As the Greek philosopher Heraclitus once said: “Change is the only constant in life.” Fast-forward over 2,500 years and this still rings true for businesses, which must do all they can to mitigate unwanted risk, remain agile and pivot plans at a moment’s notice. According to Benjamin Franklin, “Time is Money” – something that continues to play out in the volatile world of risk management. The more time you lose making decisions, implementing mitigating actions and regulatory changes, or performing laborious administrative tasks, the more your business is exposed to risk.
In the league table of the most damaging risks to a business, operational risk vies for top spot – competing with other common risk areas like financial risk, reputational risk, strategic risk, and regulatory risk. Understanding the impact and likelihood of these risks must not be relegated to the bottom of the corporate agenda – because if left unaccounted for, risk can pose a significant threat to the long-term sustainability of a business. Therefore, risk management programmes must be underpinned by an agile approach to remain effective.
So, what type of risks should businesses consider? According to the Basel Committee on Banking Supervision, operational risk is “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”
Businesses must, therefore, be proactive and agile in their approach to operational risk – to prevent it from disrupting the flow of their operations – rather than crossing their fingers and hoping it goes away. Businesses that wait until they are in the red and have reached an intolerable level of risk engender a reactive approach to operational risk management that perpetuates a vicious cycle of risk reoccurrence. Meanwhile, businesses that set proactive key risk indicators (KRIs) that warn them when they are nearing their level of ‘intolerable risk’ have the ability to act fast and make the appropriate changes to minimise the impact of any risks that come to fruition. Organisations must also consider broader strategic risks, compliance risk, cyber & IT risk, financial risk, and reputational risk to ensure an all-encompassing approach.
To achieve a proactive agile approach, organisations need both visibility into possible risks that could affect their business and the ability to make changes quickly to minimise impact.
Getting visibility of risk
To get the risk oversight they need, businesses must build a comprehensive risk register as a first step. This should act as a library of all the key risks and associated opportunities that could have an impact on the business and should include strategic risk, reputational risk, and financial risk, alongside more traditional operational risks. These risks should then link to real-life transactional and operational data – enabling businesses to monitor their likelihood and impact. Organisations should set Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), and define risk tolerances to help them know when they are nearing their limit – enabling action to be taken.
Proactive businesses automate risk monitoring and alerts by embracing highly configurable GRC technology. The benefits promote an agile approach to risk management and enable organisations to:
- Implement strict data governance rules using standardised fields with dropdowns, ensuring staff enter data accurately and on time.
- Link risk to live transactional business data – building a single source of truth and providing risk insight based on real business data.
- Set controls to flag areas of concern, including missed deadlines, anomalies in data, budget overspending, too many incidents, or when KRIs reach intolerable levels.
- Set automatic risk notifications to be sent to the relevant business owner enabling action to be taken quickly.
- Monitor risk cumulatively over a period of time and consider the business’s tolerance during that timeframe – enhancing risk oversight.
- Get a holistic view of your overall risk profile using dashboards and reports.
The agility to act fast and respond to risk
With all this information at their fingertips, businesses will be well equipped to anticipate risk and understand the potential impact, enabling them to build contingency plans. But armed with this arsenal of information, businesses must also possess the agility to act fast. This could mean rolling out a new policy or process, reducing spending, or could even involve large strategic decisions like buying a competitor or new premises. Many of the changes that a business needs to make to mitigate risk will affect other core business processes and functions. Organisations may want to amend their strategy or introduce a new policy or procedure to reduce the impact of a risk. Additionally, some risks that could not be mitigated might turn into full-blown incidents. Therefore, for ultimate agility, businesses should look to integrate their risk management processes with strategy planning tools, policy management and incident reporting processes.
Businesses that are willing to leverage innovative GRC and strategy planning tools – and harness their benefits – will gain a competitive advantage over organisations in their sector that deploy manual, siloed strategy planning and GRC processes. Organisations that adapt and adjust to operational change successfully will not only have the foresight to mitigate unwanted risk quickly, but they will also be well positioned to take advantage of any opportunities that arise from risk.
Organisations must embed an agile approach to strategy planning that allows them to pivot their operational and strategic plans according to the risks and opportunities that present themselves. This requires business leaders to make critical decisions in tight timeframes that exploit opportunities while ensuring the business isn’t exposed to an intolerable level of risk.
This ability to react expeditiously is best facilitated by a software tool that has the power to map possible outcomes and weigh up the pros and cons – critical information that will facilitate informed decision-making. Each ‘risk outcome’ could impact both the overall strategy and daily operations, meaning the business must integrate these key business functions to remain agile enough to pivot rapidly and execute change.
Having strategy planning software that integrates with your GRC process adds a layer of agility for a business. These solutions enable organisations to break down strategic goals and objectives into a series of programmes, projects, tasks, and actions, and allocate them out across the business, enabling owners to complete actions and tasks within the system. This ensures the entire organisation is accountable for achieving the strategic goals created by the board and senior executives and makes it easy for leaders to roll out any changes.
Each project, task and action is allocated ownership with timelines, dates, and key actions, with associated risks added to the risk register. This structure allows change to be easily implemented and rolled out to the relevant teams, whatever stage of the strategy it occurs at. The software streamlines this process by facilitating effective channels of communication from the top-down and bottom-up that foster a collaborative approach with complete transparency for stakeholders.
By aligning the risk management process with strategy planning in a centralised software platform, collaboration and integration become second nature. Business leaders gain invaluable insights via built-in dashboards and automated reports, providing the agility needed to make decisions and action change expeditiously. Communication and information sharing across teams drives informed agility and consigns siloed approaches to the past.
Why An Agile Integrated Approach to Risk Matters
Operational risk typically results from inadequate or failed internal processes, people, and systems, and strategic risk is often driven by external factors. Business leaders that recognise this broad spectrum of risk are well-placed to do something about it. To become agile from a risk perspective, organisations must eradicate laborious and time-consuming manual processes and consider both internal and external risks and their subsequent impact on different departments and teams.
To achieve this, businesses should embrace GRC solutions that offer automated reporting and live dashboards for a holistic, real-time view of risk at any time, for anyone. These solutions have the potential to reduce data entry times and eliminate different data sets to guarantee accurate information that drives informed decision-making, allowing the business to remain agile in the face of adversity – whichever risks it might face.
For more information about how the Camms solution can help you achieve an agile approach to risk management that integrates with core business processes, request a demo.