GCC Sutra #2 - Integrated Risk Management Framework (Part 2)
I have spent nearly 3 decades setting up, growing, maturing, and excelling in global captives, which are called GICs/GCCs/CoEs and are essentially distributed global teams for large organizations to take advantage of talent, technology & trends as part of their strategic growth imperatives.
My attempt here through this series of articles is to bring some of the best practices tried and tested with impact in real-world scenarios for global centers of large organizations based in India. The study and practices, however, can be reviewed for applicability and implementation for any organizations located globally and are agnostic to the domain in which they operate.
We will get into detail on the structure, process, and impact of an integrated risk management framework in this sutra.
Recap - types of organizational risks from Part 1:
- Strategic Risk.
- Compliance Risk.
- Operational Risk.
- Financial Risk.
- Reputational Risk.
What is risk control?
Risk controls are measures taken to identify, manage, and eliminate threats. Companies can create these controls through a range of risk management strategies and exercises. Once a risk is identified and analyzed, risk controls can be designed to reduce the potential consequences. Eliminating a risk—always the preferable solution—is one method of risk control. Loss prevention and reduction are other risk controls that accept the risk but seek to minimize the potential loss (insurance is one method of loss prevention). A final method of risk control is duplication (also called redundancy). Backup servers or generators are a common example of duplication, ensuring that if a power outage occurs no data or productivity is lost. However, to develop appropriate risk controls, an organization should first understand the potential threats.
A dynamic risk management plan can be broken down into three components:
- Detecting potential new risks and weaknesses in existing risk controls,
- Determining the organization’s appetite for risk-taking, and
- Deciding on the appropriate risk management approach.
Here’s more information about each step and how to undertake them.
1. Detecting risks and controlling weaknesses: A static approach to risk is not an option, since an organization can be caught unprepared when an unlikely event, like a pandemic, strikes. So, it pays to always be proactive. To keep pace with changing environments, companies should answer the following three questions for each of the risks that are relevant to their business.
a. How will a risk play out over time? Risks can be slow-moving or fast-moving. They can be cyclical or permanent. Companies should analyze how known risks are likely to play out and reevaluate them regularly.
b. Are we prepared to respond to systemic risks? Increasingly, risks have longer-term reputational or regulatory consequences, with broad implications for industry, the economy, or society at large. A risk management strategy should incorporate all risks, including systemic ones.
c. What new risks lurk in the future? Organizations should develop new methods of identifying future risks. Traditional approaches that rely on reviews and assessments of historical realities are no longer sufficient.
2. Assessing risk appetite:
How can companies develop a systematic way of deciding which risks to accept and which to avoid? Companies should set appetites for risk that align with their values, strategies, capabilities, and competitive environments—as well as those of society. To that end, here are three questions companies should consider.
a. How much risk should we take on? Companies should reevaluate their risk profiles frequently according to shifting customer behaviors, digital capabilities, competitive landscapes, and global trends.
b. Are there any risks we should avoid entirely? Some risks are clear: companies should not tolerate criminal activity or sexual harassment. Others are murkier. How companies respond to risks like economic turmoil and climate change depends on their business, industry, and levels of risk tolerance.
c. Does our risk appetite adequately reflect the effectiveness of our controls? Companies are typically more comfortable taking risks for which they have strong controls in place. However, the increased threat of severe risks challenges traditional assumptions about risk control effectiveness. For instance, many businesses have relied on automation to increase speed and reduce manual error. However, increased data breaches and privacy concerns can increase the risk of large-scale failures. Organizations, therefore, should evolve their risk profiles accordingly.
3. Deciding on a risk management approach:
Finally, organizations should decide how they will respond when a new risk is identified. This decision-making process should be flexible and fast, actively engaging leaders from across the organization and honestly assessing what has and hasn’t worked in past scenarios. Here are three questions organizations should be able to answer.
a. How should we mitigate the risks we are taking? Ultimately, people need to make these decisions and assess how their controls are working. However, automated control systems should buttress human efforts. Controls guided, for example, by advanced analytics can help guard against quantifiable risks and minimize false positives.
b. How would we respond if a risk event or control breakdown happens? If (or more likely, when) a threat occurs, companies should be able to switch to crisis management mode quickly, guided by an established playbook. Companies with well-rehearsed crisis management capabilities weather shocks better, as we saw with the COVID-19 pandemic.
c. How can we build true resilience? Resilient companies not only better withstand threats—they emerge stronger. The most resilient firms can turn fallout from crises into a competitive advantage. True resilience stems from a diversity of skills and experience, innovation, creative problem-solving, and the basic psychological safety that enables peak performance.
