The traditional approaches to coordinating risk and assurance were once useful, but the environment has changed. Gartner’s Malcolm Murray argues against the continued use of these approaches and for corresponding change.
As organizations emerge from the COVID shocks of 2020, it is becoming clear that many organizations have spread themselves too thin and now need to strengthen their resilience ahead of whatever the next COVID-type shock may be.
Strengthening resilience requires getting better at managing all risks to the organization holistically. With risks more interconnected and fast-moving than ever, senior management and boards will need to spend more of their time on risk. This is clear from Gartner’s latest survey of CEOs, in which risk management was the issue whose importance increased by far the most (39 percent) between 2019 and 2020.
However, up until now, there has not been a good way to translate between organizational strategy and risk management. Senior management and boards set strategy, but then leave it up to the risk and assurance functions to determine the risk governance (i.e., who should be involved in the management of the risks and what activities they should perform), and these functions have been relying on outdated frameworks for this.
Out with the Old, In with the New
Chief among traditional risk governance frameworks is the Three Lines of Defense (3LOD) model, a one-size-fits-all, static model, where different functions are classified into “lines,” often ending up operating in silos. This model was recently revised (now called the Three Lines – 3L model), but this didn’t solve for the lack of senior management involvement and the model’s static and one-size-fits-all nature. Further, it actually made the coordination challenges between risk and assurance functions even worse, by separating audit even further from its fellow risk and assurance functions, as noted in CCI recently. This goes counter to recent COSO guidance and reinforces silos, continuing to stymie collaboration.
This decoupling of risk management from organizational strategy has had several negative outcomes. With senior management not having a holistic view of risk governance, whenever a new risk has been identified, the response has been to create a new function to manage it (the number of risks as well as the number of risk and assurance functions both more than doubled during the last decade, according to Gartner data). These new functions, not having a useful framework for working together, have therefore been focused on reconciling internal differences rather than strengthening the overall risk management of the firm (more than three times as many risk and assurance leaders have as their goal for collaboration avoiding work duplication rather than ensuring risk-balanced growth for the organization).
This has led to an increase in complexity and redundancy without any gains in terms of organizational resiliency. Without that holistic view, some risks have become over-controlled, meaning unnecessary money is being spent on them and unnecessary assurance fatigue in the business is being created by having too many functions involved doing too many risk management activities, while other risks are under-controlled, leaving the organization blindly stepping forward, taking more risk than it has capacity for.
Because the business cannot see the connection between risk and strategy, and is hammered by duplicative assurance efforts, it has stopped incorporating risk thinking in its decision-making. As we saw during COVID, when very quick decisions were made, this can be highly problematic. As organizations emerge from the shock of COVID, this will continue.
We are in a K-shaped recovery, where COVID has amplified the growing gap between organizations in a strong position and those that are struggling. Both groups have key risk considerations to keep in mind. The accelerating organizations will focus on digital business acceleration, facing many new opportunities and new risks. This might implicitly increase risk appetite too much and lead to new risks not being identified, assessed and managed promptly. The organizations on the other side of the spectrum are likely to focus on strategic cost management. This could lead to an implicitly declining risk appetite, not taking enough risk and under-resourcing risk management efforts.
Risk Governance 2.0
To solve for this and enable organizations to move to “risk governance 2.0,” we recommend an alternative framework in dynamic risk governance (DRG), which allows for organizational strategy to be translated into risk management by using the powerful lever of risk governance. Through having senior management own the decisions of how risk management is organized in terms of roles and responsibilities, risk management can be intimately tied to strategy.
DRG consists of three interrelated components, as seen in figure 1.
These can be executed separately, but when implemented jointly, they greatly reinforce each other.
Risk-Tailored Risk Governance: Creating distinct governance models for each risk and tailoring them to the strategy of the firm by using risk appetite and risk volatility.
Activity-Based Risk Governance: Building the governance model bottom-up instead of top-down. Instead of asking which functions should be involved according to an existing model, analyze which risk management activities are essential and who is best placed to conduct them, ignoring any artificial lines that prevent the most suitable function from doing the job. It doesn’t matter who the risk owner is; what matters for risk outcomes is that there is an owner.
Digital-First Risk Governance: Putting opportunities to digitalize risk management first, to increase the use of digital technologies, rather than considering them as an afterthought.
The implementation of these three components of DRG has been proven to be more effective in terms of driving high-quality risk management behaviors and positive risk management outcomes than traditional risk governance (see figure 2).
The implementation of DRG will help revitalize the aligned assurance efforts in organizations that have become stagnant and also reduce assurance fatigue, since it leads to a more optimized, often lower number of assurance functions involved for each risk. DRG also raises the altitude of the discussions between risk and assurance functions and the board and senior management, putting risk on the agenda to determine the appropriate risk governance level and type.
DRG is implemented by analyzing the risk governance intensity appropriate for each risk and building a risk RACI matrix for each one (establishing who is Responsible and who is Accountable, naming who is Consulted and documenting who should be Informed when the task is complete). These matrices should then be regularly presented to senior management and the board, and updated as strategy changes or opportunities arise.