Organizations strive to utilize risk management frameworks to provide a structured approach to managing risk. These frameworks help teams manage various risk categories, including operational risk and the unique elements of risk management associated with each category.
In partnership with PRMIA, AuditBoard’s eBook Fragmented to Connected: Achieving Cohesion by Unifying Risk Management explores how organizations should implement risk management frameworks. It emphasizes the role of people as an essential component of these frameworks and the implementation challenges caused by scarce resources and siloed communication.
Chief Risk Officers, risk management consultants, and others often laud the benefits of such an approach, which include:
- Improved Risk Management: Risk management frameworks can help firms make informed decisions by understanding potential risks and their implications.
- Enhanced Organizational Resilience: By better managing risks, firms can better withstand adverse events.
- Regulatory Compliance: Including compliance in the overall framework can ensure that firms comply with relevant laws and regulations.
- Increased Stakeholder Confidence: Details of risk management frameworks are often included in shareholder and investor communications and can show investors, customers, and other stakeholders that the firm is committed to managing risks effectively.
- Taking Advantage of Opportunities: Risk frameworks help firms move beyond simple risk avoidance and actively pursue opportunities that align with their risk tolerance and strategic goals. By balancing risk and opportunity, these frameworks enable firms to grow and innovate.
Ideally, adopting such an approach should foster a common understanding of risk across the organization, reducing so-called ‘silos,’ particularly within the three lines of governance, risk, and compliance (GRC), and enable these three lines to connect more effectively. However, this ideal is not always realized. Some of the issues that have been seen with this approach include:
- Complexity: Developing a risk management framework can be complex, particularly in large firms with diverse locations, goals, and obligations. In turn, maintaining a complex risk management framework can also be difficult, especially if the documents for its underlying elements become outdated or inconsistent.
- Resource Intensive: Implementing a risk management framework that is truly firm-wide can require significant resources, often including time, personnel, and technology. Large requests for resources dedicated to risk management may be seen as wasteful by those not familiar with the approach and its benefits.
- Cultural Resistance: Related to the above, employees and management outside of risk management may sometimes resist changes associated with risk management frameworks, particularly if they see them as adding bureaucracy or limiting flexibility.
- Misunderstanding of Roles: The risk management function in the second line of the GRC model sometimes plays a “challenge” role that people may misconstrue. Those responsible for oversight and for ensuring effective risk management can appear detached or can appear to misallocate resources. This perception often leads to friction between risk management teams and business units, resulting in increased cultural resistance.
Taking action based on the following points is critical:
- Recognizing the link between each element of the risk management framework—from risk strategy and risk appetite to policies and controls—enables a more consistent and successful approach.
- Understanding the roles and responsibilities of individuals within the three lines helps implement risk management frameworks and allows others to see their benefits.
Some attempts to implement risk management frameworks have struggled due to a lack of resources and understanding. While many acknowledge that understanding roles and responsibilities is a source of success, organizations do not always achieve it in practice.
To address these challenges, we suggest the following:
- Ensure that training and collaboration occur for the risk management framework.
- Include all parties within the three lines in training and collaboration.
- Foster collaboration that explores ways to use resources productively or enhance their use through technology.
Finally, organizations should include emerging risks in their risk assessment activities. In particular, they need to recognize the increase in cybersecurity threats and their potential to “kill a firm in one day.”
Download the eBook here to learn how to adopt new technology to optimize existing resources.