Excerpt from Richard Chambers’s New Book, Connected Risk: Conquering the Perilous Risk Exposure Gap

I truly thought I was done writing books. As I updated my first three books for a new publisher in early 2024, however, I was struck by the realization that the last word on risk management cannot be written in an era of perpetual risk-induced disruption. I set to work on my fourth book, Connected Risk: Conquering the Perilous Risk Exposure Gap, sponsored by AuditBoard, and I’m thrilled to announce its official release on October 22 at AuditBoard’s Audit & Beyond conference. The below excerpts offer a preview of the book’s themes and central objective — no less than a cross-functional call to action to transform risk management for the modern age. 

*    *    *

The first half of the 2020s has taught us a profound and unforgettable lesson in the ripple effects of risk, and ultimately the speed of risk and value destruction. 

This hard lesson on risks’ far-reaching impacts embodies the new reality of risk management: organizations must become better at understanding, monitoring, and responding to the chain of risks as it unfurls. What potential threats and opportunities are created by each new crisis? When a significant disruptive risk event occurs, how can we plan for the downstream impacts? Perhaps most pressingly, how can we hope to anticipate the risks that will be unleashed next? 

No crisis will be like the last one. There is no playbook. Instead of trying to write new playbooks that will quickly become outdated, we must come at the problem differently. 

*    *    *

These unprecedented conditions have yielded a growing risk exposure gap — the widening gulf between the risks an organization faces and its capacity to manage those risks. The risk exposure gap modern organizations face is created by two principal factors: the rapid expansion of critical risks and the limited (and largely stagnant) pool of resources organizations have to assess and address these risks. Bridging the gap is absolutely vital for operational resilience and enabling organizations to achieve their strategic objectives. 

*    *    *

If we have learned anything in the first half of the 2020s, it is that the traditional “three lines” approach creates its own set of risks. Management cannot simply assess risks and design and implement controls in isolation from those who monitor or provide assurance on risks. Those who monitor risks cannot do so in silos that enable no engagement with risk owners or those who ultimately provide assurance on its effectiveness. Further, internal auditors cannot sit contently in the third line awaiting their turn to identify the other lines’ shortcomings.

In today’s world, these silos must give way to collaboration fueled by technology and a common objective — the success of the enterprise served by each player in the three lines. We must collaborate, coordinate, and communicate with each other to not only protect, but create organizational value. The approach I advocate in this book is one I refer to as “connected risk” — a modern, cross-functional, technology-enabled approach to managing risk across the enterprise that empowers new ways of collaborating across traditional lines. 

Connected risk helps organizations reduce silos, more effectively leverage technology, and improve how teams work together to protect and create value for their organizations. It requires the involvement of all of the key risk players, as well as buy-in and support from the board, audit committee, and C-suite. Connected risk brings together all of these players’ perspectives, capabilities, and strengths to drive more benefit from the valuable risk resources organizations already have. 

My objective in this book is to advance the new way of thinking required for effective risk management in the era of permacrisis and beyond. I am reaching beyond my usual audience to appeal to key risk players across all three lines, including not only internal auditors, but also professionals in risk management, information security (InfoSec), compliance, the C-suite, and other members of front-line management. Drawing on my perspective as an internal auditor, business leader, and board member, I lay out the case for connected risk in five parts.

• Part 1 begins by examining the conditions we’re working under — the era of permacrisis. We survey the evidence, inspecting the root causes behind the speed of risk and the devastating value destruction effects we have observed as a result. 
• Part 2 assesses the phenomenon of the “risk exposure gap”: what it is, how it has emerged, and the existential threats it presents for many organizations.
• Part 3 considers how the conditions, causes, and effects of the risk exposure gap are impacting risk management and organizations, and starts laying out potential solutions. 
• Part 4 offers a deep dive into connected risk, including identifying the key attributes of connected risk thinkers and the “wow factor” that differentiates connected risk organizations from those still on the journey.
• Part 5 shifts our glance forward, sharing continuous risk monitoring strategies, a connected risk maturity model, and thoughts on the future of risk management.

In the era of permacrisis, our risk management platforms are burning. As with any burning platform, we need fire extinguishers in a hurry. Connected risk not only helps us navigate the smoke-induced uncertainty engulfing our organizations, but also positions us for the value creation essential for ensuring their future prosperity. 

Order your copy of Connected Risk: Conquering the Perilous Risk Exposure Gap (available in paperback and Kindle). 

The book will officially launch on October 22, 2024, at Audit & Beyond. To hear Richard speak about the themes of the book at his October 23 Audit & Beyond keynote session, register for the free virtual event and earn up to 4 CPEs during the conference.