A popular topic among modern risk practitioners is proactive risk management which drives business decisions at the highest level. As risks continue to materialize and develop at a rapid pace in 2024, businesses are contending with risks that are increasing not only in volume but also in their complexity and interconnectedness. Recent history has shown that risks can materialize overnight and have significant impacts on businesses and industries. For example, the global pandemic of 2020, the Silicon Bank failure and ensuing bank collapses of 2023, and periodic, costly cyberattacks like the MGM data breach.
Evidence has shown that organizations that can proactively address risks hold a strategic advantage over those with a reactive risk posture. That said, most organizations still have ground to cover before achieving a proactive state of risk management. For businesses to gain a true picture of their risk environment, risk teams need to better engage all levels of the business, from the front lines to the boardroom, as well as utilize solutions that can automate and streamline their risk processes, freeing up time for more strategic risk analysis.
AuditBoard explored these risk management challenges — and their solutions — in our RiskOversight product keynote at the 2023 Audit & Beyond User Conference. Continue reading for our biggest takeaways from this session.
Risk Management Trends in 2024
- Widening risk landscape. Risk teams today are dealing with higher volumes of increasingly complex risks. This is true across all risk domains, including strategic, operational, third-party, IT, and regulatory compliance. The 2023 State of Risk Oversight Report, issued annually by North Carolina State’s ERM Initiative, offers a vivid quantification of this prevalent challenge. In 2021, 2022, and 2023, at least 65% of respondents say the complexity and volume have increased mostly or extensively. These are record-high numbers in the 14 years that the report has been published.
- Expanding risk interdependencies. Risk events are no longer isolated incidents that impact just one facet of the business — they often have ripple effects across the organization and can even trigger domino effects across industries. The Silicon Valley Bank failure was an example of multiple risk interdependencies — including interest rate and liquidity risk, governance risk, regulatory risk, and operational risk — that interacted following the initial bank failure and even went on to have contagion effects on other banks.
- Risk management as a strategic asset. The sentiment that proactive risk management can offer a competitive advantage is growing. This is especially relevant in light of the projected negative economic and risk outlook for the next decade. As businesses navigate this rocky economic terrain and dynamic risk landscape, risk programs are no longer being perceived as a mere defensive strategy. More organizations recognize risk management’s ability to help drive business growth and resilience. Some examples of import include:
- Patagonia’s focus on ESG Risk: An example of a business that prioritizes data, security, ethical practices, and sustainability is Patagonia. By developing a risk management program that focuses on mitigating these risk areas that are not always prioritized, their business experienced a huge increase in positive brand reputation in recent years, driving customer loyalty and continued growth.
- Business resilience during the 2008-2009 financial crisis: While compliance with evolving regulations is essential to avoid legal and financial risks, financial institutions that embraced robust compliance practices, typically involving more robust risk management frameworks, navigated the aftermath of the 2008-2009 financial crisis much better than those that did not. These organizations were better able to identify and assess the risks associated with mortgage-backed securities and collateralized debt obligations at the center of the crisis.
Related Challenges and Opportunities
For a business to mature its risk program, risk practitioners must find ways to work more efficiently and effectively with the resources they have. As such, any solution that can remove steps that don’t add value, or streamline the risk life cycle timeline returns valuable time to practitioners. One such solution is RiskOversight, a part of AuditBoard’s connected risk platform that provides a holistic, data-driven, and collaborative approach to risk management that enables users to make informed decisions, enhance resilience, and seize opportunities. Below, we explore the challenges related to the risk management trends described above, as well as how AuditBoard’s latest innovations in RiskOversight can help your team meet these challenges.
Trend 1: Widening risk landscape.
Challenge: Risk practitioners must become better at anticipating and managing risks so they are not outpaced by their higher volume or overwhelmed by their increasing complexity.
- More scope with a growing risk universe. Among AuditBoard’s customers, we have seen a steady rise in the size of risk libraries across our customer base. 74% of our customers had more risks inside of their risk library in Q4 2023 than they did at the beginning of 2023 – about 40 more risks on average by Q4 than in Q1.
- Consequently, risk teams need to better engage all levels of business. The days of performing risk assessments with only executives are gone; to gain an accurate pulse on the business, risk teams must engage with more levels of the business – from the front lines all the way to the boardroom. Yet, engaging with more levels of the business requires more work for risk teams who are also contending with talent and skills shortages.
