5 Strategies to Maximize Your Risk Assessments

While risk assessments enable organizations to understand their business issues and identify uncertainties, the best assessments go further. They prioritize top risks, assign risk ownership, and most critically, integrate risk management and accountability into front line business decision-making. Simply put, “checking the boxes” just isn’t enough to achieve an organization’s real objectives.

Effective risk assessments can also give organizations a true advantage. Our sixth annual Risk in Review study–comprising viewpoints from more than 1,500 corporate officers in 80 countries—finds that companies shifting risk management leadership and collaboration to the first line of defense are measurably better equipped to succeed. We call these companies “front liners.” While a majority of companies agree that front line decision-making is ideal, somewhat surprisingly, front liners represent only 13% of survey respondents.

Front liners use effective risk assessment strategies to enable revenue and profit growth, while also creating agility to bounce back from adverse events more quickly than their peers. They also outpace the pack when it comes to using risk management tools and techniques (such as a risk rating system or scenario planning).

Based on the study results, here are five strategies you can adopt to gain a front liner advantage:

  1. Put your risk assessments to use in real-time

For true impact, organizations incorporate risk assessment findings into their business decisions. Assessments should be efficient, and actions should be implemented quickly to address immediate challenges. Annual assessments are a best practice, but our study shows front liners have a robust risk culture, conducting regular assessments. Ongoing collaboration across all three lines of defense, reinforced by continuous monitoring, enables the organization to more effectively align business strategies with risk appetite.

  1. Develop actionable guidance and insights for leadership

Effective risk assessments are relevant and actionable. Be sure to interpret risk information and recommend next steps to help management incorporate the findings into their strategic decisions. Make it easy for boards and senior management to understand the key findings by providing thorough insights. Data will mean a lot more if you identify the recommendations, target outcomes and next steps. Gaining the front liner advantage is best achieved by integrating risk guidance holistically into the organization, including planning, growth strategy and investments to M&A, staffing, disaster recovery and crisis management.

  1. Speak in lay terms

Leaders outside the risk management function may perceive risk assessments as an onerous process loaded with abstract language and a heavy focus on negative outcomes. To help leaders see value in these assessments, define the risks, drivers and consequences in familiar terms using meaningful scenarios that are specific to the organization.

  1. Balance automation with the human touch

While automation enables mass data collection, organizations benefit most when risk assessment surveys are combined with facilitated discussions. Gathering important qualitative information, facilitators can bring together multiple viewpoints and encourage productive debate. Pre-reads may also be a helpful tool to level-set on the organization’s strategic objectives and overall risk landscape.

  1. Adopt a realistic view of risk management

It can sometimes be difficult for management to accept the findings of a risk assessment, especially if they believe there is a low probability such events will occur. To support strategic, risk-based decision-making, risk scenario analyses can spur productive discussions about the organization’s overall risk landscape, while dynamic, engaging tools like a risk scenario dashboard can help to draw in even the most reluctant participants.

Following these strategies can help your risk assessments to not only be relevant, but also essential to your organization’s business strategy and growth objectives.

Fewer Sleepless Nights for Compliance Executives

Improved compliance programs, sufficient resources and board access have meant fewer concerns about personal liability for compliance executives, according to a study by DLA Piper.

In its 2017 Global Compliance & Risk Report, DLA Piper found that 67% of chief compliance officers surveyed said they were at least somewhat concerned about their personal liability and that of their CEOs, which was down from 81% in 2016. And 71% said they made changes to their compliance programs based on recent regulatory events, up from just 21% a year earlier. The study found that globally the compliance function is becoming more independent and prominent in large organizations.

There still remains room for improvement, however, most notably in compliance’s relationship with boards of directors. Directors, surveyed for the first time, were more uneasy, with 82% expressing at least some concern about personal liability. “This is likely related to other findings that show lingering kinks in communications channels and a persistent lack of training for directors. Together, these findings indicate that the relationship between the compliance function and boards needs work—despite efforts taken by organizations to upgrade their compliance program,” DLA Piper said.

In 2016, 77% of compliance executives said they had sufficient resources, clout and board access to support their ability to effectively perform their jobs. This year the number rose to 84% who said they felt that way. The improvement is possibly a reflection of the increased percentage of respondents who had the resources to make changes to their compliance program, compared to 2016, according to the survey.

While more respondents said they are increasingly able to affect change, obtain the resources they need and access senior leadership, however, a larger number said their budget was not high enough to accomplish their goals, from 28% in 2016 to 38%.

Boards had a different view, with 53% of directors agreeing strongly that their compliance group had sufficient resources, clout and board access. This was compared to just 29% of CCOs, which could indicate that CCOs are not effectively communicating their needs, the company said.

Of concern was that many directors appear to be receiving inadequate reporting and training on compliance matters. About a quarter of both CCOs and board members said the compliance function at their organization reports to the board less than once per quarter.

Of training, the report said that in light of a perceived heightened liability exposure for directors, it is puzzling that 44% of director respondents said they hadn’t received any training on compliance issues. Given evolving compliance standards and regulations—such as new Securities and Exchange Commission guidance on conflict minerals and updated DOJ guidance on corporate fraud—it’s arguable that training is more important than ever. Failure to engage in training could amount to a breach of fiduciary duty.

Almost half of respondents, 46%, identified monitoring as the weakest part of their compliance program. Monitoring, however, is particularly important in managing third-party risk, as regulators remain focused on violations related to third parties and as companies struggle to manage sprawling global organizations, DLA Piper said.

Top tools companies use to rate their compliance program:

In a Changing World, Questions For the CRO

Before the financial crisis in 2008-2009, many businesses didn’t think of risk as something to be proactively managed. After the crisis, however, that paradigm shifted. Companies began perceiving risk management as a way to protect both their reputations and their stakeholders.

