Redistributing risk management: why risk management isn’t only for compliance teams

A strong compliance team is an essential first step towards effective risk management – but it is only one part of the puzzle. If your organization relies exclusively on compliance professionals to safeguard against emerging threats, you could be leaving yourself at risk, with potentially costly results. Here’s why risk management should be core business for everyone in your business.

By AnsaradaThu Dec 16 2021CEO-CFO, Audits and compliance, Security and risk management, Environmental Social and Governance

The events of the last few years have clearly shown that every business must be poised to identify and manage novel risks. So why do so many organizations still treat compliance and risk management as secondary to their core operations?

A recent PwC survey found that, even in the wake of the pandemic, only 1 in 4 organizations align risk and compliance targets with the strategic objectives of the business.  This suggests that for many organizations, risk and compliance remain siloed functions, rather than outward-looking activities designed to anticipate, detect and control key operational, financial and reputational risks.

Isolating compliance from broader risk considerations can also be very costly. In the US, the Office of the Comptroller of the Currency (OCC) has levied millions of dollars in fines from some of our largest financial institutions,  culminating in this year’s $250m fine for Wells Fargo, with the banks’ failure to implement broad risk management programs a key factor.  

Meanwhile, Fitch Ratings has put companies on notice that governance weaknesses are increasingly likely to lead to ratings downgrades, as investors’ scrutiny of Environmental, Social, and Governance (ESG) issues intensifies. 

Why compliance alone is not enough

While compliance and risk management have much in common, they remain separate activities that can complement but not replace one another. 

The focus of compliance is to ensure your business is fulfilling all of its obligations, especially those imposed by laws and regulations. In contrast, the focus of risk management is broader, aiming to identify, assess and control all potential threats to capital and earnings – including those not captured by legislation.

That’s important, because new risks are constantly appearing. Significant ‘threat multipliers’ like climate change, the COVID pandemic and novel cyber-threats have begun to manifest in unpredictable ways, compelling businesses to regularly reassess their risk exposure and continuously update their risk management processes.

The breadth and complexity of these emerging issues heightens the need to distribute risk management responsibilities across the business, rather than relying solely on a separate team of risk professionals. By creating a distributed risk model, you can harness the expertise of specialists across the organization – from supply chain managers to IT professionals – and actively engage everyone in the business of managing risk.

In fact, risk management firm Aon cautions that creating a large, specialized risk team can actually lead to worse outcomes, if that team is isolated from the rest of the business: “The existence of a larger, centralized risk team may create the impression that the central team is ‘responsible’ for risk management, rather than risk being the responsibility of all.” 

Aon says that’s why recognized international standards for risk management, such as COSO and ISO31000, stress the importance of embedding risk disciplines and behaviors into day-to-day operations, not isolating them in a compliance team.

3 red flags that show you may be suffering from siloed risk management

1. Poor governance

Effective governance and the right ‘tone at the top’ are essential in driving transparency, openness and a commitment to continuous improvement. 

2. Lack of transparency

A lack of transparency in decision-making in high-risk areas is a key warning sign, often driven by the divergence of commercial and risk-management objectives. This can involve the hiding of data, a lack of data, and siloed data, all of which can potentially contribute to excessive risk taking without the ability to see the full picture.

3. Ineffective risk analysis

A common reason for failures to identify key risks in a timely way, this can be caused by a lack of risk analysis expertise, poor data-gathering, the inadequate use of risk modelling or simulation, or an excessive focus on compliance ‘box-ticking’ over considered analysis.

5 steps towards distributed risk management

1. Risk identification, analysis and evaluation

Establish the organization’s unique risk appetite and risk tolerance. Define possible risk scenarios, analyze their potential impact, and determine how best to respond to the risks they represent.

2. Enterprise-wide risk governance 

Establish an enterprise risk framework that leverages the skills and capabilities of key staff across the business.

3. Communication and consultation

Develop and implement a clear communication plan to convey the organization’s risk policies and framework to all employees and relevant parties.

4. Monitoring and review

Ensure that the controls are working by measuring key performance indicators (KPIs) and monitoring key risk indicators (KRIs). Combine independent auditing and oversight with cross-functional teams to gather a diversity of views and expertise.

5. Data-gathering and automation

Invest in Governance, Risk and Compliance (GRC) software that helps you continuously adapt and improve risk practices. The right solution can help you make more informed decisions, carry out due diligence, test risk controls, and automate risk management activities using a single, unified platform. 

You may also be interested in