Too often, risk managers are so focused on compliance-based mitigation and regulatory requirements that they fail to see the bigger picture. This preventive risk management approach doesn’t add strategic value, and risks that are worth taking to grow the company can often end up being overlooked.
Recently, I sat down virtually with Norman Marks, renowned author, speaker, thought leader, OCEG Fellow, and Honorary Fellow of the Institute of Risk Management, to discuss how to strike the right balance: keeping regulators happy while incorporating a proactive approach to risk management that uncovers opportunities and achieves strategic objectives.
For those who missed the live session, here’s a quick snapshot of the highlights and key takeaways.
A Balanced Approach to Risk Management
When asked ‘what does a balanced risk management approach look like to you?’, Norman shared:
A balanced risk management approach doesn’t necessarily mean an equal one. It just means that you’re addressing the requirement to satisfy regulators – that the people leading the organisation are not being reckless and taking unnecessary risks in the pursuit of earnings per share and share price growth. Whereas management is more concerned with leading the organisation to success and recognising that certain risk needs to be taken to be successful. In a nutshell, it’s about recognising these two sides, rather than seeking a specific balance.
This insight really highlights the importance of having a purpose behind the risk data and metrics you are accumulating. Be sure you are only collecting data that can add real value to your organisation, whether that means protecting the business from a regulatory perspective or looking at business outcomes to support strategic decision making and explore opportunities; either way, make sure the data is purposeful. Ensure you have the facility to easily slice and dice the information using reports and dashboards to get the insights you need.
Are Risk Frameworks Beneficial?
I questioned Norman on the various risk frameworks and risk taxonomies that are out there, as many of our clients are using them as guiding principles to establish a risk framework within their organisation. I was keen to know what advice Norman would give to companies that are probably lower on the maturity scale but need to embrace some type of framework to start to get a handle on risk. Norman shared:
Firms need to be able to take the right risks for success and make informed decisions in the process. Rather than picking a particular framework, whether the COSO Framework or ISO 31000, it’s a matter of understanding what the organisation needs: the information they need to make intelligent decisions, bringing the right people into the process to achieve success, and more importantly recognising that they have to take a risk to succeed. At the same time, we have to balance that against the need for regulators to work within the risk appetite concept.
Sometimes it is necessary to take the greatest and highest level of risk because it’s the right thing to do. When we have to talk within a regulated organisation, we have to be able to demonstrate that we’re doing that intelligently. Regulators recognise that there are times we have to exceed a risk appetite. For me, this is the part of balancing – meeting the regulatory requirements but at the same time doing what is necessary to run the business.
Of course, popular frameworks like COSO and ISO 31000 add structure to a business’s risk approach, but organisations still need to consider their own bespoke needs and define key risk indicators when establishing their stance on risk. The framework alone does not necessarily cover all bases for complex organisations. But for businesses looking to improve their risk posture, implementing software like Camms, which supports businesses in setting up best practice processes aligned to popular risk management frameworks, will put them in a great position to continue to build and futureproof their risk management function.
Where Does Policy Management Fit In?
I asked Norman where ‘policy management’ fits into a balanced approach to risks, objectives, and regulations, and how he sees this evolving in the future. He shared:
It’s about helping people understand what they need to do when it comes to making decisions. Essentially, it’s a matter of being able to guide the people making the decisions in the trenches as to what is necessary. And there are a lot of different ways to do that. Sometimes it’s policy, sometimes it’s risk appetite, or tolerances that people can develop through experience. Perhaps they’re able to write policies that will guide individual credit managers. At the same time, that credit manager needs to know when it’s appropriate to escalate or elevate that decision to more senior management, because of the opportunity that presents itself.
Risk managers need to understand their job is not to police the organisation; it is to make sure they comply with policy and to help the business make the right decision to succeed.
These insights really demonstrate that being able to use risk management data to weigh up business decisions is a key factor when setting up a risk framework. It highlights the importance of linking regulatory changes to risk registers and internal policies. The businesses that are doing this well utilise software to link regulatory changes to their policies and procedures using automated workflows and alerts. This clarifies accountability for any changes and tracks when they were implemented and how; this time-stamped audit trail provides assurance and keeps regulators happy. Businesses can advance this even further by automatically adding any risks of noncompliance to their risk register via software APIs.
Dispersed Systems and Silos
I quizzed Norman about how to tackle dispersed systems and various departments running their risks in silos, and the lack of enterprise oversight that brings. He shared his thoughts on the best way to overcome this problem:
We talk a lot about how GRC is all about breaking down a lot of these silos. And that functions like risk management or activities like compliance can be fragmented. Silos are some of the key problems with GRC. However, there is value in some specialised activities because there are some special needs there. Whether it’s Treasury or Credit, Foreign Currency activities or Commodity Trading – there are some special skills and tools that need to be developed. At the same time, we need to be able to understand how they all fit together. There are two ways of doing this. The top-down, which is my preference, is to say – ‘What do I need to be successful?’ What are the things that need to go right and what are the things that could go wrong that I need to address? What am I relying upon to be successful and what are those risks? Then you are able to manage from the top-down what is critical to success; that way you are going out and finding those activities in silos and bringing them back into the fold for discussion.
