The Power Of A Business-Integrated Risk Management Approach

In today's dynamic digital landscape, organizations confront a myriad of challenges: interconnected supply chains, globalization, rapid technological advancement, and emerging risks such as cyber threats, ESG mandates, geopolitical instability, and global pandemics. The landscape is evolving at an unprecedented pace.

Regulatory requirements have surged as well: over the last 60 years, the U.S. population increased by 98 percent, while the federal regulatory code grew by a staggering 850 percent.

Organizations must navigate these challenges while also managing their own internal complexities: diverse business lines, large administrative bureaucracies, complex and fragile IT infrastructure, massive data environments, extensive vendor relationships, and evolving customer needs.

To thrive in this environment, organizations need a formalized approach to risk management so that they can proactively identify, assess, and mitigate potential risks. That approach must support resilience, regulatory compliance, and strategic decision-making in an increasingly complex and interconnected landscape. Several regulatory bodies have shaped corporate governance in this direction; the U.S. Securities and Exchange Commission (SEC), for example, requires publicly traded companies to disclose how their boards oversee risk. These external mandates emphasize the need for a holistic view of risk to inform strategic and tactical decisions, and they have prompted many organizations to develop a formal Enterprise Risk Management (ERM) program.

Unfortunately, even with these programs in place there have been high-profile failures, including the 2008 financial crisis, the Boeing 737 crashes, the Fukushima nuclear disaster, the Enron accounting scandal, and the BP Deepwater Horizon oil spill.

In August 2020, Citibank intended to make an interest payment to lenders on behalf of Revlon, a company for which Citibank served as the loan agent. Because of a combination of human error and a lack of adequate safeguards in the payment system, it instead transferred the full principal amount of the loans, roughly $900 million, to the lenders. A legal dispute arose when Citibank asked the lenders to return the money and several refused. Adding to the ordeal, the error resulted in a $400 million fine and a Consent Order from the Office of the Comptroller of the Currency (OCC) requiring Citibank to address deficiencies in its risk management practices.

While ERM has matured considerably over its roughly 20 years of existence, several challenges still create blind spots that can grow into issues, or into catastrophes such as those cited above.

Data quality is among the most pressing of these challenges: some 84 percent of CEOs expressed concern over the quality of the data on which they base their decisions. Given the multitude of risks and stakeholders, organizations must maintain an accurate repository for risk management and reporting.

Many organizations manage this information in a GRC (governance, risk, and compliance) platform. GRC encompasses the systems, processes, and practices that enable an organization to achieve its business objectives while effectively managing risk and complying with applicable laws, regulations, and internal policies. These platforms handle diverse risk types, including financial, operational, compliance, and operational resilience risk, along with their corresponding controls. Because risk stakeholders are so varied, the platform must offer multiple views of the data that connect risks to resources such as people, technology, data, and third-party vendors. It must serve both the detailed view that functional teams need and the broad view that senior-level stakeholders need, from the entire forest down to individual leaves.

To deploy such a platform effectively, risk and control data must be placed in a consistent business context. Many platforms anchor data to "core processes" or to standard reference models for this purpose, but that often leads to data quality problems. In one survey, 74 percent of respondents found maintaining reliable data for nonfinancial risk challenging. A major factor is that organizations are more complex than core processes or reference models can represent, and any process an organization performs can pose an unacceptable risk. When risk data is not aligned to the actual process, different stakeholders interpret the same record differently, producing inconsistent or inaccurate risk data.

Another challenge lies in the operating model, which requires coordination across diverse stakeholder groups. Many organizations have adopted the Three Lines of Defense model: the first line is the business units that own and manage risk, the second line is the risk and compliance functions that oversee risk from an aggregate perspective, and the third line is the independent internal audit function. The model brings its own challenges, however. One survey reported that 50 percent of respondents had difficulty defining roles and responsibilities between the first line and the second line. The root cause is a lack of precision in defining business context, ownership, and accountability.

To tackle these challenges, the "what" the business does must be integrated more tightly into the ERM program. This means creating and maintaining a comprehensive inventory of processes in a Process Inventory taxonomy, with ownership defined at every point in the chain. Integrating this taxonomy into the GRC data model gives every risk and control a precise business context. That addresses many of the challenges in risk data and in the risk operating model and leads to more comprehensive risk assessments, which in turn are critical for giving executive decision-makers an accurate view of the risk landscape.
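As an added illustration (not code from the article, and not any GRC vendor's or Process Inventory Advisors' schema), the Python below sketches what "integrating the taxonomy into the GRC data model" looks like in practice: a process taxonomy in which ownership is inherited down the chain, risks and controls anchored to process nodes, a roll-up view from any node down to its leaves, and a data-quality check that surfaces the gaps the article describes (risks with no business context, processes with no accountable owner). All process ids, owners, and risks are constructed sample data.

```python
"""Minimal process-inventory data model with ownership inheritance,
risk anchoring, roll-up views and data-quality checks.
Illustrative only; all ids, names and risks are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Process:
    pid: str                       # hierarchical id, e.g. "PAY.AGENCY.INT"
    name: str
    owner: Optional[str] = None    # first-line owner; None means inherit from parent
    parent: Optional[str] = None   # pid of the parent node, None at the root


@dataclass
class Risk:
    rid: str
    title: str
    process: Optional[str]         # pid the risk is anchored to; None = no business context
    rating: str                    # "high" | "medium" | "low"
    controls: List[str] = field(default_factory=list)


class ProcessInventory:
    def __init__(self) -> None:
        self.processes: Dict[str, Process] = {}
        self.risks: Dict[str, Risk] = {}

    def add_process(self, p: Process) -> None:
        self.processes[p.pid] = p

    def add_risk(self, r: Risk) -> None:
        self.risks[r.rid] = r

    def effective_owner(self, pid: str) -> Optional[str]:
        """Walk up the chain until a node with an explicit owner is found."""
        node = self.processes.get(pid)
        while node is not None:
            if node.owner:
                return node.owner
            node = self.processes.get(node.parent) if node.parent else None
        return None

    def descendants(self, pid: str) -> List[str]:
        """The node itself plus every node below it (the 'forest to leaves' view)."""
        found, frontier = [pid], [pid]
        while frontier:
            cur = frontier.pop()
            kids = [p.pid for p in self.processes.values() if p.parent == cur]
            found.extend(kids)
            frontier.extend(kids)
        return found

    def rollup(self, pid: str) -> Dict[str, int]:
        """Count anchored risks by rating across a subtree, for senior-level views."""
        subtree = set(self.descendants(pid))
        counts = {"high": 0, "medium": 0, "low": 0}
        for r in self.risks.values():
            if r.process in subtree:
                counts[r.rating] += 1
        return counts

    def data_quality_issues(self) -> List[str]:
        """Flag records that lack business context, ownership, or a control."""
        issues: List[str] = []
        for r in self.risks.values():
            if r.process is None:
                issues.append(f"{r.rid}: not anchored to any process")
            elif r.process not in self.processes:
                issues.append(f"{r.rid}: anchored to unknown process {r.process}")
            elif self.effective_owner(r.process) is None:
                issues.append(f"{r.rid}: process {r.process} has no accountable owner")
            if r.rating == "high" and not r.controls:
                issues.append(f"{r.rid}: high-rated risk with no control")
        for p in self.processes.values():
            if p.parent and p.parent not in self.processes:
                issues.append(f"{p.pid}: parent {p.parent} missing from taxonomy")
        return issues


def build_sample_inventory() -> ProcessInventory:
    """Constructed sample taxonomy; loosely modelled on a loan-agency payment flow."""
    inv = ProcessInventory()
    inv.add_process(Process("PAY", "Payments", owner="Head of Payments"))
    inv.add_process(Process("PAY.AGENCY", "Loan agency payments", parent="PAY"))
    inv.add_process(Process("PAY.AGENCY.INT", "Interest disbursement",
                            owner="Agency Ops Lead", parent="PAY.AGENCY"))
    inv.add_process(Process("TRD", "Trading"))                 # no owner anywhere
    inv.add_process(Process("TRD.SETTLE", "Settlement", parent="TRD"))
    inv.add_risk(Risk("R1", "Principal released instead of interest",
                      "PAY.AGENCY.INT", "high", ["C-maker-checker"]))
    inv.add_risk(Risk("R2", "Payment to wrong counterparty", "PAY.AGENCY", "high"))
    inv.add_risk(Risk("R3", "Settlement fails", "TRD.SETTLE", "medium", ["C-recon"]))
    inv.add_risk(Risk("R4", "Vendor outage", None, "low"))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("Owner of PAY.AGENCY:", inv.effective_owner("PAY.AGENCY"))
    print("Roll-up for PAY:", inv.rollup("PAY"))
    for issue in inv.data_quality_issues():
        print("ISSUE:", issue)
```

The check reports the three kinds of gaps the article attributes to weak business context: R4 has no process at all, R3 sits under a branch where nobody is accountable, and R2 is a high-rated risk with no control. Ownership inheritance is what lets the second line ask "who owns this?" at any level without every node carrying its own name.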

An effective ERM program must therefore be paired with a strong process capability, through a Process Center of Excellence (COE) that is accountable for creating and maintaining this comprehensive information repository.

Such a capability requires organizational investment and commitment. Yet organizations that embrace this business-integrated approach can navigate the digital age with confidence, safeguarding themselves, their customers, and the markets they serve.


Michael Schank

Michael Schank is Founder and Managing Director at Process Inventory Advisors LLC. He has over 25 years of experience as a management consultant in the financial services industry, advising clients on technology, process, risk, and large-scale business and digital transformations. His new book, Digital Transformation Success: Achieving Alignment and Delivering Results with the Process Inventory Framework (Apress, Dec. 24, 2023), shares how to drive a new level of operating efficiency and agility necessary to thrive in this digital era. Learn more at processinventory.com.
