Communication plays a vital role in enabling organizations to integrate the concept of risk management into day-to-day operations. Your risk program communication isn’t just a way to manage your reputation and image with third parties, media, and regulators. Being able to effectively communicate risk within the four walls of an organization is a crucial tool for creating a more risk-aware organization in order to optimize your business while managing risk.
Communicating risk effectively is a continuous process requiring all parties to articulate not just the sources of risk, but the bottom-line consequences. All involved must be made aware of potential risks, and the lines of communication must always be left open. It isn’t enough anymore to treat risk communication as a simple tick-the-box exercise that only demonstrates process compliance without connecting to the real-world consequences of the risks being communicated.
Being able to place hard and fast numbers on the consequences of types of risk allows for real-world effects to be communicated in a universal language. This can increase operational resilience by helping to align responses to threats with the goals of the organization. Increasing operational resilience with risk communication is only one part of a mature integrated risk management strategy, which we outline in our whitepaper, “The State of Integrated Risk Management.”
Communicating Risk across Departments
Effective communication of operational risk should put specific eventualities in the context of the disruption that could occur. For many organizations, translating risk between departments can be a serious challenge. Traditional tools like qualitative risk analysis try to use subjective terms or visual heat maps to communicate the severity of various eventualities, but this can fall flat when two different domains are being compared.
An organization’s reduced ability to operate might mean lost uptime, lower profits, or other negative outcomes. This needs to be quantified and communicated to the personnel that are in a position to mitigate risk. Furthermore, when the likelihood and impact of risk are quantified, it becomes possible to communicate and aggregate the impact of risks to stakeholders without hitting interdepartmental language barriers.
How Risk Quantification Helps Risk Communication
Risk management is the core ingredient in mitigating any potential threats to the success of an organization. Threats should ideally be identified and dealt with before their effects can be felt in your project. Risk assessment involves the measurement and analysis of risk to provide concrete information for risk control programs.
The process of quantitative risk assessment involves four fundamental steps:
1. Identify the risk and establish an applicable mathematical model.
2. Collect the basic and necessary information or data available via historical records, extrapolation, expert surveys, and so on.
3. Select suitable analytical methods and models to evaluate the data, and modify the models to fit specific circumstances.
4. Define the scale and likelihood of risk.
The process of identifying risk has traditionally been either a top-down exercise or the domain of risk management departments or consultants. New digital tools have made it possible to have front-line personnel communicate emergent risk in real-time. Instead of risk communication tools being an output-only means of relaying directives to the front lines, organizations utilizing integrated risk management software can gather information from stakeholders about conditions on the ground.
The ability to monitor conditions with real-time reporting from personnel closest to the risks couldn’t come at a better time. Today's challenges require managing a cultural shift from reactively checking the boxes for compliance to a proactive risk management model that necessitates participation across the organization. Instead of front-line workers only identifying risks during an audit or during an emergency, integrated risk management platforms allow for constant communication through every level of an operation. A study by PwC (1) found organizations that shift risk management responsibilities to the front line were more likely to show profit and revenue growth over the next two years and were able to recover from adverse events more quickly.
Communication, Compliance, and Management
Organizations that have established programs in individual domains should be working to expand their risk focus and improve visibility, analysis, and metrics. Finding common processes or data to share is a great first step to bring together risk management functions and achieve risk maturity. The overwhelming majority of organizations that have begun to use the Archer platform for operational risk management extend their engagement with our tools into compliance management. In fact, 91% of our customers who license operational risk management use cases also license compliance use cases, substantiating the close connection between risk and compliance processes.
With a well-established and integrated communication program, stakeholders should understand that they are not just passive participants in an organization's operations. Compliance and risk management are everyone’s responsibility. We recommend organizations establish formal processes for stakeholders to understand and manage changes that may affect the organization’s compliance, including how new and changing activities may impact the organization’s obligation.
We also recommend organizations implement controls based on issues or gaps identified via the compliance process to reduce risks and prevent compliance issues from happening again. New technologies can provide a tight connection between issues being identified on the ground and organizational responsiveness.
A technology-enabled approach to building operational resilience across the organization will transform the efficiency of your incident, crisis, and recovery teams. By knowing the most critical areas of the business and effectively handling day-to-day incidents, you can respond swiftly in crisis situations to protect your ongoing operations. The last year has shown just how rapid changes in operational risk and regulatory compliance can be.
Fitting Risk Communication into an Overall Integrated Risk Management Strategy
Without the ability to effectively and efficiently address increasing risk, organizations struggle to respond to business risks and miss opportunities to capitalize for growth or to meet other strategic objectives. That’s why organizations need to focus on achieving operational resilience through integrated risk management. Benefit from our 20+ years of industry leadership knowledge. Get our whitepaper, “The State of Integrated Risk Management” today to discover how your organization can break down communication siloes to better mitigate and thrive through disruptions and an evolving risk landscape.
(1) PwC. 2020. PwC 2020 Global Risk Study. [online] Available at: <https://www.pwc.com/us/en/services/consulting/risk-regulatory/library/2020-global-risk-study.html/> [Accessed April 12 2021].