holistic view of risks across the organization.
It is noteworthy that the three lines of defense model is undergoing a major change as the roles and responsibilities of the three lines are expanding to meet the needs of businesses today. The onus of the first line has moved beyond risk identification and management in day-to-day activities to control ownership and accountability.
This increase in responsibility of the first line, in turn, empowers the second line to enhance its risk monitoring capabilities and oversight. Organizations are also embracing a novel concept of a “one-and-a-half line of defense”. This is a group that sits somewhere between the first and the second lines with a primary focus on risks, controls, and compliance. The group helps ensure that the first and second lines are working in cohesion, thus adding more value to risk insights and supporting better business objectives.
These evolving responsibilities of the first and second lines provide the third line, the independent assurance providers, with deeper visibility into the effectiveness of the risk management processes and control measures.
Fostering coordination and collaboration between various functions, including audit, compliance, risk, IT, third-party, legal, and finance, is imperative to provide executive leadership and management with a comprehensive and holistic view of risks and the efficacy of controls, and to strengthen risk resilience.
As organizations today have operations across multiple jurisdictions, it has become essential to encourage effective communication among business units and functions across locations. This will enable an organization to define a unified risk taxonomy and get better visibility into the risks faced by BUs at the regional and local level, and into how the IRM program can help them address these risks. It will also highlight any misalignment between corporate centers and local BUs.
Furthermore, as the risks and challenges faced by different BUs are diverse, organizations need to adopt a federated approach to risk management. This will give individual BUs the flexibility to implement their own approach to risk management at the departmental level while ensuring its alignment to the overarching IRM program and defined objectives.
A federated approach to IRM, along with a common risk taxonomy, will ensure that the various business units have a common understanding of risks and clarity on the organization’s risk appetite. In addition, it will help to cut across silos, eliminate redundancies and duplication of effort in identifying critical risks, and produce an aligned view of the organization’s risk profile.
Comparing the IRM program to a three-legged stool, the risk leaders opined that people, processes, and technology are the three core elements, adding that the stool is only as strong as its weakest leg. For an IRM program to be successful, particularly in the current fast-paced and complex operational environment, it is imperative to transition to a mature framework—one that strikes the right balance between these three pillars.
It is important to note here that organizations often do not realize that they have become over-dependent on technology while ignoring the importance of skilled and experienced people and well-designed processes. The best practice is to find the right mix—to try to achieve consistency across all three layers for every risk category.
A successful IRM program today is highly dependent on an organization’s ability to collect and consolidate risk data in real-time. This risk intelligence can then be used for gaining valuable insights into the organization’s risk exposure and clarity on risk-return tradeoff, thereby driving risk-aware, data-driven business decisions.
Often, risk professionals find themselves in the difficult position of having to convince management of the importance of implementing an IRM program and of collecting and aggregating risk data. Integrating risk intelligence into business strategy is key to making informed choices and achieving business growth targets. It also helps an organization identify, in a timely manner, critical risks as well as problem areas, be they in people, process, or technology.
Today, organizations have to be astute enough to detect risks, threats, operational fragilities, and compliance failures, as well as opportunities. Adopting the aforementioned IRM best practices could be overwhelming for organizations of any size. IRM and GRC solutions, which come with automated workflow and real-time reporting capabilities, can help simplify the process and enable an organization to better position itself in the face of unprecedented risk events. These solutions enable firms to standardize risk management activities and control frameworks, provide real-time visibility into risks and their impact on business performance, and help reduce the time spent on managing compliance activities, audit reviews, and issue resolution.