If there’s one rule that holds true when dealing with today’s dynamic Financial Services risk environment, it is “today’s risks rarely (if ever) play by the rules.” While today’s risk management environment is miles ahead of pre-crisis practices, the reality is that the stakes are higher. Today’s risks are seemingly more complex, and the liabilities more severe than pre-crisis challenges. To mature their risk management capabilities and better meet today’s challenges, organizations must move away from a traditional siloed approach toward an integrated approach to learn, adapt, and evolve their risk management capacity.
It is generally believed that risk management can trace its roots all the way back to gaming in ancient times, but the term (and practice of) “risk management” seems to have emerged after WWII. Internal controls were introduced in greater numbers from the 1950s through the 1970s as organizations realized that checks, balances, and controls were more realistic than broad insurance policies. A growth in internal audit capabilities soon followed as organizations looked for ways to verify that their controls were being followed as designed. The first international risk regulations appeared and COSO was formed in the 1980s, and financial firms soon began to create separate risk management organizations to provide a level of “independent” reporting to boards and management teams. By the early 2000s, risk management reporting had evolved to include risk scorecards that looked across an organization to assess risk levels and levels of risk-readiness. Assessing risks, yes; proactively addressing them was soon shown to be very much still a work in progress.
The financial crisis in 2008 was a turning point in risk management’s history. It demonstrated the need for continued evolution in risk management practices, and soon enterprise risk management (ERM) teams were deploying new technologies, new reporting, and new standards.
ERM teams today work hard to categorize, document, and report against myriad risks. Regulatory, reputational, financial, and cyber risks are but a few of those that can be found in recent news headlines, and you can bet that every one of the organizations impacted wishes that its risk management team had somehow been better able to help mitigate the risk before it became a headline problem. Recent headlines also highlight that while many organizations have invested heavily in risk management, overall risk management maturity is still not sufficient to adequately protect complex organizations operating in a dynamic environment.
An organization may not need a “village” to best manage risks, but it likely does need a solution beyond a traditional siloed ERM team.
An organization that integrates its ERM capabilities with its internal audit and operational control capabilities can significantly improve its overall risk position. Integration between ERM, audit, and control teams can create a closed-loop risk management system that delivers a constant sharing of information between the three risk management entities.
In a traditional risk model, the ERM team captures risks from multiple sources across an organization and maintains these risks as “known risks” in a risk warehouse (or inventory). The ERM team then uses a variety of methods to assess the likelihood and the impact of each risk, ultimately identifying the residual risk level for each known risk. Residual risks are reported to organizational leadership for awareness, action, and strategic decision-making. Internal Audit develops an annual audit plan and works to review control adherence and adequacy. Control teams work across an organization to develop working controls to mitigate related risks. In a traditional risk model, leadership acts as the only intersection point for risks, audit reviews, and control designs; the three teams do not feed one another directly.
What does an integrated risk management function look like?
In an integrated risk assurance model, the ERM team still warehouses and assesses risks, but ERM has the added responsibility of providing internal audit with updates on the changing risk environment. Audit still verifies control adherence and adequacy, but it also has the added responsibility of updating the ERM team on mitigation readiness and on any newly uncovered risks that need to be added to the ERM risk warehouse. Audit uses ERM team feedback to adjust its audit plan as needed so that it exercises the most important control audits. Control teams still develop working controls, but they also work with the ERM team to prioritize control (mitigation) designs for emerging risks and for the highest-rated known risks. An integrated risk model essentially creates a closed-loop system that provides each component with ongoing feedback, allowing each to work more efficiently and more effectively.
In today’s risk environment, organizations face hundreds of known risks, and one thing is clear: the risk management ecosystem needs to continue to evolve along with the dynamic risks it faces. An integrated risk assurance model is key to ensuring that organizations are positioned to evolve. While no risk management program can guarantee that an organization won’t be impacted by a risk, a risk assurance model that is continuously informed by integrated feedback can help an organization learn and adapt, so that its risk management keeps evolving toward greater effectiveness.