How to Achieve Integrated Risk Management Maturity
As new technologies are rapidly adopted, new opportunities open. At the same time technology also carries the burden of potential negative events. In addition, evolving regulatory environments add new compliance requirements, making the task of managing and mitigating risk ever-expanding.
We wanted to know how the organizations are contending with digital risk management maturation, so we analyzed how our customers are dealing with evolving risks. We observed the majority felt that their organizations were able to manage at least some of their new, existing, and developing digital risks – in large part because of their path towards an integrated risk management strategy. This is a promising start and shows that even when facing unprecedented challenges, the road to maturing an integrated risk management program leads to not only reduced risk but more agile and informed business decisions
Reaching a high level of maturity with integrated risk management can benefit an organization greatly. Managing a greater variety of risks across domains, and smaller categories of risk within domains are part of a maturing integrated risk management strategy. Maturity also means finding better ways for a risk management program’s findings to be communicated within a department or organization. Discover if your organization is making the right moves to mature your risk management program to guard against expanding risk by reading our report “The State of Integrated Risk Management.”
Creating a Culture of Integrated Risk Management
A risk management department doesn’t absolve stakeholders from managing the risk in their domains. In the same way that compliance is the responsibility of every person in an organization, integrated risk management strategies place risk reporting and mitigation in everyone’s hands. Today's challenges require managing a cultural shift from reactively checking boxes in a risk assessment program to a proactive risk management model that necessitates participation across the organization.
Integrated risk management is a journey - not a destination. Even organizations with well-structured programs must continually monitor and evolve their program to ensure risk management is connected to business goals with cross-functional processes. Risk management processes and procedures that become fixed and no longer connect with the conditions on the ground can create more issues than they solve.
When engaging front-line stakeholders, it is crucially important to ensure that when personnel report on evolving risks, that information is at the very least acknowledged and, ideally, acted on by the organization. In years past this would require taking time to fill out paperwork, something that might not always be practical if the front line is a warehouse or industrial site.
The ubiquity of smartphones and wireless networks has created a powerful and rapid method to tighten the loop on reporting, monitoring, and communicating sources of risk. We developed Archer Engage to offer a straightforward risk analysis and treatment platform that allows any stakeholder with a smartphone to report and collect risk data in real-time.
The process of engagement can extend to third parties as well. An understanding of the relationships you have with third parties to mitigate risk is key to managing risk and operational resiliency. Engaging a third party to report conditions in real-time helps make the priorities of an organization clear.
How Risk Management Matures
When an organization begins to develop an integrated risk management program, it is useful to focus on quick wins within the context of a broader strategy. This helps to establish that an integrated risk management program is effective and can deliver on the organization’s strategic goals.
Risk is changing so dramatically across so many areas that siloed and manual processes make it difficult to get complete information to stakeholders quickly. Even the most successful point solutions will only magnify this challenge, with information stored in different locations and used in different ways by each department. As an integrated risk management approach matures, risk from multiple domains can be managed centrally, in a coordinated and consistent way. In fact, almost 80% of our customers manage multiple domains of risk on Archer.
Expanding an integrated risk management program across and within domains doesn’t just mean taking the same cookie-cutter solution and thoughtlessly applying it. The process of expansion should be sensitive to what is novel about the different domains being managed. There is no guarantee that, for example, the threat of a cyberattack will map directly onto a compliance issue, so procedures to mitigate or manage one may not make sense for the other. However, even when the details differ, the platform on which those procedures are developed and deployed should offer a common interface for managing both.
It is important to keep in mind that a mature integrated risk management approach will evolve over time. Steps that are taken to increase maturity will not deliver a final product, destination, or steady-state of risk management. Stakeholders in an organization need to understand that integrated risk management means constant vigilance for existing and novel risks to increase operational resilience.
Mature integrated risk management is woven into everything an organization does. Think of how ubiquitous the use of digital technology is in a modern organization and you can start to get an idea of how deeply integrated mature risk management should be.
Expanding and Extending Risk Management Strategies
With a mature risk management strategy, risk is not a ‘black box’ but a key input into making decisions to exploit business opportunity. If your organization can successfully manage disruptions that sideline other players in the field, those disruptions become a chance to grow. Effective risk management is more than avoiding major failures and business disruptions. Creating a culture of risk awareness can protect your organization and enhance its value.
An organization with a mature integrated risk management process that can maintain operations during a crisis is able to take advantage of the new opportunities the changing landscape offers. For example, Home Depot proactively distributes plywood, generators, and equipment to clear fallen trees to stores where hurricanes are expected to make landfall. While other hardware and lumber stores may struggle to meet demand or even stay open, Home Depot is the go-to business for people preparing for or recovering from a disaster (1).
The individual components of mature integrated risk management are themselves beneficial to an organization. For example, organizations that engage front-line stakeholders in the risk management process were more likely to experience revenue growth and were faster to recover from disruptions (2). Make your organization more competitive and resilient by downloading our report, “The State of Integrated Risk Management,” which will teach you how the journey toward mature integrated risk management actually provides tangible benefits and better business outcomes.
(1) https://fortune.com/2017/08/31/home-depot-hurricane-harvey-damage-impact/ (2) PricewaterhouseCoopers. Risk in Review: Managing Risk from the Front Line Correlates to Higher Revenue and Profit Growth, Says PwC. 2017. https://www.pwc.com/us/en/press-releases/2017/risk-in-review-managing-risk-from-the-front-line.html