As risk leaders begin to shift their focus away from risk registers and other examples of bottom-up risk management, they're placing an increased emphasis on top-down risk management. Many of these practitioners face the challenge of remarketing or repositioning the role of the risk function. Their aim? To demonstrate Risk's value and better embed risk management across the business.
“Risk management is a tool that makes business conversations more transparent and allows stakeholders to enter into strategic decisions with their eyes wide open”
member of Risk Leadership Network
For many organisations, the value of Risk quoted above is not well understood, which has prompted conversations between our members about how risk can be more effectively embedded across the business.
Many risk leaders are prioritising the use of a more top-down approach in their risk strategy plans. Here are just five of the approaches CROs in the network are taking to embed Risk within the business and create additional value that underscores the importance of risk management.
1. Evolve the use of risk appetite
Many risk leaders are reframing conversations about risk appetite to apply more focus to the strategic impact of threats and opportunities, rather than the traditional classification of impact based on severity or likelihood.
In fact, several CROs have explained how they have begun adding an appetite lens to existing business processes; this includes, for example, adding appetite to the list of questions asked when a business considers entering a new country.
Furthermore, in situations where two different risk appetites conflict (e.g. financial risk appetite versus climate risk appetite), risk leaders are facilitating stakeholder discussions within the business to determine the best strategic course of action.
2. Integrate Risk and Strategy
One CRO, who shared their approach to embedding risk management at a recent strategy forum within the network, is currently working with their head of strategy to incorporate a risk lens into their strategic presentations.
Delivered to senior leaders at the board level, these presentations begin with a review of the company's current external environment, flagging approximately eight key risks (emerging and strategic) and their associated metrics. Then, later in the presentation, appetite and tolerance (as well as opportunity) are also embedded into supporting information about recommended decision-making.
Where did this insight come from?
A number of Risk Leadership Network members are prioritising the use of top-down risk management. Through the collaborative meetings and one-to-one discussions that we're facilitating, CROs and heads of risk are sharing steps they are taking to further embed risk management across their organisations.
Key questions risk leaders are asking each other to address their priority to embed risk across the business:
3. Apply risk-thinking to investment decisions
Several risk leaders in the network sit on their respective businesses' Investment Committees, which has been an invaluable way to push the risk agenda forward and ensure a risk lens is being applied to major company decisions.
Based on case studies shared by our members, the best results are usually seen when risk is integrated with business cases and/or presentations on investments. CROs have supported this integration further by providing Investment, Strategy and M&A teams with a portfolio view of risks, as well as a dynamic, regularly reviewed update on risk appetite for specific countries.
4. Embed risk into business performance management
A useful way to determine how embedded risk management is across the organisation is measuring how risk is discussed when the CRO (and their team) are not in the room.
As part of the push by many CROs for greater management accountability, they are working with People, Culture and Talent teams to embed risk management into executives' scorecards, as well as management appraisals and career progression.
This may involve collecting and analysing data to understand how embedded risk is currently in executives' day-to-day activities. Questions risk leaders are asking include:
- Which risks impact your area of the business?
- Which risks impact your performance?
- Which risks did you recognise in advance of them materialising?
- Were the risks managed well? If not, what barriers were there to managing them?
5. Take advantage of existing data
Unlocking existing data across the business and repurposing it can be a powerful method of embedding risk even further. For example, one member launched a "soft signals" pilot which their board and executive committee have loved.
Using existing metrics monitored across the business outside the risk function's remit - for example, high off-contract spend, number of safety incidents, number of whistleblower cases - the risk team brings these together in a dashboard to show the 'bigger picture risk landscape'.
The risk leaders at this company noted that management and senior leaders (as well as internal audit) use the dashboard as a prioritisation and expectation management tool.
CASE STUDY: Embedding emerging risk into an organisation's risk management process
Risk leaders who participated in our recent strategy forum - one of the many collaborative meetings we have facilitated on the topic of strategy risk - agree that, in the short to medium term, an evolved use of risk appetite may be the most effective, and most realistic, way to change the business' perception of Risk.
As well as providing additional support to the board when they are faced with challenging high-exposure, low-likelihood events, evolving risk appetite to focus on strategic considerations can help resolve conflict between different appetite and can be the springboard to create dynamic performance metrics that actually reflect the business' ability to achieve its long-term goals.
Are you a CRO or head of risk who could benefit from collaborating with a global network of practising risk leaders on ways to further embed risk management principles and processes within the business? Or do you have another risk priority you're keen to tackle with peer validation and support? Find out more about our approach here.