Creating a Risk Intelligent Organization

Many organizations spend time and effort building and developing robust risk mitigation frameworks and strategies to handle business-specific risks. In spite of constant monitoring through dashboards and reports, many companies still face major and unexpected issues. One of the main reasons for shortfalls in risk management is the general attitude towards risk mitigation. Although companies are well-prepared with an infrastructure in place, they often struggle to cultivate a sense of risk awareness, responsibility and intelligence across the fabric of the organization, which results in gaps and deficiencies.

Every organization realizes the significance of risk intelligence, but organizations frequently face issues in the initial stage of their transition. Developing a risk culture is frequently viewed as just a requirement to be fulfilled rather than something that adds value to an enterprise. Without a clear agenda, many companies find it impossible to cultivate risk-taking capabilities in their employee base.

Risk intelligence demands that every individual in an organization take responsibility for managing risks in the day-to-day operations. Senior management should assess the existing risk management strategy and gauge its effectiveness in alleviating risks as well as developing awareness throughout the organizational structure.

Factors Influencing Risk Culture

For a smooth journey in risk intelligence, senior management has to be completely aware of the levers influencing the risk-taking behavior of employees. Some of the major factors that impact smart risk-taking decisions include talent management, training and education, staff qualifications, incentives, leadership at the top of the organizational hierarchy, and the ability of an organization to make risk-based decisions.

To develop a risk-intelligent structure in business enterprises, organizations should perform a thorough assessment. This can be achieved by setting up objectives, conducting surveys and interviews, analyzing gaps, prioritizing actions, incorporating recommendations and keeping track of the effectiveness of the strategy. Comparing the existing culture against other influential factors such as governance, policies and procedures, competence, relationships, performance, and accountability will help the top management understand the current state of culture and the level of contribution of existing risk initiatives to create a positive impact on the business’s risk culture.

Conducting gap analysis around the influential factors will offer a better understanding of what needs improvement. To create an effective risk culture and make it work successfully to the benefit of an organization, management should continuously improve it to fit the changing business objectives and requirements.

Strengthening Risk Culture through Technology

Leveraging technology to create a centralized framework for capturing risks and organizing data elements will strengthen the risk culture to a greater extent. A risk management framework should speak a common language that is well understood throughout the organization, including stakeholders. Developing a technically assisted risk management strategy will eliminate the most common challenges faced by an organization.

A centralized data model will aid in managing risks that may arise due to external and internal events. It will also give the organization a top-down view of the business goals, global risks and the controls associated with them. A common risk environment enables effective monitoring and reporting of the gaps and risks using heat maps, dashboards, and charts. This will enhance the organization’s risk intelligence by providing real-time visibility into scores, its risk appetite, and its limitations towards risks.

Risk and security officers will be able to get a better picture through trend analysis and obtain useful insights. A flexible framework that is developed on the basis of industry standards will provide a strong foundation for risk intelligence and aid in the timely capture and categorization of risks and the initiation of appropriate corrective actions.

Key Elements of a Risk Intelligent Organization

  • A risk intelligent organization follows a unified and standardized risk framework that speaks the same language across the entire organization. A framework that follows a common language is easy to understand and helps mitigate risks in a timely manner, thereby driving value.
  • Successful creation of risk intelligence defines roles, responsibilities, and the hierarchy structure in an enterprise.
  • A centralized framework will also bolster support for business operations and a wide array of functions.
  • Creating risk intelligence will enhance performance and accountability.
  • A risk intelligent organization will be able to strike a perfect balance between risk and reward.
  • Risk intelligent architecture offers the executive management, board members, stakeholders, and audit committees the ability to effectively perform their duties by promoting a greater level of transparency. Executive management is assigned the task of developing, incorporating, and maintaining a robust and efficient risk management strategy and improving it on a regular basis to fit the changing requirements.
  • Business units are obligated to monitor the performance of their respective units and their approaches to managing risks as specified by the risk management and independent assurance functions, as well as oversight from executive management.
  • In a risk intelligent organization, finance, legal, HR, and IT units offer support to the individual departments in the organization in their efforts to mitigate risks.

Internal audit is tasked with providing independent and unbiased assurance to the senior management by assessing the efficiency of the risk management practices and finding ways to enhance those strategies.

Trends and Predictions for Retailers

Last year, retail and consumer packaged goods (CPG) companies faced challenges stemming from evolving regulatory compliance, brand exposure, reputational risk and increasingly complex global supply chains. No doubt 2014 will prove to be a pivotal year for organizations to demonstrate their focus and commitment to strong governance, risk management, and compliance in order to truly emerge as leaders. Here is a look at some top trends that have influenced the industry, and a few predictions that will shape the year ahead.

