Enterprise governance, risk, and compliance programs are designed, in important part, to ensure that companies stay on track and manage risk and uncertainty. Many organizations, because of the COVID-19 pandemic, are now finding out whether their risk management and cybersecurity plans will work as intended.
In many ways, the move to cloud over the past decade and the rush to digitally transform their organizations left businesses better prepared for this rapid shift to remote work than they had ever been. Of course, that alone won’t have been enough to be ready for the economic shutdown, shelter-in-place orders, and social distancing. That’s where risk management comes in, or should come in, to help guide organizations forward.
Organizations’ current approach to risk governance is not sufficient to tackle the complex risk environment they face today, according to Gartner, Inc. The COVID-19 pandemic is just the latest in a line of recent risk events showing that organizations are not properly set up to manage risk, especially fast-moving risks.
Gartner research showed that 87% of audit departments say their organization uses a “three lines of defense” (3LOD) model for risk governance. This model states that line management should act as the first line of defense, identifying risks and implementing controls. Risk and assurance functions such as legal, compliance and enterprise risk management (ERM) should act as a second line, overseeing and monitoring risk management processes. Finally, internal audit should act as a third line, taking a bird’s-eye view of the effectiveness of controls and risk management.
“Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks. Pandemic is a rapidly developing type of risk that needs a dynamic risk governance (DRG) set-up,” said Malcolm Murray, an analyst for Gartner’s audit and risk practice.
Gartner recently surveyed 200 organizations and examined whether traditional or dynamic risk management proved better at governing risk. Their survey found that the presence of each of the three pillars of DRG increased high-quality risk management behaviors:
Risk-tailored governance (18% increase)
The governance model should depend on the risk’s speed, the organization’s risk tolerance and internal constraints rather than relying on a one-size-fits-all level of scrutiny, such as centralized oversight for all risks or models based on industry norms. Corporate leaders should have the final say here, because the governance model should be determined by the company strategy. A benefit of placing this authority with senior management rather than with the board and the assurance functions is more rapid response: these top executives can take faster action.
Activity-based risk governance (22% increase)
This means dispensing with the idea that only the first line owns all risk activities, and assigning accountability for risk management tasks without regard for the borders between the first, second and third lines. Senior management – not assurance functions – should determine who will decide the task owners for a particular risk. For some risks, it will not matter which exact function is accountable for each activity, as long as specific accountability is assigned.
Digital-first risk governance (18% increase)
This means considering digital solutions during the creation of the governance framework for the risk, not as an afterthought. For instance, if large parts of the risk management process can be automated, then fewer functions need to be involved.
I’m not surprised by these findings. I’m familiar with the concept of dynamic risk management as it pertains to stock portfolio management: as risk changes – whether geopolitical, economic, or market volatility – risk assets are adjusted to mitigate potential losses.
With dynamic risk governance, enterprises can adjust their risk posture more proactively: because the strategy is determined in advance, executives and line-of-business managers can respond rapidly. The more digitized these processes are, the more swiftly those managers can get information and the better informed their responses.
“This isn’t just about risk managers, this is about the board of directors and senior management making risk governance a key consideration so that organizations become more resilient against fast-emerging risks, such as coronavirus,” Murray said. “The DRG methodology applies equally to the many fast-emerging risks presented by digitalization.”
I agree, and in the weeks and months ahead I expect to hear quite a bit about how different organizations’ governance, risk, and compliance efforts served them well, or, unfortunately for some, not so well.
Gartner Press Release, Gartner Says Coronavirus Exposes Outdated Risk Management Practices, March 26, 2020, https://www.gartner.com/en/newsroom/press-releases/2020-03-26-gartner-says-coronavirus-exposes-outdated-risk-management-practices