Achieving high performance in the current business environment demands an understanding of not only risk and risk management, but also truly integrated risk management and how to realize it. High-performing organizations accept that risk accompanies the pursuit of growth and profitability. They develop, adopt, deploy and integrate risk management methods that enable performance amid the disruption that now characterizes business. Forward-thinking organizations are recognizing the need to achieve truly integrated, performance-driven risk management, as exhibited in the following activities:
Integrating the value proposition and risk culture:
Organizations with a clear value proposition, and a risk culture that supports it, can achieve higher performance than those lacking either. This is the starting point in aligning risk management with strategy. Even when management takes a risk and fails, the organization will weather the event — provided the risk-taking served the value proposition, risk management was aligned with strategy and risks were proactively managed.
Creating true risk management cultures:
In a sound risk management culture, everyone plays a role in risk management. People do not view risk management as an afterthought or believe it’s solely the risk management function’s job. They understand that their decisions and actions hold opportunities as well as risks for the organization, and they conduct themselves accordingly.
Distinguishing between compliance and risk management:
Organizations are increasingly viewing compliance as a cost of doing business and treating compliance risk as part of operational risk — one more risk to be managed. Organizations focused mainly on compliance (and loss prevention) define risk and risk management too narrowly. As a result, they find integrated risk management hard to achieve. Performance-driven risk management recognizes the importance of compliance and compliance risk, but addresses them in the context of operational risks within the larger risk management framework.
Integrating cyber risk into overall risk management:
Cyber risk management capabilities can either boost or limit an organization’s growth and profitability. Organizations with superior cyber risk management can develop or adopt new technologies, partner with emerging companies and pursue new solutions more aggressively. These organizations are increasingly looking beyond traditional IT risk management. They are strengthening cyber risk management by having the chief information security officer or other IT risk manager report to the Cyber Security Officer (CRO). They are strengthening cyber risk governance by including cyber within operational risk, conducting more rigorous cyber threat reviews and having internal audit provide independent assurance to the board regarding cyber risk management.
Bringing risk management into real time:
Companies integrating risk management into real-time operations put the related tools in the hands of those who actually manage risk — those in the first line of defense in the businesses and functions — as well as those who advise on and oversee risk in the second and third lines. The more visibility everyone has into risks before or as they arise, the better they can manage risk while pursuing high performance.
A truly integrated approach to risk management creates a context for adopting innovations ranging from strengthening internal audit to assessing risks in real time and adopting predictive analytics. As a result of true integration, the organization can pursue high performance by reinforcing its value proposition at the strategic level, protecting and delivering value at the operational level, and managing the full range of risks at every level. This approach amounts to performance-driven risk management in that it enables the organization to take risks that are worth taking, avoid those that could be devastating and clearly perceive the difference between the two.
This article is an excerpt from Grant Thornton LLP’s whitepaper titled “Performance-driven risk management: An integrated approach”.