2013 Key Trends:

Increased Volume and Complexity of Regulations. In 2013, the retail/CPG industry faced a flurry of new and amended regulations spanning environmental compliance, conflict minerals reporting, product safety, data privacy, anti-corruption, and product packaging and labeling, to name a few. Ensuring compliance and staying one step ahead of regulators requires that retail and CPG organizations establish more centralized and collaborative compliance programs.

Managing the Supplier Ecosystem. We saw that environmental, man-made, and human rights issues can threaten the financial stability and reputation of retail and CPG organizations. Establishing a unified view of the organization and its entire supplier ecosystem requires consistency and transparency, which can be achieved only through stronger due diligence, monitoring, and reporting processes.

Focus on Collaboration. In response to increased compliance mandates, and added complexity throughout the supply chain, internal business functions have begun converging and collaborating in new ways. A strong, compliant, and risk-aware organization brings together the right people, the right skill sets, and necessary resources against a shared vision, mission, and purpose.

2014 Predictions:

Rising Importance of Reputation. Non-compliance, fines, product recalls, bribery and corruption allegations, customer activism, factory fires, and health and safety issues have put many retail and CPG companies in the hot seat. These incidents not only play out over front-page headlines, but can spread virally across social media sites in a matter of minutes. In 2014, building and maintaining an organization’s reputation will become a matter of survival.

Complying with the Affordable Care Act (ACA). The ACA impacts retail companies that employ a significant number of temporary workers. According to the ACA, health insurance must be provided to full-time employees who work at least 30 hours per week. In the retail industry, however, employees who work at least 40 hours per week have traditionally been considered full-time. Overcoming this discrepancy will require new policies and processes that will impact employees, human resources teams, and compliance executives alike.

Investments in Technology. As operations expand and supplier ecosystems become more diverse, organizations will be faced with new opportunities and new challenges. We will see organizations continue to focus on integrating the activities of multiple functions. Investing in new technologies and tools to help integrate quality customer service, regulatory compliance, supply chain governance and security can help organizations realize greater efficiencies, enhanced agility and improved business performance.

Tech Trends in 2013 and New Year Predictions

With the New Year comes added awareness of the hazards social media can present to corporations, the risks of data exchange between business systems and other challenges inherent with technology. Here is a look at the top trends of last year and predictions for the year ahead.

2013 Key Trends

1. Growing Convergence between IT, Security and the Business

Evolving risk challenges require that internal and external stakeholders are on the same risk page. For many organizations, however, internal audit, security, compliance and the business have different views of risk and what it takes to build a risk-aware and resilient business. Effective risk management starts with good communications. This includes a common taxonomy for dealing with risk, and a collaborative discussion framework to facilitate the cross-functional sharing of ideas and best practices.

2. Focus on Managing Third Party IT and Security Risks

Organizations are increasingly global and hyper-extended, with a heavy reliance on third parties such as partners, vendors, and cloud-based service providers. Data flowing within and throughout this modern business ecosystem supports critical business processes, and also contains sensitive and regulated information. Therefore, strong oversight and management of the various IT and security risks is critical to protect the business and its reputation.

3. Movement Towards Risk-Based Security Operations Management

In 2013, IT & Security Operations adopted a more formal, structured approach that is more closely aligned with the business and its priorities. Using a risk-based approach to prioritize security initiatives drives efficacy and efficiency—which can help secure greater buy-in and support from senior management. Risk-based security management allows security teams to promote an understanding of risk by communicating in the terms and context needed to support decision-making.

4. Bring Your Own Device (BYOD) and Mobile Device Risk Management

Mobile, e-commerce, online, wireless—this is how business is done today. Furthermore, employees are increasingly mobile and rely heavily on their devices, such as smartphones and tablets, for a variety of business activities. The threats that come with this trend are many, including data leaks, theft, and misuse. Corporate IT departments have to create stronger policies and tighter controls to manage corporate data, applications, and user behavior.

2014 Predictions

1. Leveraging social media to drive situational awareness

Security and business continuity management teams have begun to realize the power of both social media and technology solutions that can mine and analyze data from sources such as Google Crisis Maps, Twitter, Facebook, and more, to provide real time crisis updates. Further extending this intelligence can help governments and businesses gain a complete understanding of a crisis and all of its associated financial, operational, and reputational risks.

2. Focus on Continuous Monitoring in Risk Management

Effective risk management requires the real-time monitoring of threats, vulnerabilities, and potential exposures. In 2014, IT, Security, Risk and Compliance teams will need to work more closely together to create mature monitoring processes, supported by technology, and guided by regulations and standards such as PCI DSS 3.0, ISO 27001, and NERC CIP 5.

3. Security and Risk Analytics Based on IT and Security “Big Data”

Incorporating security analytics and metrics alongside more traditional performance metrics such as liquidity and revenue will be critical for management to gain a much-needed holistic view of the operational risk portfolio. Leveraging IT and Security “big data” can provide the risk intelligence needed to create a truly data-driven business, guide continuous improvement processes, and lay the foundation for organizational transformation.