
Is Risk Management Actually Making a Difference in Your Organization?

Many companies still haven’t adequately connected risk management and technological advances

by Jim DeLoach
September 19, 2023
in Governance, Risk

Protiviti’s Jim DeLoach revisits some of his writing from half a decade ago to see if companies are making good on the promise offered by technology to deepen the effectiveness of their risk management processes.

Five years ago, I contributed an article to these pages titled, “Does ERM Really Matter in Your Organization?” This article described the status quo in risk management as I envisioned it at that time and concluded that more needed to be done to elevate risk management to help organizations face the dynamic realities of the 21st century. 

I pointed out that risk management, as a discipline, needs to leverage the advances of digital, cloud, mobile and visualization technologies, exponential growth in computing power and advanced analytics to embed deeper, more insightful risk information in strategy-setting, performance management and decision-making processes. That article briefly touched on three keys to advancing enterprise risk management. In this article, I take a deeper dive into these three keys.

Key #1: Position your organization as an early mover

Market shifts often create opportunities to enhance enterprise value or invalidate critical assumptions underlying the strategy. In today’s rapidly changing markets, organizations are best positioned when they recognize these insights and act on them as quickly as possible. It makes sense to enhance the enterprise’s discipline and ability to recognize changing market realities and act decisively in revising strategic, business and innovation plans in response to those realities. Competitive advantage is attained when an organization obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options before that knowledge becomes widely known. Organizations committed to continuous improvement and able to embrace breakthrough change are more apt to be early movers.

Following is a summary of the attributes of an early mover:

RECOGNIZE the opportunities and risks, discerning the ones that are most critical
  • Understand critical strategic assumptions
  • Apply contrarian, scenario analysis capabilities to identify scenarios that invalidate the assumptions
  • Conduct competitive intelligence with early alert mechanisms to flag when key scenarios are developing
  • Distill information for decision-making in a timely manner
REACT to warning signs to position the organization early in the game
  • Inculcate a listening and learning culture that is sensitive to changing market realities
  • Foster managerial intuition and ingenuity to embrace new market realities
  • Avoid letting the core business suffocate innovation
  • Manage the bias, short-termism and dysfunction that can create potentially lethal organizational blind spots
REFLECT on experiences to ensure continuous learning
  • Encourage admission of errors and learn from them
  • Internalize and convert lessons learned into process, product, service and business model improvements

The pandemic was an object lesson for early movers. When governments instituted shutdown public health protocols, the risk and imperative to act was clear. As they acted, many leaders made mistakes and adjusted on the fly as they learned. But that period was extraordinary. There was no alternative in what amounted to a “do or die” situation for many companies.

But in normal times, becoming an early mover is not easy. Short-termism and the focus on profits can lead to a fixation on the business model and clinging to the status quo. Why did it take Steve Jobs’s return to shift Apple away from near-bankruptcy when it had only three months of working capital left on its balance sheet? What distinguished Netflix from Blockbuster in deciding to disrupt its own business model? Why was Fujifilm able to begin planning for the shift from film to digital as early as the 1980s and Eastman Kodak wasn’t? The attributes of an early mover provide clues.    

The following question applies to every organization: When the fundamentals of the industry change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or will it be looking at the emerging risk of an outdated strategy? Time advantage is attained when the organization obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options for its leaders before that knowledge becomes widely known. Companies able to function as early movers see change on the horizon as potential market opportunities rather than potential crises.

For example, consider how streaming has turned all phases of the entertainment industry upside-down. With more people choosing to view films and television shows online, the number of people going to movie theaters and the audience share of television networks and cable services are declining. Competing against the wave of consumers deploying streaming services for their entertainment is like fighting gravity.

The takeaway: Is ERM helping the organization position itself as an early mover in these dynamic times of disruptive change? If the answer is “no,” then what value is it contributing?

Key #2: Elevate risk reporting to the digital world

Rapid advances in the business environment necessitate more timely risk information. Generative AI, cloud computing, advanced data analytics and other technologies are creating the opportunity to deliver on that need. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile, flexible and nimble in responding to a changing business environment. For most organizations, today’s risk reporting falls short of that objective.

To impact decision-making, risk reporting must address three questions:

  1. Am I riskier today than yesterday?
  2. Am I going into a riskier time?
  3. What are the underlying causes?

Risk reporting faces multiple challenges. Traditional methods of risk measurement tend to generate information that is difficult to aggregate and interpret across multiple types of risks, lines of business and geographies. Traditional risk reporting lacks transparency into the underlying data, making it difficult to assess the direction and speed of risk, understand the drivers of risk, consider risk in the context of the enterprise’s strategy and enable a robust risk appetite dialogue. Furthermore, the amount of manual effort required to collect data from multiple sources, update metrics and create presentations to deliver what decision makers require is often excessive. “Dynamic” is certainly not the word that comes to mind when describing the risk reporting process at many companies.

To navigate today’s rapidly changing marketplace, companies need a more comprehensive, comprehensible and actionable snapshot of their organizations’ risk profile so that senior executives and board members become more confident that they understand the most critical risks — and can act quickly when key business objectives are not being met and risk levels rise or fall. A more agile and nimble process would enable value-added risk analysis, resulting in more insight for decision-making.

