When risks intersect, the collective impact on a business can be significant. While this may represent a cause for concern, reviewing their risk landscape to identify these potential connections in advance is helping risk professionals to enhance decision-making processes and build resilience at their organisations.
Risk management frameworks and processes are typically geared towards individual risks and risk owners. In reality, though, these risks and relationships often intersect.
For example, the impact of an external risk event like the Russia-Ukraine war would have been felt throughout organisations that operate in the region and even those impacted by the knock-on effects of the war, potentially in hundreds of different ways: from the evacuation of employees from areas worst affected by the conflict to the global disruption caused to supply chains.
Internal risks can cause similar ripples. If an organisation throws its weight behind a series of product launches, for example, it will have a big impact on the bandwidth available for other activities in different parts of the business.
Getting on the same page: Executives often talk about risks in clusters anyway - think environment and sustainability or legal and regulatory. If the rest of the organisation can be convinced to do the same, these connections can be formalised. This will help everyone to get a perspective on the organisation’s full risk picture. Furthermore, it will also contribute to embedding risk discussions within day-to-day activities.
Building organisational resilience: Establishing this kind of interconnectivity between risks that need to be managed should help boost organisational resilience, as it will enable better scenario planning, testing, and improvements. You want to avoid the danger, however, of overcomplicating things.
Delivering better insights: Embarking on a strategy to map your company’s risk connectivity could provide you with the means to provide insights that extend beyond your traditional heat map and associated KRIs. It’s important, though, to present these findings in an enticing way that isn’t going to confuse or scare off management.
New approaches to risk interconnectivity
Risk leaders have discussed this subject during member meetings over the last few months, which have helped to identify the major gains from an interconnected approach to risk. Some of the recent new ideas shared include:
Breaking down siloes: When a risk event or threat emerges that the business needs to handle, the approach to managing the situation should be applied consistently. If siloes can be eliminated – so that people view the threat from a broader, enterprise-wide perspective – this will enable a more coordinated effort to manage the myriad risks associated with a particular event or circumstance.
Scenario testing: If risks are thought about in connection with other risks that could materialise, it may be easier to visualise (and then test) potential scenarios that will have an impact on the organisation. On the other hand, you could flip this process and use scenario testing to determine how risks intersect with each other in certain contexts.
Reducing the business’ reliance on dashboards: For organisations with decentralised risk functions, it can be easy to rely on dashboards and visualisation tools to understand the risks other teams are managing. Even centralised risk functions that use dashboards can sometimes forget the importance of context when reviewing results. By implementing a more interconnected approach to risk identification and monitoring, people can communicate more effectively without having to refer to a dashboard that may take time to update or blur the full picture of the organisation’s risk landscape.
Taking the first steps . . .
Finding a way to establish more formal connections and monitoring and reacting to risks requires input from a range of stakeholders. These employees and teams will require space to meet, discuss and ask questions about risk. Risk managers can facilitate these discussions and learn from them, using the insights gained to build a more interconnected risk picture for the organisation.
A lack of understanding around risk interconnectivity can lead to a lack of accountability and transparency: you want the business to be clear on who the risk owners are and, equally, which people are responsible for mitigating transversal risks. Interconnectivity gives you the means with which to identify and spot gaps in risk management controls, too.
. . . And the next steps
The process shouldn’t end with the identification of the connections. Work out how to properly visualise the results of this discussion and show how your organisation’s risks connect. This is key for reporting purposes and could produce a more nuanced, intuitive tool for executives to use than a standard heat map.
For instance, at a recent member meeting, one member shared their step-by-step process to visualising interconnected risks. This involved classifying risks as either strategic, operational, tactical or project related. They shared with peers how they used digital software to visualise their risk register, coordinated with different teams to identify their relationship to certain risks, and performed cross-functional and integrated market risk reviews.