How to Measure and Enhance Organizational Performance and Resilience With IRM
Facing a constantly expanding risk spectrum, today’s business leaders are prioritizing efforts to improve and connect risk management efforts. Many are turning to integrated risk management (IRM), which offers a practical, balanced, and comprehensive approach that accepts risk as a part of doing business — helping to create a risk-aware culture that manages risk as part of both long-term strategy and day-to-day operations.
How can business leaders create a foundation for sustainable, successful IRM? They can begin by better understanding and prioritizing their companies’ risks through four universally applicable risk management objectives of Performance, Resilience, Assurance, and Compliance (PRAC).
We’ll take an in-depth look at performance and resilience below, and at assurance and compliance in a second article. For a bigger-picture look at the business case for IRM, the integrated risk priorities that matter in the current environment, and how PRAC can help your organization get on the right track, download AuditBoard’s new ebook, The Integration Imperative: Connecting People, Technology, and Business in a New Era of Risk.
Assess PRAC to Better Understand, Prioritize, and Manage Risk
Every business looks to achieve better performance, stronger resilience, greater assurance, and more cost-effective compliance. The IRM Navigator illustrates how performance and resilience interconnect and overlay with key risk areas, disciplines, organizational leadership roles, and the complementary objectives of assurance and compliance.
Performance: How Well Are You Running the Business?
Why It Matters
Priority risk areas such as digital, ESG, resilience, health and safety assurance, and cybersecurity compliance are contributing to how organizations grow and move forward, advancing into new phases of using technology and operating in a business world with a whole new set of expectations. Measures of business success are evolving beyond financial performance, combining the quantitative and qualitative to more holistically explain risk and value creation over time.
Operational risk management, or ORM — both as a program area and technology category — gets to the heart of what the performance vector is about, making sure operations are well-managed within a specific and aligned risk appetite that boards and business leaders are looking for. Operational risk has rapidly expanded to systemic proportions due to the global nature of business today. Everyone shares in the impact of risk events, but risks are opaque and remedies are difficult to identify due to limited visibility and understanding of the complexity of business relationships and how operational risks are related.
Many organizations still view risk primarily as a performance impediment rather than a potential opportunity. In actuality, a better understanding of operational risk is key to better performance, helping organizations to improve ORM, avoid loss scenarios, and even capitalize on risk. Better understanding a specific strategic risk, for example, could help an organization manage it more efficiently than its competitors.
Performance: How It’s Measured
Operational metrics that measure a company’s performance in non-financial areas (e.g., sustainability, cybersecurity) are being disclosed more formally and will soon become standard for broad-based, annual corporate reports. The era of voluntary, unregulated ESG reporting is ending, and integrated reporting frameworks will ultimately become the norm. Integrated reporting blends together multi-capital information across the organization to provide a qualitative understanding of a company’s strategy and outcomes that is underpinned with quantitative data showing both successes and challenges. Combining the quantitative and the qualitative: That’s where integrated reporting, integrated thinking, and IRM generate value.
Companies can begin by undertaking a current-state assessment, learning about integrated reporting best practices, rallying support, establishing governance, and starting to gather qualitative and quantitative data. “Integrated ESG Reporting: Three Reasons Why Integrated Thinking, Risk Management, and Reporting Adds Value to ESG” offers a primer on these topics and more. While the article has an ESG focus, the same principles apply to other ORM areas.
How IRM Supports Performance
Again, integrated reporting is based on integrated thinking, which helps companies consider how their operations, functional units, and capital types relate to and impact one another — enabling IRM, which looks at how financial and nonfinancial risks interconnect and interact. IRM is designed to synthesize existing risk management programs to provide a more comprehensive and integrated view of operational risk, with visibility both across the organization and from the bottom up, and to tie all of the information together in an orchestrated fashion.
Resilience: Are You Prepared to Respond to and Recover From Risk Events?
Why It Matters
Now more than ever, businesses must be able to quickly identify, respond to, and recover from risk events (e.g., supply chain failure, cyberattack, natural disaster). Historically, businesses have thought of resilience as being focused in IT risk management (ITRM). While much of it is — for example, the disaster recovery procedures companies use to get their systems up and running again after a risk event — it also ties into supply chain risk, since supply chains generally run on the back of some form of IT.
IT is now the backbone of business. If it breaks, the entire organization can become paralyzed. That’s why ITRM is the technology category of focus for resilience. Organizations need to understand and build awareness around the IT that’s most important to conducting business, building ITRM programs to support effective incident response, recovery, detection, and prevention both within the organization and its third parties.
Resilience: How It’s Measured
“Must have” resilience activities include regular risk assessments (such as a business impact analysis to determine where to focus attention) and scenario analysis to practice how to respond and recover. Companies should also develop and measure key risk indicators (KRIs) tied to specific risks and strategic objectives. KRIs must be measurable, predictive, comparable, and informative, tracking quantifiable metrics and trends over time to detect early warning signals and measure the status of risks and controls. To that end, KRIs should also have set tolerances and thresholds (e.g., red, amber, green). It’s also important to stress-test key performance indicators (KPIs), failing now — and fast — instead of failing later, when facing real-world risk events. Companies can quantify and track KPIs that measure effectiveness in responding to potential incidents (e.g., time to detection of cyber breach, efficiency of response).
How IRM Supports Resilience
IRM enables businesses to orchestrate these activities and strengthen overall business resilience by setting them up to bounce back quickly and maintain critical functions. In addition, establishing IRM processes with third parties can help to bolster trust, both from the third parties and all of an organization’s key stakeholders. Effectively using KRIs and KPIs relies on having the right IRM technologies in place, supporting effective identification, assessment, response, mitigation, and continuous monitoring of risks.
Understand Performance and Resilience to Create Advantage
The risk spectrum has expanded in countless ways. Supply chains have grown in complexity and fragility, with many organizations relying on third parties for critical business functions, making it more important than ever to have a business continuity perspective on risk. Momentum is building for using integrated reporting to understand and measure business success across both financial and non-financial areas. As regulatory activity coalesces and a widening pool of stakeholders seeks to use non-financial information in their decision-making, businesses need to build better understanding of operational risk that can help them improve performance in all areas — potentially creating a competitive advantage.
The new era of risk requires a forward-thinking, comprehensive view on risk that balances the complementary risk objectives of performance, resilience, assurance, and compliance. Learn how IRM and PRAC can help your business improve how it measures and manages risk across the business. Download The Integration Imperative: Connecting People, Technology, and Business in a New Era of Risk.