The famous saying “practice is the best teacher” is once again proving true in the current situation. The COVID-19 pandemic has put risk management in a spotlight like never before and turned even politicians, institute directors, and physicians into de facto risk managers. Leading risk indicators such as incidence and reproduction figures have become everyday vocabulary among the general population, and those put in charge of their organization’s business continuity, in particular, quickly became sought-after experts. However, what do we really need to protect a business from risk?
The Purpose of Holistic Risk Management
With the emergence of the COVID-19 pandemic and the disruption that has followed, a wide variety of protective measures has emerged, and it has become clear that managing risk at a large scale is complex and multifaceted. Risks are not only interrelated with the measures taken against them; they also affect one another. For instance, the management of COVID-19 to protect health is closely linked to the economic future of entire industries, personal livelihoods, and even the education of tomorrow’s generation. We find that effective risk management in one area can lead to massive difficulties, and even threats to livelihoods, in other areas.
“A holistic approach requires risk management aligned with the objectives and interests of numerous entities.”
To select the correct risk strategy, interests must be prioritized, opportunities and risks analyzed, and, ultimately, decisions made that keep the “enterprise” Germany (or any other country) on track. Even though the success of the selected risk strategies can only be assessed in a few years, it has already become clear that risk management must take a holistic approach. A holistic approach requires risk management aligned with the objectives and interests of numerous entities. Furthermore, the approach must protect society’s best interest and favor neither “protecting life at all costs” nor the “freedom and self-responsibility” of each individual.
Looking at the big picture is crucial
The current situation seems, once again, to prove what risk experts, auditors, and consultants have been saying for a long time: a holistic view of risk is needed to support the organization and strengthen the company’s resilience. Risk managers and knowledge carriers from a wide range of management disciplines must work together to maintain performance and keep the organization successful. Flexible solutions that can be systematically integrated into a wide variety of areas and processes are needed to enable a systematic and integrated view. Simple “Excel-based” risk management solutions and backward-looking “reporting islands”, whether in controlling, auditing, risk management or compliance, rarely serve that purpose.
“A risk culture that is appropriate and accepted company-wide is a prerequisite for an effective risk management.”
Too many white, or at least grey, swans (foreseeable events) are wrongly labeled black (unforeseeable) and used as an excuse for the absence of risk management. Human error, cognitive bias, and siloed analysis are behind numerous strategic errors at all levels. It is often only during a crisis that it becomes clear how well or ill-prepared the company, the entrepreneur, the organizational unit and even the state are for managing uncertainty in a complex environment.
- Are goals and strategic objectives defined and known?
- Are responsibilities, competencies and authorities clearly communicated?
- Are processes and procedures defined?
- Are reliable figures available for making decisions?
- Have measures been prepared to deal with risks or does panic break out when it is already too late?
- Are there systems in place that enable cross-location and cross-departmental collaboration instead of cumbersome, manual and cost-intensive processes?
Avoiding risks, as well as seizing opportunities, must be firmly embedded in the daily routines of every office and its employees. Misconduct and a lack of risk awareness can have a massive impact on the entire community; this has been observed in numerous companies and is clearly visible in today’s social reality. Practice is the best teacher. A risk culture that is appropriate and accepted company-wide is a prerequisite for effective risk management. Only on the basis of trust in management can the strategy, goals, performance, and continued existence of the company be effectively supported.
Integrated Risk Management – Complexity becomes controllable
In complex systems, decisions tend to be risky because they often must be made quickly. The direct and indirect effects of entrepreneurial action cannot always be estimated with sufficient accuracy or modeled in time. Errors are therefore inevitable and will happen. Just as certain are the critics who will appear afterwards and who, in hindsight, knew better and would have done better.
Nevertheless, the entrepreneur’s duty of care and the often-cited requirements of §§ 91 and 93 of the German Stock Corporation Act (AktG) remain: § 91 requires a system for the early detection of developments that threaten the company’s existence, and § 93 sets the standard of care for management. The revised IDW Auditing Standard 340 (IDW PS 340) further specifies how risks are to be handled and how such a system is to be set up.
The high importance of risk management has long been reflected in numerous management standards, which call for a risk-oriented approach:
- Quality management acc. to ISO 9001:2015, which requires a risk-oriented approach to generating and maintaining product quality
- Occupational health and safety acc. to ISO 45001, which requires the prevention of risks and hazards to employees
- Information security according to ISO 27001, which requires a sound analysis of threats to the integrity, availability and confidentiality of information
- Emergency management in accordance with ISO 22301 and BSI Standard 100-4, for business continuity in the event of an emergency or crisis
- Compliance in accordance with ISO 19600 or IDW PS 980, which is also designed to be risk-oriented
Too many companies regard the various management systems as “silos” and use various separate risk management procedures, processes, and tools.
As a result, risk management methods become redundant, and reports on the probability of occurrence and the amount of damage often contradict one another. Even modern tooling and methodological refinements often do not help: AI-supported risk management or special “early warning indicators” deliver no added value if the process ends once the risk has been identified and entered in an Excel list.
To effectively manage risk, companies need to be able to not only monitor risks but also respond. Staying prepared for the unexpected and being able to take action has never been more important.
It is good to remember that complexity does not mean complicated. Rather, it is a matter of linking the essential elements in a meaningful way and managing them across processes in a standardized and system-supported manner. The risk-oriented approach allows concentration on the “essentials” and helps to reduce complexity. Good solutions do not have to be complicated.
How does integrated risk management work?
Integrated risk management considers the impact of risks on the entire organization and across different management functions. It lays the foundations for dealing with hazards and their causes in a structured and systematic way. Risks are not abstract. They have concrete causes and occur in various places inside and outside the company. Linking the causes of risks to their impact on processes, systems, workflows, products, suppliers, supply chains, projects, infrastructure, and finances is therefore essential when managing risks. Only by taking a holistic view and linking measures across organizational units such as purchasing, logistics, sales and administration will the company be strengthened, losses prevented, and the impact of the losses that do occur reduced.
“To effectively manage risk, companies need to be able to not only monitor risks, but also respond.”
Just as the pandemic shows us the importance of connecting different disciplines, the same proves true for the software landscape within companies. Traditional “island solutions” have reached their limits and drive the need for integrated risk management (IRM) solutions across all business units and risk and compliance functions.
With a modern software tool, such as an integrated platform, the complexity of GRC and management functions can be controlled, and an evaluation based on uniform data becomes possible:
- High expenses due to redundant work are avoided
- Clear roles and responsibilities help to analyze risks and to execute strategy across the organization
- Risk responses (mitigations) are standardized and demonstrably implemented throughout the organization
- Acceptance by employees and departments increases through meaningful and cross-disciplinary communication and reporting
- Risk management is perceived as support, since it helps to monitor risks, measures and controls
- Management, Executive Board and Supervisory Board have an overview of the various GRC initiatives in cockpits (dashboards)
- The effect of GRC initiatives on the organization’s performance metrics becomes quantifiable and visible
- The implementation status of measures is documented
- The duties of good governance and the standard of care of a prudent, conscientious manager are met
- Organizational failure is avoided
A wide range of tools and procedures is used to map the requirements of different departments. As with our children’s Lego sets, numerous flexible combinations are available in risk management that can be assembled to suit the organization’s requirements.
“Simple” simulations and modern questionnaire-based approaches are possible, as are advanced Monte Carlo methods for risk aggregation and risk linkage. External and internal data streams, as well as third-party information feeds, can also be easily integrated. All this helps to get a grip on complexity.
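The Monte Carlo risk aggregation and risk linkage mentioned here, and the earlier point that risks affect one another, can be made concrete with a short simulation. The following Python is an added example written for this edit; it is not Corporater’s code and does not describe how its platform works. The three risks, their probabilities, loss ranges and the single linkage are constructed illustrative figures, and the model itself (each risk is a yearly Bernoulli event with a triangular loss distribution; a link raises a dependent risk’s probability in years where its trigger has already occurred) is an assumption of this example, not something the article specifies.

```python
"""Monte Carlo aggregation of a small risk register, with one risk linkage.

Assumed model (not from the article): each risk is a yearly Bernoulli event
with a triangular loss distribution; a link raises the probability of a
dependent risk in years where its trigger has already occurred.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # chance the event occurs in a given year
    loss_low: float            # best-case loss if it occurs
    loss_mode: float           # most likely loss if it occurs
    loss_high: float           # worst-case loss if it occurs

    def expected_loss(self) -> float:
        # The mean of a triangular distribution is (low + mode + high) / 3.
        return self.annual_probability * (self.loss_low + self.loss_mode + self.loss_high) / 3


# Constructed sample register (illustrative figures, not real data), listed so
# that every trigger precedes the risks it influences.
RISKS = [
    Risk("Key supplier outage", 0.20, 200_000, 500_000, 2_000_000),
    Risk("Production shortfall", 0.10, 100_000, 300_000, 1_500_000),
    Risk("Ransomware incident", 0.05, 500_000, 2_000_000, 10_000_000),
]

# Risk linkage (assumed): if the supplier outage happens, a production
# shortfall in the same year becomes much more likely (0.10 -> 0.60).
LINKS = {"Key supplier outage": {"Production shortfall": 0.60}}


def simulate_year(rng: random.Random, risks, links) -> float:
    """Draw one year: decide which risks occur and sum the losses they cause."""
    occurred = set()
    total = 0.0
    for risk in risks:
        probability = risk.annual_probability
        for trigger, effects in links.items():
            if trigger in occurred and risk.name in effects:
                probability = max(probability, effects[risk.name])
        if rng.random() < probability:
            occurred.add(risk.name)
            # random.triangular's argument order is (low, high, mode).
            total += rng.triangular(risk.loss_low, risk.loss_high, risk.loss_mode)
    return total


def percentile(sorted_values, q: float) -> float:
    """Empirical q-quantile of an ascending list (nearest-rank style)."""
    index = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[index]


def aggregate(risks, links, years: int = 20_000, seed: int = 1) -> dict:
    """Simulate many years and summarise the annual-loss distribution."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = sorted(simulate_year(rng, risks, links) for _ in range(years))
    return {
        "expected_loss": sum(losses) / years,
        "p95": percentile(losses, 0.95),  # 95th-percentile annual loss
        "p99": percentile(losses, 0.99),
        "worst": losses[-1],
    }


def sum_of_expected_losses(risks) -> float:
    """Analytic expected annual loss; the Monte Carlo mean should approach it."""
    return sum(r.expected_loss() for r in risks)


if __name__ == "__main__":
    independent = aggregate(RISKS, {})
    linked = aggregate(RISKS, LINKS)
    print(f"analytic expected loss : {sum_of_expected_losses(RISKS):>12,.0f}")
    for label, result in (("independent", independent), ("linked", linked)):
        print(f"{label:<12} mean {result['expected_loss']:>12,.0f}  "
              f"p95 {result['p95']:>12,.0f}  p99 {result['p99']:>12,.0f}  "
              f"worst {result['worst']:>12,.0f}")
```

Running it shows two things the paragraph only asserts. The simulated mean annual loss matches the sum of the individual expected losses, because expected values add; the 95th and 99th percentiles, which are what a board asks about when it wants to know how bad a year can get, cannot be read off any per-risk figure and only come out of the aggregated distribution. Adding the single supplier-to-production link raises the mean modestly but pushes the tail up much more, which is the “risk linkage” effect: treating the two risks as independent understates exactly the years that matter.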
In addition, standardized models and procedures support the rapid mapping of “best-practice” approaches and smooth integration of existing standards and guidelines.
With the help of modern software tools, the implementation of an integrated risk management system that provides a holistic view of risk can be quite simple. One view, one platform.
Steffen Schürg is director of integrated risk management at Corporater. This article was first published on Corporater.