AuditBoard Solution: Collaborate seamlessly with the front lines and engage better with stakeholders across the three lines.
- Risk Intake: A new RiskOversight functionality that enables the first line and other stakeholders to intuitively propose new risks, submit them to the risk team, preliminarily assess them, and propose mitigation plans if needed.
- Risk Archiving: A new feature that enables risk teams to archive their historical risks while still retaining the ability to review any historical information when needed.
- Risk and Control Self Assessment (RCSA) for risk stakeholders: This new feature enables first-line stakeholders to assess the risks that are most relevant to their business units or the processes they own, assess the controls related to those risks, and identify gaps to help risk teams better prioritize remediation efforts.
Trend 2: Expanded Risk Interdependencies.
Challenge: If risks are no longer independent and are all loosely connected and easily traversable, then risk teams must spend additional effort to understand this interdependence to gain an accurate picture of the full impact of a risk event on the business. This is challenging for a number of reasons:
- Difficulty assessing and sharing the impact of risk relationships. Performing accurate analysis of risk relationships is challenging. A recent Gartner survey found over 70% of respondents indicated their decisions were greatly impacted by risk interdependence. Yet, only 18% of heads of ERM surveyed were successful in conveying that risk interdependence.
- Coordinating with multiple risk owners. Because risk relationships span teams and stakeholders, in order to accurately identify and assess the impact of risks, risk managers must work with multiple risk owners. Within AuditBoard’s customer base, we are seeing a steady increase in the unique number of risk owners across assessments and mitigation plans. Managing communication with various teams and risk owners can be challenging in a manual environment.
AuditBoard Solution: Build a more dynamic, actionable, and holistic view of risk.
- Risk hierarchy and aggregation: The new risk hierarchy view in RiskOversight provides a way to easily filter through parent and child relationships and see how children aggregate and roll up to a parent risk and contribute to the overall risk score.
- More actionable risk pages: New functionalities within risk pages provide one-click access to the most important information around a risk, under which you can view any related mitigation plans and issues.
- Residual risk calculator: An exciting new feature that automatically calculates the residual risk score of risk based on activity that occurs in the platform.
Trend 3: Risk as a strategic advantage.
Challenge: Changing the approach to risk programs to focus more on proactivity than reactivity is a multifaceted effort that takes time and effort. It will require integrating risk teams into strategy planning, improving continuous risk monitoring, conducting comprehensive risk assessments, and developing agile response strategies for when risks materialize. In the NC State ERM Initiative’s 2023 State of Risk Oversight report, the majority of respondents outside of financial services reported their organization did not articulate a tolerance for risk-taking as part of their annual planning activities, indicating that the industry tide has still yet to turn.
- Shifting the approach to risk management will not happen overnight: Sparking a paradigm shift from reactive to proactive risk management requires adopting a different mindset, a process that takes time and requires buy-in and support from the top.
- Expectation of more ownership with fewer people: Another challenge for risk teams is layering in this strategic approach while still keeping pace with all the other practices and expectations of their risk program. Risk teams are seeking solutions for how to do more work, but without more experts, and in some cases, smaller teams due to macroeconomic forces. As such, any opportunity to cut out a manual process, remove non-value-added steps, or streamline the risk life cycle timeline returns valuable time to practitioners.
AuditBoard Solution: Drive real-time, risk-informed business decisions.
- Risk event tracking: A new RiskOversight functionality that enables front-line stakeholders to report any risk or loss events in real-time to the risk team, reducing any unnecessary risk or loss exposure to your organization
- Risk and control self-assessment for risk managers: This RCSA capability enables risk managers to review any risks and controls relevant to them, make any changes, and add them to the controls library.
- Risk assessment reporting enhancements: These new updates to RiskOversight allow teams to easily aggregate risk assessment results into a customizable report template that can be shared with key leaders and decision-makers across the organization, creating efficiencies in reporting.
As the forecasted risk outlook for 2024 unfolds, businesses that prioritize their risk programs will fare better than those that settle for the status quo. This evolving landscape demands that businesses not only recognize the increasing frequency and unpredictability of risk events, but also understand their interdependencies and harness the power of proactive risk management as a strategic advantage.
Integrating a proactive approach necessitates embracing the power of technology solutions like RiskOversight that can successfully return time and bandwidth back to practitioners, enabling them to better focus on strategic decisions and keep their objectives on track. To learn how RiskOversight can empower your risk teams to manage their risks more efficiently and effectively, contact us for a personalized walkthrough here.