Protiviti’s Jim DeLoach revisits some of his writing from half a decade ago to see if companies are making good on the promise offered by technology to deepen the effectiveness of their risk management processes.
Five years ago, I contributed an article to these pages titled, “Does ERM Really Matter in Your Organization?” This article described the status quo in risk management as I envisioned it at that time and concluded that more needed to be done to elevate risk management to help organizations face the dynamic realities of the 21st century.
I pointed out that risk management, as a discipline, needs to leverage the advances of digital, cloud, mobile and visualization technologies, exponential growth in computing power and advanced analytics to embed deeper, more insightful risk information in strategy-setting, performance management and decision-making processes. That article briefly touched on three keys to advancing enterprise risk management. In this article, I take a deeper dive into these three keys.
Key #1: Position your organization as an early mover
Market shifts often create opportunities to enhance enterprise value or invalidate critical assumptions underlying the strategy. In today’s rapidly changing markets, organizations are best positioned when they recognize these insights and act on them as quickly as possible. It makes sense to enhance the enterprise’s discipline and ability to recognize changing market realities and act decisively in revising strategic, business and innovation plans in response to those realities. Competitive advantage is attained when an organization obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options before that knowledge becomes widely known. Organizations committed to continuous improvement and able to embrace breakthrough change are more apt to be early movers.
Following is a summary of the attributes of an early mover:
|RECOGNIZE the opportunities and risks, discerning the ones that are most critical||
|REACT to warning signs to position the organization early in the game||
|REFLECT on experiences to ensure continuous learning||
The pandemic was an object lesson for early movers. When governments instituted shutdown public health protocols, the risk and imperative to act was clear. As they acted, many leaders made mistakes and adjusted on the fly as they learned. But that period was extraordinary. There was no alternative in what amounted to a “do or die” situation for many companies.
But in normal times, becoming an early mover is not easy. Short-termism and the focus on profits can lead to a fixation on the business model and clinging to the status quo. Why did it take Steve Jobs’s return to shift Apple away from near-bankruptcy when it had only three months of working capital left on its balance sheet? What distinguished Netflix from Blockbuster in deciding to disrupt its own business model? Why was Fujifilm able to begin planning for the shift from film to digital as early as the 1980s and Eastman Kodak wasn’t? The attributes of an early mover provide clues.
The following question applies to every organization: When the fundamentals of the industry change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or will it be looking at the emerging risk of an outdated strategy? Time advantage is attained when the organization obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options for its leaders before that knowledge becomes widely known. Companies able to function as early movers see change on the horizon as potential market opportunities rather than potential crises.
For example, consider how streaming has turned all phases of the entertainment industry upside-down. With more people choosing to view films and television shows online, the number of people going to movie theaters and the audience share of television networks and cable services are declining. Competing against the wave of consumers deploying streaming services for their entertainment is like fighting gravity.
The takeaway: Is ERM helping the organization position itself as an early mover in these dynamic times of disruptive change? If the answer is “no,” then what value is it contributing?
Emerging risks are those that cannot yet be fully assessed but could, in the future, affect the viability of an organization’s strategy and business model. A risk savvy culture sometimes calls for an informal adhocracy to identify emerging risks in a timely manner.Read more
Key #2: Elevate risk reporting to the digital world
Rapid advances in the business environment necessitate more timely risk information. Generative AI, cloud computing, advanced data analytics and other technologies are creating the opportunity to deliver to that need. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile, flexible and nimble in responding to a changing business environment. For most organizations, today’s risk reporting falls short of that objective.
To impact decision-making, risk reporting must address three questions:
- Am I riskier today than yesterday?
- Am I going into a riskier time?
- What are the underlying causes?
Risk reporting faces multiple challenges. Traditional methods of risk measurement tend to generate information that is difficult to aggregate and interpret across multiple types of risks, lines of business and geographies. Traditional risk reporting lacks transparency into the underlying data, making it difficult to assess the direction and speed of risk, understand the drivers of risk, consider risk in the context of the enterprise’s strategy and enable a robust risk appetite dialogue. Furthermore, the amount of manual effort required to collect data from multiple sources, update metrics and create presentations to deliver what decision makers require is often excessive. “Dynamic” is certainly not the word that comes to mind when describing the risk reporting process at many companies.
To navigate today’s rapidly changing marketplace, companies need a more comprehensive, comprehensible and actionable snapshot of their organizations’ risk profile so that senior executives and board members become more confident that they understand the most critical risks — and can act quickly when key business objectives are not being met and risk levels rise or fall. A more agile and nimble process would enable value-added risk analysis, resulting in more insight for decision-making.
Simply stated, risk reporting is often not actionable enough to support decision-making processes. Until it is designed to answer the above three questions, it won’t. And once it does, it enables the organization to shift away from reliance on lagging retrospective indicators to a process that incorporates a more balanced family of measures, including leading indicators and integration of advanced analytics.
