Top 3 legacy risk approaches to rethink and reform

Kin Ly
5 min read
Feb 20, 2020

Are long-held risk practices still fit for purpose?

Our community of risk managers named three approaches that must be challenged – the three lines of defence (3LoD), risk appetite and tolerance statements, and horizon scanning.

They are not irrelevant or redundant – but they run that risk if they are not viewed through a different lens.

We summarise the ideas put forward by our community of risk managers and provide you with initial questions to test your approaches.

But stay tuned. We will be providing tried and tested tips for updating these legacy approaches in coming weeks.

1. Is your 3LoD model fit for purpose?

Changes to the 3LoD are long overdue.

Senior risk managers who implemented the 3LoD in previous roles are now challenging the value it promised risk management some 30 years ago when it first came into being.

They ask:

  • How effective is the 3LoD?
  • Is it fit for modern-day business?
  • Does it consider opportunity and performance?
  • Does it reinforce effective decision-making?
  • Does it create the foundation for an effective risk culture?
  • Can we create a more robust model?

Bar the last question, the answers, by and large, were no. No – because the 3LoD is about defence.

It sits at the core of long-held misconceptions: that risk management is negative; a function that restricts business development and innovation.

It does nothing for upside risk. In other words, it fails to recognise risk management for all the benefits it provides in supporting opportunities and calculated risk-taking.


As one risk manager put it, the acid test is this: has the 3LoD safeguarded businesses from the type of high-profile scandals that have now become textbook examples for the failures in risk management?

The answer, again, is no. So, if risk management is about defence, are we ‘defending’ with any effect?

This plays into the reasons our community of risk managers argue that an alternative model is needed: risk management has less and less to do with defence.

3 questions to test your 3LoD model

Here are 3 critical questions risk managers should ask of their model:

  1. Does your model create duplication in processes, effort and cost? 3LoD is designed to encourage co-ordination of risk and controls among all risk and assurance functions. But grey areas exist in terms of risk accountability. Does the first line own and take complete accountability for risk? And if it does, does the second line operate in a silo? And if this isn’t appropriate, are there duplications between the first and second lines? And if so, to what extent?
  2. Is your model appropriate for today’s agile business models? Teams are smaller and nimbler; workflows are more fluid. Does the 3LoD force too much rigidity into agile workflows? Are we trying to shoehorn in a legacy approach that is ineffective in fast-changing business environments?
  3. Does your model address opportunity and performance? Or is it focused solely on defence and internal controls?

2. Are your risk appetite and tolerance statements usable?

Are your risk appetite and tolerance statements meaningful to leadership teams and stakeholders? That is, can they practically apply them to their day-to-day decision-making process?

The issue is that these statements typically exist as flat documents to which teams give a cursory nod. That’s because they are written as statements and therefore offer little practical guidance.

Let’s first review their purpose.

According to ISO 31000, risk appetite defines the risks you are willing to take as a business. In other words, we should refrain from managing risks that are within our agreed appetite.

Risk tolerance is the level of risk you are prepared to take (but may be unhappy doing so) in pursuit of value. In other words, risks exceeding this threshold must be reduced.

But defining the granular details is a vexing challenge. You will be thinking about your definitions on various levels:

  • What is your risk capacity, tolerance and adjusted appetite?
  • How should these be quantified?
  • How do we define it at board level?
  • Do we need to create separate statements for each of our strategic priorities?
  • Do we need individual statements for each unique project or department?

Our attention is so focused on sourcing clear answers in our statements that we overlook their precise function: to aid decision-making.

3 questions to test your risk appetite statements

Here are 3 questions that will help refocus your attention to creating practical and meaningful statements.


  1. Do your statements help managers tell a story of how they will support the organisation’s strategy? What are the opportunities and risks?
  2. Do your statements link into the company’s key performance indicators? Alignment will help embed risk management into day-to-day decision-making.
  3. Can your statements be understood by everyone (outside of the risk department)? That is, are they free of jargon?

3. Does your horizon scanning framework address bias?

Horizon scanning can play a crucial role in optimising risk management – if its full value is recognised.

You may have fallen into the trap of limiting the practice of horizon scanning, or misunderstanding it, to be:

  • A tool for predicting the future
  • A method for identifying risks and determining our risk profile

But if we carry out horizon scanning effectively, it can also help achieve the following:

  • Change mindsets
  • Challenge risk assumptions
  • Provide greater options to aid decision-making
  • Provide a focus on opportunities and emerging developments

3 questions to test your horizon-scanning approach

To move closer to this framework, here are 3 questions to ask:

  1. Are you proactively addressing bias in your horizon-scanning approach? Without doing so, we mistakenly search for answers that validate what we want to know. To paraphrase the former US secretary of defence Donald Rumsfeld, “there are known knowns”. There are also “known unknowns”. Horizon scanning can help get to the emerging risks and opportunities.
  2. Can you bring your findings to life? A list of risks won’t cut it with the leadership team. What do your findings mean for the strategic direction of the business? Is there a high-profile case study to bring your findings to life? What are the opportunities, the rewards? Be armed with answers to the perennial question from the leadership: ‘so what?’
  3. Are you relying on textbook definitions and legacy frameworks? There are numerous definitions of what constitutes ‘horizon scanning’: is it a formal process for identifying and analysing risks? A systematic approach for examining potential and emerging threats? Or is it an analysis of what the future looks like? None of this will be relevant to you if it doesn’t directly relate to your business. Define your own terms. And learn from validated sources – risk managers who have a successful horizon-scanning approach.

If you answered negatively to most of these questions, then perhaps now is the time to join our discussion. To hear and learn from other risk managers, click here.

We will be taking a detailed look at all three approaches with the launch of our Intelligence platform in April. To find out more about the benefits of becoming a Member of the Risk Leadership Network, click here.