Simply stated, risk reporting is often not actionable enough to support decision-making processes. Until it is designed to answer the above three questions, it won’t. And once it does, it enables the organization to shift away from reliance on lagging retrospective indicators to a process that incorporates a more balanced family of measures, including leading indicators and integration of advanced analytics.

The schematic below illustrates this using an information hierarchy. The bottom three layers of the hierarchy are typical of what is seen for many organizations. Movement up the hierarchy provides transparency into strategic execution risks, augments quarterly strategic reviews to enable timely action to address risks to achievement of strategic goals, identifies signs of stress on the business, triggers early-warning signals of increasing risk exposures or potential market opportunities indicating the need for immediate response and supplements the chief executive’s strategy communications with the board.

[Schematic: early mover enterprise]

The integration of performance management and risk management on matters of strategic importance is where corporate performance management systems often fail. As a result, the organization is unable to monitor the vital signs that help anticipate emerging opportunities and risks. Effectively integrated with performance management, risk reporting is a key to evolving ERM from a “risk listing” process to a “risk informed” decision-making discipline.

The takeaway: The following questions apply to every organization and represent the ultimate measure of strategic resilience: When the company’s fundamentals change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or the need to react to the crisis of an obsolete strategy? ERM should help companies attain time advantage, which is realized when the organization obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options for its leaders before that knowledge becomes widely known in the market. Using forward-looking reporting linked to the strategy, companies are able to function as early movers and view change on the horizon as a potential market opportunity rather than a looming calamity.

Key #3: Maximize the Effectiveness of the Three Lines Model

How can organizations avoid missing out on market opportunities and guard against reputation-damaging breakdowns in risk and compliance management? In 2020, The Institute of Internal Auditors (IIA) issued its updated view of the three lines model. The IIA’s discussion shifts the focus of the model from defense to value to emphasize a fundamental concept: From the boardroom to the customer-facing processes, creating and preserving value is everyone’s responsibility.

It raises the line of sight on the importance of a “governing body” (the board of directors and senior leadership) setting the tone of aligning organizational objectives and activities with the prioritized interests of stakeholders. The point of emphasis here is that the three lines model is much more than business unit management and process owners (whose activities are most directly aligned with the delivery of products and services to customers) comprising the first line, independent risk and compliance functions representing the second line and internal audit the third line.

The tone of the organization — the collective impact of the tone from the top, the mood in the middle and the buzz at the bottom on risk management, compliance and responsible business behavior — lays the foundation for the three lines to function effectively. This is about culture, and the governing body is responsible for establishing a communicative, cooperative and collaborative culture. If the culture is toxic, it doesn’t matter how well the three lines are organized or what their role is.

If one or more of the following conditions exist, the three lines model probably won’t matter:

  • Poor top-down and/or bottom-up communications
  • Aggressively dominant or unethical CEOs
  • Confusing, opaque organizational structures
  • Ambiguous decision rights
  • Flawed compensation structures that incent a warrior culture, reckless risk taking or harm to consumers
  • Business units that are off-limits to the second or third lines
  • Strategic disconnects from business realities
  • Waivers of conflicts of interest policies
  • Significant talent gaps
  • Tolerance of toxic, hazardous workplaces

Tone at the top is vital. Leaders are expected to communicate the organization’s vision, mission, core values and commitment to doing the “right thing.” But what really drives behavior is the message employees see and hear every day from the actions of and communications from managers who have direct influence on their compensation and careers. Aligning the tone at the top with this vital mood in the middle has a significant influence on the organization’s risk culture, which in turn affects the effectiveness of the three lines model.

I like to think of senior management and the board of directors as the final line to whom important matters are escalated. (As far as I can determine, Sean Lyons is the first author to have broadened the focus of the traditional three lines concept in a Conference Board paper dated October 2011.) 

We often think of escalation as a process pertaining to risk matters or issues obtained through hotlines. But in the broader context of the three lines model, escalation to senior management is really about alignment, which makes it more strategic. While the three lines should pay attention to organizational alignment, they may not be equipped to address true misalignment issues themselves. Therefore, when these issues are identified, they should be escalated immediately if they are not susceptible to a quick resolution.

The takeaway: Under the board’s oversight, executive management carries the responsibility of balancing the inevitable tension between the first-line business unit managers and process owners and the second-line management functions by ensuring that neither of them (nor their respective activities) is disproportionately strong relative to the other. Top management acts on information on a timely basis when significant misalignment and other issues are escalated and involves the board in a timely manner when necessary. In this way, the three lines model offers a powerful tool for companies seeking to strike the appropriate balance between creating and protecting enterprise value to avoid irresponsible business behavior that can impair reputation and brand image.

Summary

For most companies, risk management has not fully leveraged the powerful tools that have emerged in the 21st century — increased computing power, digitization, advanced analytics, mobile, visualization techniques and “classic” as well as generative artificial intelligence, among others. Until it does, management can’t get serious about linking ERM to strategy, performance and decision-making. The three keys discussed above are about enhancing the odds of the organization achieving its objectives by enabling it to become more adaptive and agile in the face of an increasingly volatile, complex and uncertain world. They will help management and the board face the future more confidently.



Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.