Change is constant. Just because a risk control plan made sense last year doesn’t mean it will next year. In addition to the above points, a good risk management strategy involves not only developing plans based on potential risk scenarios but also evaluating those plans regularly.
What are five actions organizations can take to build dynamic risk management?
In the past, some organizations have viewed risk management as a dull, dreary topic, uninteresting for the executive looking to create a competitive advantage. But when the risk is particularly severe or sudden, a good risk strategy is about more than competitiveness—it can mean survival. Here are five actions leaders can take to establish risk management capabilities.
1. Reset the aspiration for risk management. This requires clear objectives and clarity on risk levels and appetite. Risk managers should establish dialogues with business leaders to understand how people across the business think about risk and share possible strategies to nurture informed risk-versus-return decision-making—as well as the capabilities available for implementation.
2. Establish agile risk management practices. As the risk environment becomes more unpredictable, the need for agile risk management grows. In practice, that means putting in place cross-functional teams empowered to make quick decisions about innovating and managing risk.
3. Harness the power of data and analytics. The tools of the digital revolution can help companies improve risk management. Data streams from traditional and nontraditional sources can broaden and deepen companies’ understandings of risk, and algorithm scans boost error detection and drive more accurate predictions.
4. Develop risk talent for the future. Risk managers who are equipped to meet the challenges of the future will need new capabilities and expanded domain knowledge in model risk management, data, analytics, and technology. This will help support a true understanding of the changing risk landscape, which risk leaders can use to effectively counsel their organizations.
5. Fortify risk culture. Risk culture includes the mindsets and behavioral norms that determine an organization’s relationship with risk. A good risk culture allows an organization to respond quickly when threats emerge.
How do scenarios help business leaders understand uncertainty?
Done properly, scenario planning prompts business leaders to convert abstract hypotheses about uncertainties into narratives about realistic visions of the future. Good scenario planning can help decision-makers experience new realities in ways that are intellectual and sensory, as well as rational and emotional. Scenarios have four main features that can help organizations navigate uncertain times.
1. Scenarios expand your thinking. By developing a range of possible outcomes, each backed with a sequence of events that could lead to them, it’s possible to broaden our thinking. This helps us become ready for the range of possibilities the future might hold—and accept that change might come more quickly than we expect.
2. Scenarios uncover inevitable or likely futures. Broad scenario-building efforts can also point to powerful drivers of change, which can help to predict potential outcomes. In other words, by illuminating critical events from the past, scenario building can point to outcomes that are very likely to happen in the future.
3. Scenarios protect against groupthink. In some large corporations, employees can feel unsafe offering contrarian points of view for fear that they’ll be penalized by management. Scenarios can help companies break out of this trap by providing a “haven” for opinions that differ from those of senior leadership and that may run counter to established strategy.
4. Scenarios allow people to challenge conventional wisdom. In large corporations, there’s frequently a strong bias toward the status quo. Scenarios are a non-threatening way to lay out alternative futures in which assumptions underpinning today’s strategy can be challenged.
Integrated Risk Assessment Framework (Exhibit 1)
- Mapping organizational-wide risks to this framework and periodically reassessing the risk profile helped an organization with 5 centers in India, 15000 employees, and 45 internal business and support functions to improve the risk posture by >85% over 3 years.
- External audit findings from statutory and accredited 3rd party auditors reduced by >90% with zero repeat non-conformities over 5 years.
- The framework became the basis of an integrated Risk Management process deployed globally and the team was recognized twice within the organization.
Exhibit 1 - (Acknowledgements: Enterprise Resilience Team at VMware India)
End of Part 2
Next Steps: I am available for mentoring/consulting/independent director engagements and you can reach me at [email protected]
Next Edition for GCC Sutra: Best Practice - Risk Management Framework
Founder at A & I Ventures
6 months ago: Interesting. Let us connect whenever you are free.
Transforming Organizations to Scale for Growth / Maturity
6 months ago: Narinderjit Singh Ganga Raghuram for being on the team at VMware for the case study highlighted. It has been a pleasure and honor to set the ERM process as a benchmark. All the best for your journey ahead. Thanks.
Transforming Organizations to Scale for Growth / Maturity
6 months ago: Thanks, Ramkumar Narayanan for being an inspiration to support and encourage always. Truly blessed to have worked on your team and will always look to you for advice and insights. Truly appreciate.