During our live webinar session on How COVID-19 learnings will shape the New Normal of Risk Management, our participants asked questions covering several topics including risk assessments, risk mapping, and predictive risk analytics. Here are the responses from webinar hosts Michael Rasmussen and David Tattam, as well as Nick Broome, Director Risk Advisory and Analytics at Protecht.
Thank you to all our viewers for participating in our webinars. If you missed the live session of this webinar, visit this page to watch the recording on-demand.
Part 1 - Governance, Risk and Compliance
Answers from Michael Rasmussen, the GRC Economist and Pundit from GRC 20/20
1. Are we seeing a greater focus on risk assessment for a potential second wave in COVID-19?
It is hard to provide a blanket answer as I see organisations going in a lot of different directions. Some are so consumed with the current crisis they have not begun planning for a second wave of COVID-19. Others may have someone in risk management screaming they need to, but the business is not listening - the voice crying in the wilderness. Then there are many who are preparing for not only a second wave of COVID-19 but also doing more proactive risk planning for future pandemics and crisis. I would state that the overall trajectory across organisations show a greater focus on risk assessment for a second wave and beyond, but I also find that there are many still unprepared.
2. In my experience it is clear that operational risk does not enjoy the same prominence and focus in the US as it does in countries such as the UK, Canada, Australia etc. Does Michael think this is likely to change in the near future and does he think the UK's regulatory initiative on operational resilience has a good chance of spurring something similar in the US at both the federal and state levels?
Great question. I find both enterprise and operational risk management to be more mature in the UK, Europe, Australia, and South Africa than it is in the United States. I would put Canada sort of in the middle between the USA and the rest I referenced. The issue is that risk management in the USA historically has been more of a compliance exercise instead of true risk management integrated from a business perspective.
Too many enterprise and operational risk management programs in the USA have been nothing more than a slightly expanded view of risk for Sarbanes Oxley (SOX) compliance and financial reporting. But that is a generalisation as there are some great risk management programs in the USA, it is just not the norm. I do see that coming out of this pandemic that there will be a greater focus on risk management and operational resilience. I fully expect we will see a broader focus on operational resilience across industries as well as geographies post-COVID.
3. Michael, what's the most important thing risk managers should do to influence the C suite?
The most important thing risk managers can to do influence the C suite is to communicate risk management in terms the business understands. Risk has to be understood in context of objectives of the organisation - entity, division, department, process, project, or even asset level objectives. Risk management needs to work with the business and measure and model risk in context of objectives, strategy, and performance of the organisation. Risk management also needs to be a facilitator and coordinator of risk management and ensure the business understands that they own and are exposed to the risk.
Communicating risk management in terms the business understands
is the most important thing risk managers can do to influence executive-level managers.
Part 2 - Risk Mapping and Reporting
Answers from David Tattam, Director, Research and Training from Protecht
4. How do you change a culture of "Static" (monthly/quarterly) risk reporting and review to a dynamic culture where risk is embedded in operations?
The key components required to move from static to dynamic risk reporting are:
- The ability to collect the full range of risk information as soon as it is available covering Risk Assessment, Risk Metrics (KRIs and KPIs), Controls Assurance, Incidents, Issues and Actions, Internal Audit Findings and so on. Wherever possible, automation is the key using APIs and the like to seamlessly link business systems to the risk system.
- The ability to link all of the collected data to the same risk. This requires a strong risk taxonomy / library and a system that can facilitate the linkage of data to risks.
- The ability to deliver meaningful dynamic reports that speak to Assurance, Redflags, Decision Making and Risk Based Performance Measurement so that the business see the value of becoming more dynamic.
Once you move to a more dynamic approach, the business will naturally become more engaged as the risk information is forward looking, up to date and relevant, giving the business valuable information by which to manage the business.
5. You suggest a full risk mapping. But for small companies it is more common to focus on the major risks. How do you rank the risks based on what is most important for your business at the moment, for a tactical response?
Ranking of risks does require some kind of “measurement” as a basis for prioritising the most important risks first. For smaller companies, it makes sense to do a more qualitative “measurement” based on management’s view of the relative importance of each risk. We traditionally assess using the likelihood and potential consequence of the risk, even if this is a guesstimate. We should also consider risk velocity, refer to one of our blogs "Risk Velocity - The Third Dimension of Risk?".
How quickly could the risk materialise? We should rank the risks according to these three factors, ensuring that balanced weighting is given across the three factors.
We can then tactically address the bigger risks with high velocities and then work down the list as you manage the bigger ones and become more mature.
As you mature with the ability to collect a wider range of data for each risk, you can more to a more quantitative approach backed up by data which then provide a more objective view of what the major risks are.
6. 5 by 5 heatmaps have got a bit of a negative feedback recently - have you seen any great alternatives?
The Likelihood / Consequence heatmap has been around for many years now and is still favoured by many organisations as a way of reporting the relative importance of each risk. However, much of the negative feedback is valid as there are many shortcomings and flaws with the classic heatmap which need to be understood when they are used. These include:
What assumed risk are we assessing? Are we assessing a “typical” example of the risk of an “atypical” – towards worse case? They will give very different answers on the heatmap.
- How is the assessment of likelihood and consequence determined? Most of the time it is the subjective judgement and opinion of the assessor(s) with all of their human biases and heuristics.
- What scales are used for likelihood and consequence in terms of type of scale and levels?
- How do you assess the consequence when there are multiple consequence types?
And the list goes on …
A few years ago, we wrote an eBook on “Five alternatives to the Risk Assessment Matrix”. Since then, however, we have been moving towards integrated dynamic risk reporting which we call “RiskInMotion”. This does not eliminate the heatmap as we recognise that it is still commonly used. Instead, it amalgamates the heatmap with other available risk data such as key risk indicators, incidents, controls assurance and so on, such that the importance of the heatmap is downplayed and it is just one part of a bigger picture of risk.
The RiskInMotion dashboard combines the risk heatmap with other available risk data.
Part 3 - Measuring Risks in Protecht.ERM
Answers from Nick Broome, Director, Risk Advisory and Analytics from Protecht
7. How do you or your product predict risks based on the factors you put into the software?
Predictive analytics for risks is challenging and there is no generic solution for all companies. Protecht.ERM focusses on capturing metrics that are drivers of risks and bringing these together with other relevant information from across the risk framework to present a holistic picture of the risk to inform decision making.
8. How do you measure risks? Based on actual data input or predictive data?
Protecht.ERM supports assessing risks by both qualitative and quantitative approaches. Quantitative approaches can include measuring by simple data input metrics but also combining these using algorithms and mathematical formulae.
9. How do you measure risk response impact? Simple tool?
Protecht.ERM supports assessing the impact of controls and other responses to risk by both qualitative or quantitative approaches.
To learn more about how Protecht.ERM assists you in measuring and analysing your risk data, simply book an online or a face to face meeting with our friendly team.