The schematic below illustrates using an information hierarchy. The bottom three layers of the hierarchy are typical of what is seen for many organizations. Movement up the hierarchy provides transparency into strategic execution risks, augments quarterly strategic reviews to enable timely action to address risks to achievement of strategic goals, identifies signs of stress on the business, triggers early-warning signals of increasing risk exposures or potential market opportunities indicating the need for immediate response and supplements the chief executive’s strategy communications with the board.
The integration of performance management and risk management on matters of strategic importance is where corporate performance management systems often fail. As a result, the organization is unable to monitor the vital signs that help anticipate emerging opportunities and risks. Effectively integrated with performance management, risk reporting is a key to evolving ERM from a “risk listing” process to a “risk informed” decision-making discipline.
The takeaway: The following questions apply to every organization and represent the ultimate measure of strategic resilience: When the company’s fundamentals change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or the need to react to the crisis of an obsolete strategy? ERM should help companies attain time advantage, which is realized when the organization obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options for its leaders before that knowledge becomes widely known in the market. Using forward-looking reporting linked to the strategy, companies are able to function as early movers and view change on the horizon as a potential market opportunity rather than a looming calamity.
Key #3: Maximize the Effectiveness of the Three Lines Model
How can organizations avoid missing out on market opportunities and guard against reputation-damaging breakdowns in risk and compliance management? In 2020, The Institute of Internal Auditors (IIA) issued its updated view of the three lines model. The IIA’s discussion shifts the focus of the model from defense to value to emphasize a fundamental concept: From the boardroom to the customer-facing processes, creating and preserving value is everyone’s responsibility.
It raises the line of sight on the importance of a “governing body” (the board of directors and senior leadership) setting the tone of aligning organizational objectives and activities with the prioritized interests of stakeholders. The point of emphasis here is that the three lines model is much more than business unit management and process owners (whose activities are most directly aligned with the delivery of products and services to customers) comprising the first line, independent risk and compliance functions representing the second line and internal audit the third line.
The tone of the organization — the collective impact of the tone from the top, the mood in the middle and the buzz at the bottom on risk management, compliance and responsible business behavior — lays the foundation for the three lines to function effectively. This is about culture, and the governing body is responsible for establishing a communicative, cooperative and collaborative culture. If the culture is toxic, it doesn’t matter how well the three lines are organized or what their role is.
If one or more of the following conditions exist, the three lines model probably won’t matter:
- Poor top-down and/or bottom-up communications
- Aggressively dominant or unethical CEOs
- Confusing, opaque organizational structures
- Ambiguous decision rights
- Flawed compensation structures that incent a warrior culture, reckless risk taking or harm to consumers
- Business units that are off-limits to the second or third lines
- Strategic disconnects from business realities
- Waivers of conflicts of interest policies
- Significant talent gaps
- Tolerance of toxic, hazardous workplaces
Tone at the top is vital. Leaders are expected to communicate the organization’s vision, mission, core values and commitment to doing the “right thing.” But what really drives behavior is the message employees see and hear every day from the actions of and communications from managers who have direct influence on their compensation and careers. Aligning the tone at the top with this vital mood in the middle has a significant influence on the organization’s risk culture, which in turn affects the effectiveness of the three lines model.
I like to think of senior management and the board of directors as the final line to whom important matters are escalated. (As far as I can determine, Sean Lyons is the first author to have broadened the focus of the traditional three lines concept in a Conference Board paper dated October 2011.)
We often think of escalation as a process pertaining to risk matters or issues obtained through hotlines. But in the broader context of the three lines model, escalation to senior management is really about alignment, which makes it more strategic. While the three lines should pay attention to organizational alignment, they may not be equipped to address true misalignment issues themselves. Therefore, when these issues are identified, they should be escalated immediately if they are not susceptible to a quick resolution.
The takeaway: Under the board’s oversight, executive management carries the responsibility of balancing the inevitable tension between the first-line business unit managers and process owners and the second-line management functions by ensuring that neither of them (and their respective activities) are too disproportionately strong relative to the other. Top management acts on information on a timely basis when significant misalignment and other issues are escalated and involves the board timely when necessary. In this way, the three lines model offers a powerful tool for companies seeking to strike the appropriate balance between creating and protecting enterprise value to avoid irresponsible business behavior that can impair reputation and brand image.
For most companies, risk management has not fully leveraged the powerful tools that have emerged in the 21st century — increased computing power, digitization, advanced analytics, mobile, visualization techniques and “classic” as well as generative artificial intelligence, among others. Until it does, management can’t get serious about linking ERM to strategy, performance and decision-making. The three keys discussed above are about enhancing the odds of the organization achieving its objectives by enabling it to become more adaptive and agile in the face of an increasingly volatile, complex and uncertain world. They will help management and the board face the future more confidently.