Building a Bridge between Risk Management and Business Objectives
Strategic risk management has long been lauded within businesses both large and small as a key contributor to successfully achieving business objectives. However communication between risk teams and a business can often be lost in translation. Richard Pike, Founder and CEO, Governor Software, argues that in order to link risks to objectives, businesses must transition from a risk register to a network view. This approach not only allows organisation to visualise the interconnectedness of risks but also provides the context associated in a clearly recorded and digestible fashion.
Regardless of industry, there is a significant focus on risk management as a core part of a well-run regulated entity, with risks generally separated into categories that are dealt with depending upon the approaches to their measurement, monitoring and management.
However, the creation of lists of risks (often termed risk registers) has traditionally led to core business functions not taking full responsibility for their risk exposure or the risk function’s work not aligning with the business functions. For example, when the risk function is used for gathering risk information and reporting it to senior stakeholders and regulators, the risk information often becomes divorced from business information – exacerbating the issue.
With regulatory pressure unrelenting, particularly in the financial services industry, there is a clear need for all levels of a business to understand the risks they are running in order to clearly communicate these risks, and their status, to stakeholders including the three lines of defence, regulators, senior management and investors.
In order to mitigate this problem, a number of institutions have taken to linking the business objectives of the firm to its risks. This serves not only to anchor the risks within the business lines but also make them more relevant.
How it works today
The current practice of risk teams providing lists of risks to management for their review has some major faults and recognising these is a precursor to usefully linking risks to business objectives.
Firstly, modern business is complex and interconnected; the higher up the organisation the more interconnected things become, with risks often being combined and having multiple different outcomes. For example, the risk associated with internal fraud can be categorised as a compliance risk and also as an operational risk.
Secondly, and particularly evident in non-financial risks, is the hierarchy and aggregation effect that a simple list does not communicate. Why is a particular risk important to my business? So what? These are regular questions that result from a senior executive reviewing a risk register. While one solution is to add context - setting out how a risk might arise and how it might impact the business - this can quickly result in information overload.
Finally, within a standard risk register, it is often difficult to assign ownership and responsibility. This can result in either no ownership being attributed or defaulting to a second line resource, which could leave an organisation exposed.
From risk register to network
In order to prepare a firm to link risks to objectives, it needs to transition from a risk register to a network. This allows for the interconnectedness and context associated with risks to be recorded and communicated as a network.
The benefit of a network is that it can handle multiple connections between items, at the same time they can be easily separated (into different levels or categories) while retaining their connectivity. Other object types can also be added to the network to incorporate context where necessary (e.g. policies and regulations).
In addition, when risk teams communicate risks within a network environment it stimulates conversations and challenges people to explore the linkages and interdependencies.
Linking risks to business objectives
As useful as a network of risks is, it is not directly related to the business. In order to make risk discussions more relevant it is important to anchor the risk network to key dimensions within the business.
While there are a number of dimensions that a firm could use – from organisation units, processes, legal entities and policies - it is becoming clear that linking to business objectives is the most beneficial, as modern businesses are increasingly organising themselves using this method. Indeed, as the link between strategic objectives and risks is realised at the top of an organisation, it makes sense to continue that process throughout the firm.
As objectives cascade down a company, it is possible for risk teams to sit with individual managers to understand those objectives and glean the risks that most effect the achievement of them. In cases where managers are also utilising Critical Success Factors, it will also be possible to drive out the risks to those.
The second part of the process is to understand and document the control environment in light of the new linkages. This new perspective will better identify key controls and those controls that provide little or no value regarding the achievement of objectives.
Once the set of risks are linked to objectives, it is vital to report progress using Key Risk Indicators against those same objectives. If you consider the accounting world, all managers expect to get a report of accounts on a regular basis, so they can understand their financial performance. The same should be available in the ‘objectives and risks’ world. A clear set of reports from the risk team of the main risks to a set of objectives will help a manager to control those risks and increase their ability to achieve objectives.
As risk teams work with managers to link risks to objectives, it will become clear that risks fall into three separate buckets; internal, transactional and contextual. The reason that these categories emerge is that managers are focused on what they can control or influence in order to achieve their objectives. These categories clearly differentiate risks by the way they may be controlled (or not) and so add real value to the managers involved.
Benefits of linking risks to business objectives
When the exercise is completed across the entire organisation, the result will be a network of risks tied to the relevant objectives.
Each manager will clearly understand the risks inherent to their objectives and be clear on where responsibility for managing those risks lies. They will have explicitly called out the assumptions about their contextual environment that are baked into their objectives and the firm will have a better understanding of all those externalities that are implicit in their entire business plan.
Within this environment, it is possible for risk teams to present reports on items such as loss events and control test results in the context of those risks and objectives, making them very relevant to business managers and senior managers alike.
In turn, individual teams within the company will better understand how they inter-relate and this should result in improved communications throughout the firm.
Regulatory and board pressures along with emerging business standards mean now is the opportune time to embed a risk network within the business objectives of a firm. The long-term aim of which should be that risk reporting and management becomes a normal practice throughout the firm akin to financial management and reporting.
Indeed, the exercise of understanding the risks that relate to a team’s objectives has extra benefits over and above providing context for risk reporting. It greatly enhances a manager’s understanding of their relationships to internal and external parties and will make it more likely that they will achieve their objectives; which is good for the manager, team and overall firm.
Ultimately, the more relevant risk teams can make their work, the more likely they are to both enhance the risk management activities across a firm and achieve their own objectives.