Today, risk management is not just recommended, it is considered crucial to successful operations and is required by federal and state law. The SEC’s Proxy Disclosure Enhancements, enacted in 2010, mandate that organizations provide information regarding board leadership structure and the company’s risk management practices. Company leadership is required to have a direct role in risk oversight, and any risk management ineffectiveness must be disclosed.

The CRO’s role

Volatility in the current business environment—a confluence of factors including transfers of power, the world economy and individual markets—is nothing new. Political transitions have always been accompanied by new agendas and shifting regulations, economies have always experienced bull and bear markets, and the evolution of technology constantly changes our processes.

Even so, recent events like Brexit, the uncertainty of a new administration’s regulatory initiatives, and thousands of annual data breaches have contributed to an unprecedented atmosphere of fear and doubt. To navigate this environment, the chief risk officer needs to adopt a proactive risk management approach. Enterprise-wide risk assessments grant the visibility and insight needed to present an accurate picture of the company’s greatest risks. This visibility is what the board needs to safely recognize opportunity for innovation and expansion into new markets.

To grow a business safely—by innovating and adding to products/services and expanding into new markets—risk professionals should not focus on identifying risk by individual country. This approach naturally leads to a prioritization of “large-dollar” countries, which aren’t necessarily correlated with greater risk. Countries that contribute a small percentage of overall revenue can still cause major, systemic risk management failures and scandals.

A better approach is to look at risk across certain regions; how might expanding the business into Europe, for example, create new challenges for senior management? Are there sufficient controls in place to mitigate the risks that have been identified?

When regional risks are aggregated to create a holistic picture, it becomes possible for the board to make sure expansion efforts are aligned with strategic goals.

Three processes that require ERM

Risk management is an objective process, and best practices, such as pushing risk assessments down to front-line process owners who are closest to operational risk, should be adhered to regardless of the current state of the international business arena.

While today’s political climate has generated a significant amount of media strife, it’s important not to let emotion influence decision-making. By providing the host organization with a standardized framework and centralized data location, enterprise risk management enables managers to apply the same basic approach across departments and levels.

This is particularly important when an organization expands internationally, which involves compliance with new sets of regulations and staying competitive. Performing due diligence on an ad hoc basis is neither effective nor sustainable. Instead, the process should follow the same best-practice process as domestic risk management efforts:

  1. Identify and assess. Make risk assessments a standard part of every budget, project or initiative. This involves front-line risk assessments from subject matter experts, revealing key risks and processes/departments likely to be affected by those risks. For example, financial scrutiny is no longer a concern just for banks. Increased attempts to fight terrorism mean transactions of all kinds are becoming subject to more review. Anti-bribery and anti-corruption processes estimate and quantify both vulnerability and liability.
  2. Mitigate key risks. Connect mitigation activities to the resources they depend on and the processes they’re associated with. ERM creates transparency into this information, eliminating inefficiency associated with updating/tracking risks managed by another department. Control evaluation is the most expensive part of operations. Use risk management to prioritize this work and reduce expenses and liability.
  3. Monitor the effectiveness of controls with tests, metrics, and incident collection for risks and controls alike. This ensures performance standards are maintained as operations and the business environment evolve. Evidence of an effective control environment prevents penalties and lawsuits for negligence. The bar for negligence is getting lower; technology is pulling the curtain back not only internally but (through social media and news) to the public as well.

Lastly, the CRO role is increasingly accountable for failures in managing risk along with other senior leaders and boards—look no further than Wells Fargo.

Total Cost of Risk Drops for Third Straight Year, RIMS Finds

Despite the challenges of a slowed economy in an election year, a shifting risk landscape as a result of technological advances, and a slow to negative growth rate in some sectors, 2016 saw the total cost of risk (TCOR) decline for the third consecutive year, according to the 2017 RIMS Benchmark Survey.

Even in the face of such uncertainties, the TCOR per $1,000 of revenue continued to drop, ending at $10.07 in 2016. The main drivers were declines in all lines excluding fidelity, surety and crime costs, according to the report. TCOR is defined in the survey as the cost of insurance, plus the costs of the losses retained and the administrative costs of the risk management department.

The survey encompasses industry data from 759 organizations and contains policy-level information from 10 coverage groups, subdivided into 90 lines of business.

Uncertainty around policies in the new presidential administration will continue to dominate in 2017, as the nation’s trade policy, regulatory reform and tax system could see changes, RIMS reported. The new political regime is also expected to reduce regulatory oversight at the state, federal and international levels.

Key findings from this year’s RIMS Benchmark Survey include:

  • Technological advances have caused a seismic shift in the risk landscape, creating new types of claims and forcing insurers to consider new products and solutions for customers.
  • Insurers ended 2016 with average capital and surplus at the highest level in 10 years. However, excess capacity is undermining profitability, as seen by falling net income and return on average equity.
  • The personal insurance space is in the midst of a consumer-centric revolution, offering customers new transaction platforms, better metrics and more flexible pricing and coverage options. Commercial insurance is expected to adopt a similar focus, transforming the way business is transacted.
  • Predicted rate increases for cyber, E&O and workers compensation failed to materialize across the board. Projections for 2017 are more moderate, with property and most liability lines flat to down 10%.
  • Emerging trends in the 2017 risk landscape include the tech revolution, security issues, natural catastrophes and political upheaval.

“The RIMS Benchmark Survey chronicles the evolution of corporate risk management costs over time. This year’s edition highlights how risk managers have effectively managed costs in a time of evolving risks and demands, enabling them to do more with less,” said Jim Blinn, executive vice president of client solutions at Advisen.