The bottom-up method is where you’re identifying things that are happening at lower levels of the organisation, looking at how they affect other areas of the organisation, and bringing them up for discussion. I think there is value in silos, especially in special operations, but you’ve got to see the big picture if you want to make the right business decision overall.
It is certainly true that businesses should look to specialised tools to manage certain niche activities, but this really highlights the importance of having the facility to link systems via API integrations and centralise data, so you can view relevant information from specialised systems alongside other risk and compliance data while still using the specialised tool for its intended purpose.
Internal Control
I asked Norman to share his thoughts on building a structured control framework to facilitate ongoing risk management and how that has worked for him. He added:
For me, controls are part of your risk response. This is what you do to make sure that risks are within acceptable levels, and also that you are seizing the opportunities that you recognise. So, controls, to me, are what you do. They can be automated or manual. What matters is, it’s what you do to make sure that things happen how you want them to happen.
Norman’s response really shows that controls are not just there to stop bad things happening; they can also be used to indicate good things, like opportunities and growth, and they can even be used to enable you to track your journey towards a goal or objective.
The ‘Three Lines’ Model
I asked Norman about the three lines of defence model, or the ‘three lines model’ as it is currently known, and how that plays into all this from a mindset perspective. Norman added:
What is confusing is that the regulators want to see an independent risk management function with oversight – an almost policing of management. In my view, risk management should be there to help management succeed. I think the key is to understand the relationship between the different functions, and what they need to do independently and together to help the organisation be successful. This (3 lines) model is useful for internal auditors who are trying to explain their relationship with these other functions. But in terms of a model, or governance framework, the 3 lines is not a governance framework.
A governance framework needs to do two things in particular. One of them is to make sure we are, in fact, as an organisation, complying with the regulator’s requirements and applicable laws – and societal expectations and community expectations; you’ve got to bring the ESG side into it. And the other side of it is they’ve got to make sure that the people making decisions in management have the information they need to make informed and intelligent ones. They’ve got to be there to bring people together for facilitating discussions, make sure people are sharing information, and then use their tools. Because risk officers have great sophisticated tools like Monte Carlo simulation and they can help with scenario analysis, to help with that decision making, getting involved to drive those decisions forward.
This feedback from Norman really shows that the risk management function can be elevated from simply managing and mitigating risk, to providing valuable insights to the business to explore business outcomes and support strategic decision making. This turns risk management into a much more strategic and worthwhile function.
Proactive vs Reactive
I spoke with Norman about being ‘proactive’ versus ‘reactive’ when it comes to risk, and I asked him to share his thoughts:
Risk management means essentially looking forward the whole time. It’s about anticipating what might happen to affect the business both negatively and positively. This means understanding where you are – forgetting about where you’ve been, to a large extent – and simply focusing on what lies on the road ahead. Through which you can then anticipate and project the likelihood of achieving each of your business objectives. The best thought leaders always talk about how you need to think for the long term, not just this quarter or this year, but longer. Risk managers, risk practitioners, and executives all need to be on the same page, thinking about anticipating and achieving their objectives and then making quality decisions with that information.
Risk management really is as much about predicting the future as it is about mitigating risk. To look into the future and make predictions, you need data to analyse past events and understand your current position. That is where risk management software really comes into its own. It houses a whole host of information that can be sliced and diced to anticipate business outcomes and explore scenarios.
What Does Success Look Like?
When I asked Norman ‘what does success look like in terms of risk management?’ he replied:
It’s when each of the executives can say, ‘I have the information and the confidence that I need to make informed and intelligent decisions, to take the right risks for success’. It is even more effective when people are thinking about anticipating what might happen, getting all the information, consulting the right people, and making these quality decisions by themselves without a risk manager present to make sure it happens.
This vision shows just how powerful risk management can be when it is done well. Executives should be armed with the data and metrics they need to make decisions at the click of a button. Risk data should be used as business intelligence to drive decision making, as well as to prevent risk.
Tooling & Systems
We know that the right tooling can bring huge benefits for a risk management programme. So I asked Norman what a well-balanced risk management programme looks like with regard to the tooling and systems that support the risk management function. He shared:
For the challenges that you have, as an organisation, it’s vital to understand your needs before you go out and look for something. Unfortunately, a lot of companies don’t do this. They amass a bundle of functionalities, which may or may not match their needs. I think every organisation needs to clearly define its needs while anticipating how those might change over time and invest for the long term and not just for the short term.
It is certainly true to say that choosing a risk management tool that enables your risk management programme to grow and mature is essential. You should also look for flexible configuration so you can make edits and updates without professional services fees and coding. You should also consider any frameworks you are following and think about the outputs you want to achieve when setting out the initial concept.
At Camms, we believe in starting small while always thinking big, and we certainly echo Norman Marks’s sentiments of building for the future to succeed over time. Reach out to us to learn how our award-winning GRC platform can help your business strike the right balance between keeping regulators satisfied and adding strategic value in 2022.
Catch up on the entire interview here.