Risk Leadership Network’s risk management pulse: top 3 global priorities

Kin Ly
Oct 22, 2020
Risk management software, operationalising appetite statements, board reporting, control effectiveness, resilience frameworks, and emerging risks. The ‘how-to’ of these areas forms six priorities for our network of risk leaders. In the first instalment of our risk pulse, we review 3 of these areas and summarise the approaches of our Members – helping you to compare & contrast with risk managers from across the world.

How often do you think about how your peers from the same or allied sectors are managing their company’s risks?

We often get questions from Members who want to know “how are others doing it?”:

  • Are other Members challenged by stakeholder and management engagement in the same way that I am?
  • Have they found and implemented an approach for operationalising their risk appetite statements? How different is their approach to mine? Can they share their framework?
  • Are they also exploring ways to improve their controls effectiveness or board report? And how?
  • Are their challenges the same as mine?

To answer the last question first: largely, the answer is yes. Or, at least, we’ve found several common trends and challenges that cut across our entire membership of corporate chief risk officers and senior risk managers.

You can find out more about these top three collective challenges below.

But it is what we, at the Risk Leadership Network, do with this trend analysis that our Members value most – or so they tell us.

By way of example, let me provide a brief response to questions 1-3 (above), based on what I’ve received from the wider network.

They tell me that the answer is generally ‘yes’ or ‘it’s a work-in-progress’: 

“Yes I’ve implemented an approach to operationalising risk appetite statements. And yes I am happy to share my approach.”

“Yes, I’m exploring ways to improve control effectiveness and my approach is a work-in-progress. But yes, I am happy to share my framework.”

We provide granularity and delve deeper into the ‘yes’ and ‘it’s a work-in-progress’ by bringing our Members together in small, collaborative groups to benchmark, compare & contrast their approaches, share lessons learnt, and to provide feedback on each other’s work-in-progress frameworks.

So, based on these discussions and one-on-one conversations we regularly have with our Members, here are three key priority areas that they are currently working through.

If any of the below challenges resonate with you and you’d like to find out more about how you can benchmark, compare & contrast, share and learn from risk manager peers in the same and allied sectors, let us know here.

1. Finding the right risk management software provider

We’ve seen an increase in Members investing time and money into sourcing the most appropriate risk management software for three key reasons. To:

  • Optimise and streamline reporting
  • Coordinate risk reporting across multiple departments and encourage consistent and constant reporting behaviours
  • Collate high-quality and consistent data to provide accurate information on risk trends, control effectiveness and areas for improvement

Many are in the due diligence phase and are mapping out their business requirements before going to the market, while those who have completed or are mid-way through a global or phased implementation are proactively sharing the lessons they’ve learnt.

I’ve summarised some of the key considerations our Members have shared with one another.

Forecast your future needs. And keep it streamlined

“After implementing a system at four or so organisations, what I found is that each business has somewhat different requirements and usually different maturity in the risk space. When starting from scratch, often homegrown was good enough. But in larger industrial organisations, which implemented first line control monitoring, a system was crucial as we were trying to move towards real-time understanding of control performance as a proxy for risk.

“One thing I have seen is having too many different systems that speak to different types of risk can be confusing for those that use them and also can lead to several disparate lists of actions which are incredibly difficult to prioritise.

“I'd also suggest not just picking a solution that meets your requirements of today; switching systems down the road is challenging as it takes up precious change capacity. Thinking about your journey in 5 to 10 years with risk and requirements that go along with them could help avoid needless change.”

Get clear on the audience

“As senior riskies, we are frequently serving two masters: the audit committee who, in my experience, can frequently lean towards the technical and 'best academic practice’; and the Exec team (who pay our wages) and who want simple and practical.

“I am working on getting to a minimum viable product that I can keep stable so I have the bandwidth to influence and support the business rather than chasing the latest risk 'thought-leadership' bubble that directors have read or had presented to them.”

The output from one Member’s risk software implementation

“From a risk evaluation perspective, we have developed an approach where we evaluate the maximum reasonable consequence on a global scale and then apply local risk thresholds set for each management team to translate into a risk class.

“We can also see the class of the risk through the thresholds of our leaders – assisting escalation. This doesn't solve aggregation, but at least lets us compare risks everywhere through the Group thresholds whilst retaining the ability to prioritise locally at the same time.

“The thresholds are also an expression of risk appetite for each team – at what point does a consequence become material for that team?

“In my opinion, to go further and quantify requires business modelling with dynamics, and bottlenecks built in, which we have done some interesting work on – but not put into production as yet.”

