Building your risk management strategy framework
4 critical questions you should consider
Stress-testing your risk management strategy can address business vulnerabilities that could lead to unacceptable levels of risk.
Board members, C-suite executives and other organizational leaders have a responsibility to develop a vivid picture of the future and define a strategy to get there. Stress-testing that high-level strategy should be part of your risk management process. Everything a business or other organization does comes with some amount of risk, and understanding that risk on multiple levels is part of the responsibility.
Although companies haven’t traditionally stress-tested risk management strategy, that is changing — especially after the experiences of a global pandemic, multiple disastrous weather events and continuing shortages in vital supply chains during the past two years.
As your organization begins to evaluate its strategy and risk management framework, ask these four questions to discover and address vulnerabilities that could escalate into unacceptable levels of risk.
Risk management strategy question No. 1:
Have the strategic plan and its underlying assumptions been stress-tested with respect to severe market, customer, supply chain and technology events?
Strategic planning often begins with collecting large volumes of data to use in modeling potential future scenarios, and then analyzing a second wave of data for determining which scenario is best.
As enterprise risk management frameworks catch up to the new reality of proactively planning for so many disruptive outside forces, one emerging practice is stress-testing strategic plans. By incorporating black swan events into the planning process, leadership is able to estimate the possible impact to operations and also identify mitigating strategies to limit overall risk exposure to the business.
Business conditions can shift quickly and impact key areas such as availability of raw materials or an unexpected upward swing of demand — sometimes within months. Having the flexibility to pivot overall strategy if needed is a big competitive differentiator now, and it will be even more important in the future.
Risk management strategy question No. 2:
What short- and long-term changes to our risk management framework may be needed for our strategy to be successful?
Regularly reviewing and updating your risk management framework is essential to identifying and monitoring new or critical risks. When considering changes to your framework, evaluate these potential risk areas.
- Remote workforce technology risks. The work environment is being stretched through access points that are now potentially vulnerable. Is your organization doing everything for home computers that it was doing for workplace computers? Do employees need to use different applications to ensure security and reliability?
- Data risks. The amount of data used in organization systems is continuously growing. While there’s a potential for creating high value from data, it comes with risk. As the amount and potential of data rises — including upstream and downstream data from vendors and third parties — are your organization’s skillsets and governance policies keeping up?
- Talent risks. An organization is only as strong as its people. Does your organization need to evolve its recruiting strategy or its compensation model to maintain a leadership pipeline? What key roles could be co-sourced or outsourced?
- Cloud risks. Organizations are using more and more cloud technology and services for digital transformation. Have all of the potential risks of moving to the cloud been identified and addressed?
Risk management strategy question No. 3:
How are you monitoring evolving and emerging risks and assessing their impact on your risk management framework?
Organizations should revisit their risk framework routinely to ensure that top risks are aligned with current market conditions. You can leverage governance, risk management and compliance (GRC) software, automation and analytics to help your organization monitor its risk framework in real time and assess whether modifications are needed in your strategic plan or related activities.
For example, how could shortages of a particular skill set, growing cybercrime threats, or climate changes affect the overall risk framework and company strategy? Failure to monitor current business conditions and their impact to your risk framework, operations and strategy could have significant consequences to the growth and viability of your operations.
Risk management strategy question No. 4:
How is the organization building resiliency and considering lessons learned for any future crises?
One lens to use when updating your risk management framework is lessons learned from recent events. For example, many companies are reviewing and changing their supplier relationships and supply chain management because of the COVID-19 pandemic. When lean inventory practices and sourcing exclusively on low cost led to a lack of materials and parts — and lost business when manufacturers couldn’t fulfill product demand — companies realized supply chain resiliency was a top risk that needed to be addressed.
Another common area to review is cybersecurity. According to first quarter 2021 RSM Middle Market Business Index data, 28% of middle market executives said that their company experienced a data breach in the last year — the highest level since RSM began tracking data in 2015 and a sharp rise from 18% just last year.
In 2020, 33% of respondents reported a ransomware attack and 51% suffered a social engineering attack. If your risk management strategy doesn’t include a strong resiliency component for cybersecurity and other lessons learned, consider how to close that gap.
Update your risk management strategy
By asking these four questions, you can begin to identify and assess the vulnerabilities that could develop into major risks to your business. While results from these assessments can be overwhelming, your organization does not have to address vulnerabilities alone. You can leverage the experience of a trusted advisor to ensure your organization remains healthy and aware of evolving, emerging risks to your business.