What you may have missed

The discussion doesn't stop here. At our Members’ request, we’ve facilitated numerous meetings about specific software providers – from a risk manager’s perspective. That is, risk managers who have had experience with a particular vendor have provided their frank assessment – in a non-commercial and trusted fashion. 

They’ve talked through areas such as:

  • Experience of their account manager: to what extent did they consult and advise? Was adequate support provided throughout the implementation phase? To what extent did the account manager/vendor probe the client to ensure that the product was fit for purpose?
  • How much customisation was required: what was the extent of customisation and how much time did this require?
  • The good and the bad of embedding the software: How tricky was it to embed the software into existing processes and what was learnt from this experience?
  • Improvements to risk reporting and engagement: Are you doing anything new with reporting that you couldn’t perhaps do in the past? And examples of what reporting now looks like. Has implementation improved risk management engagement among stakeholders and senior executives? Are they talking more about risk and other risk management related issues?

Future meetings you can get involved in as a Member

This isn’t a subject that we are going to drop any time soon. After all, our Members are working through finding the most suitable solutions. In fact, some are even weighing up the benefits of a ‘home-built’ system versus going to the market in one of the many Member meetings we will be facilitating on this topic.

The next Member meeting will be an objective product comparison.

Ollie de Boer, software lead for Satarla, researcher and author of a software comparison study, will present the findings from his report and give an impartial overview of differences among some of the major players.

This will take place on 18 November 2020, 9:00 am AEDT.

Members can register via the Member Portal. And if you’re not a Member, get in touch with us here to discuss how you can get involved – we’d love to hear from you.

2. A collective goal to operationalising risk appetite statements

Risk appetite is getting prime airtime among our Members, each of whom shares this common goal: to transform the traditional ‘static’ and ‘flat’ appetite statement into a ‘live’ tool that gets everyone talking and thinking about risk – and opportunities – as part of their decision-making process. We’ve previously touched upon this in the blog 3 simple tips for turning your risk appetite statement into a practical tool.

For some, the aim is driven by local regulation. For example, Australian regulators – the Australian Securities and Investments Commission and the Royal Commission – have published various reports highlighting the importance of an effective risk appetite statement. This has piqued the attention of boards of directors from non-financial institutions, many of whom have tasked their CROs to do just that.

For others, risk appetite is one key step towards socialising risk management within every single department and across all levels of seniority.

They use this network to garner further insights on:

  1. How industries outside of financial institutions have created and applied risk appetite statements
  2. The practical value of risk appetite statements and how to derive it
  3. Approaches to operationalising risk appetite statements so that statements are meaningful and directly applicable to the business
  4. New and modern ways to present and report risk appetite
  5. Bouncing ideas off risk manager peers in a similar position

So, how are Members dealing with this perennial challenge?

You may have come across an earlier case study we shared, on operationalising risk appetite, where risk advisor Anthony Reardon outlined a three-tiered approach comprising:

  • Establishing categories, sub-categories and events
  • Getting governance right
  • Creating qualitative statements and quantitative metrics

Here, I’ve summarised two other approaches that Members have developed and implemented within their organisations.

A consequence and likelihood approach to appetite

Here’s the starting point for one Member: risk appetite criteria were not aligned with the organisation’s values or strategic objectives. The consequence was a risk process that was ill-integrated with business processes, which meant both upside and downside risks failed to support day-to-day and strategic decision-making.

The goal was to put the organisation’s key outcomes at the centre of the risk framework and to develop an integrated risk management model.

Here’s how they did it in four headline steps:

  1. Start with the outcomes: identify strategic outcomes that the company cares most about and use them to form the basis of your consequence assessment criteria. For this Member, five levels of consequences were identified and mapped out.
  2. Define appetite for variance: determine appetite thresholds and behaviours for any uncertainty connected to your outcome (as identified in step 1), and map out an escalation scale. For example, if a particular risk category has a low appetite, descriptions will start at a relatively conservative threshold and require quick escalation through to higher levels in the management hierarchy.
  3. Integrate appetite into decision-making: in the same way consequence criteria were mapped out, map out your likelihood criteria. This results in a 5x5 risk matrix and five levels of assessed risk. Sitting alongside each level of assessed risk is the guidance relating to decision-making authority and level of reporting required.
  4. Measure performance against appetite: key risk indicators should be the same as key performance indicators. Assess the company's KPIs and apply a risk appetite lens to them. This will help interrogate how well the organisation is operating within appetite.

This approach is further detailed in a set of templates that this Member has contributed to Risk Leadership Network’s Intelligence platform (our searchable database of risk management case studies, tools and templates). They include the following:

  • Risk consequence table
  • Risk appetite matrix
  • Consequence assessment criteria

A combined quant and qual approach to operationalising risk appetite

A large, listed retailer operating internationally needed to create risk appetite statements that made sense across its divisions and at the shareholder level. A dual-statement was created. Here’s how the head of risk achieved this goal in five headline steps:

  1. Define the audience: in other words, ask, ‘what is risk appetite really about?’ or ‘who are we really protecting?’.
  2. Design the qualitative statements: In risk language, this may be determined in terms of ‘low’, ‘medium’ and ‘high’: “We have zero appetite for health and safety risk” or “we are willing to accept risks that may result in some financial loss”.
  3. Design quantitative metrics – at group level: complement the qual with the quant. Start by selecting metrics that are pragmatic and would make sense within the business context.
  4. Determine the metrics – division level: work to one defined group of metrics at division level. If the metrics are different between each division, this would add a layer of complexity and decrease the chances of engagement. With one set of metrics, we’re speaking one language across the group.
  5. Determine your thresholds: work through the qual, group level and division level and set clear thresholds.

What you may have missed

We’ve expanded on these two approaches in our Intelligence platform. The two Members in question provide detailed steps in the form of written case studies.

We’ve taken it a step further and have held several virtual meetings to share new and alternative approaches, pioneered by risk leaders who form part of the network.

And there’s more.

Future meetings you can get involved in as a Member

Risk appetite clinics

To support Members with the day to day challenges of managing risk, we’ve introduced Risk Clinics. Hosted monthly, Risk Clinics are chaired by a panel of risk management peers on hand to provide insight, advice and answer your specific questions.

Our next Risk Clinics will focus on risk appetite and take place on Friday 13 November, 9.00am AEDT and Tuesday 17 November, 7.30pm AEDT/8.30am GMT.

Roundtable: Operationalising risk appetite

Anthony Reardon, former head of risk strategy and development at BHP, will kick off the roundtable by sharing his experience of creating risk appetite statements and how best to ‘operationalise’ them, including:

  • Engaging the board and management – striking the right balance post board approval
  • Mapping and aligning appetite against organisational values and corporate values
  • Categorising risks and embedding KRIs

Members can register via the Member Portal. And if you’re not a Member, get in touch with us here to discuss how you can get involved – we’d love to hear from you.

Global risk appetite report

We’re just about to publish our global risk appetite report. It will offer extra insights and analysis, as well as short, sharp case studies from practitioners around the world. For more information, get in touch with me: kin.ly@riskleadershipnetwork.com

3. Getting visual with reporting risks

Aligned to the above two priority areas, presenting risks to the board along with data visualisation are hot focus points.

Discussion in this area was first triggered by a post in our private messaging app. A Member asked this simple question: “How are other risk managers presenting their top risks to the board? And is anyone willing to share their templates with me?”

This resulted in tips and lessons learned shared by some of the most senior risk managers from across the world. We’ve summarised in brief some of the tips in this blog, 11 ways to present top risks to the board. While this blog summary may be useful, the real gems are held inside the network.

Members shared with one another their risk reports – in editable formats! Dashboards, 360° charts and matrices from across sectors were generously shared.

This gave a number of risk managers the reassurance that their risk report is – comparably – on the right track. For others it inspired new ideas.

And new ideas keep coming, which we will explore in upcoming Member meetings.

Future meetings you can get involved in as a Member

Risk reporting programme

Expert Network programmes will provide a deep dive into risk reporting and assessments. Facilitated by an industry expert, each programme runs for about 4-6 weeks and incorporates brainstorming, Q&As, guest speakers and Member presentations.

Attendees can either join the full programme or attend in parts. Delivered through virtual meetings, our Expert Network Programmes are structured to help you learn from the ideas and practical experiences of your peers.

Want to know more? Email me: kin.ly@riskleadershipnetwork.com

How I used Tableau to build an effective risk management dashboard

Catarina Le Guimarães, group manager risk and compliance at St John of God Health Care, will walk us through how she used Tableau to create a risk management dashboard for presenting risks.

This takes place on 29 October 2020, 7:30 pm AEDT/ 8:30 am BST.

Members can register via the Member Portal. And if you’re not a Member, get in touch with us here to discuss how you can get involved – we’d love to hear from you.

Building a resilience framework, control effectiveness, and emerging risks

These are three other areas that top the priority lists of our CROs and heads of risk. We’ll be bringing you more on how our Members are approaching these areas in the second instalment of our risk pulse series.

Are you an in-house risk manager who could benefit from access to a global network of risk leaders? Talk to us about becoming a Member today.
