The Power of Operating Strategically in the Risk Space

Those who operate in the risk space are almost always dealing with limited time and resources. Having a platform to make smart decisions in the midst of the overwhelming is essential and basic. Operating strategically is not an activity reserved for those sitting in the C-suites of organizations. Those who oversee process areas that hold value and connect to the success of an organization have a duty and obligation to tap into the power of strategic thinking.

When faced with the overwhelming, many risk leaders resort to what they may know best: the tactical. Unfortunately, operating tactically before your strategic foundation is in place tends to keep risk leaders in a cycle of activity that prevents them from seeing the forest for the trees and getting to what is most important.

As organizations deal with risk, the “win” is not what you do [the number of controls and processes] but the results you get. Results in the risk space [complex environments] are born from being strategically prepared to make timely decisions that get the best return on your time and resources. The basics for risk leaders to operate strategically are establishing a risk register, your 3 Lines of Defense, your risk baseline and an effective rating process.

Establish a Risk Register

Whether you are focusing on the full enterprise of risks an organization faces or are dedicated to Hazard Risk Management, it is important to have structure for capturing, organizing and prioritizing risk. Without structure and a strategic approach, you will be making decisions without knowing the complete story. You want time and resources to go to what is most important. If you do not have a process to collect and consider all risks, the risks in the forefront will potentially take precedence over more serious risks that quietly await their opportunity to make a much bigger impact on the organization.

Being strategic means that you first have a process to capture risk and, secondly, a structure to manage it. It makes the statement that risk is important, that you want to hear what stakeholders have to say, and that you have a process to efficiently deal with and strategically manage all risks/concerns.

Define Your 3 Lines of Defense

The 3 Lines of Defense are foundational to operating strategically. The model recognizes that your role as a risk leader is to move people to action. By embracing the 3 Lines of Defense you are creating a platform for stakeholders (large numbers of people) to be on the same page and efficiently move in the same direction.

The 3rd Line is the executive point person, oftentimes the CFO. The 2nd Line is the Risk Leader and their team, and the 1st Line is your first-line process owners [supervisors].

The 3 Lines of Defense is an Enterprise Risk Management term. The 3rd Line [executive point] is responsible for all risks an organization faces. Their role is strategic direction and ensuring activities are aligned with the organization’s goals. The 2nd Line’s [Risk Leader & Team] role is to close the gap between strategic-level risks and operational risks happening at the front of the organization. This includes consulting, mentoring and supporting process owners as well as providing the risk framework. The 1st Line’s [process owners/supervisors] role is to identify, assess and mitigate risk on a day-to-day basis.

Take a larger construction company as an example [500 employees with 70 supervisors]. The process states that supervisors will be the biggest return on your investment, so focusing on the supervisors is the more strategic approach. First, it is a numbers thing; it is easier to focus on 70 than 500. It breaks larger numbers into manageable parts. Secondly, it is a management thing. The chain of command requires supervisors to be involved. The flip side is to put all your resources directly toward employees and not have supervisor buy-in. Thirdly, it is about tapping into the 3rd Drive of Human Motivation of your supervisors by making them part of the process.

Risk is a team sport. You are only as strong as your weakest player, and this starts with supervisors. For the 3 Lines of Defense to work, the 2nd Line [Risk Leaders] needs to focus on consulting, mentoring and, most importantly, supporting supervisors. Practical ways to do this are to identify best performers, focus on providing support to those struggling, and leverage peer-to-peer opportunities. This plays out by establishing transparency into the risks/obstacles supervisors face on a day-to-day basis, and asking where they need support and what ideas they have.

Establish and Maintain Your Baseline

Your baseline is like a road map. You need to know where you are and where you are going before you go. This applies whether you are focusing on an Enterprise Risk Initiative or a Hazard Risk Initiative.

Every Risk Leader should have a passion that translates into a “Strategic Objective”. Your objective determines where you are going. Having a baseline is essential to this process. The baseline is where you are now, together with the activities and controls you have selected to get to your objective. You need to be able to look at what you are doing at any point in time and ask: “Is it going to get me there, and is it a realistic path?”

Memorializing your baseline is important because, in the risk space, you will always have limited time and resources. The focus is not how much you are doing but the right combination of activity to get to your objective. Because time and resources are limited, all activities in the baseline should be reviewed at least annually. Are all your current controls and processes relevant? Should some be discontinued? And for others that appear to be effective, can adjustments be made that will provide a bigger return on your investment of time and resources?

Your baseline should be an ongoing, living document. It is valuable because it provides structure, continuity, continuous improvement and a basis to operate strategically.

Establish a Rating Process

To be able to make objective decisions within business process areas and across silos, there must be a process in place that allows for all risks to be evaluated the same way. A best practice is to assess risk by impact, likelihood, and assurance. Impact and likelihood would first score the risk assuming there were no controls in place. Assurance then looks at the risk based on controls that are actually in place. Assurance is about rating how effective your controls are.

A best-practice rating scale rates the impact, likelihood, and assurance and takes into consideration both quantitative and comparative factors. The quantitative part speaks to a numerical score. This can be as simple as a 1 (low), 2 (medium), or 3 (high). A better approach, however, is a 1-5 or 1-10 scale. The reason is that 1-3 scales have a tendency to score toward the middle. The comparative part speaks to getting everyone on one sheet of music, so to speak. You are actually picking the numbers based on a pre-established document that defines each number in terms of financial, legal, operational, regulatory and strategic factors.

Regardless of what business process area or business silo is rating a risk, it is using the same comparative document/wording that points to a quantitative score. The process cuts through any biases that may exist and allows for apples to apples comparisons.

Risk Managers have an opportunity to take on a broader role in an organization that supports building a framework that deals with all risks a company faces. Because Traditional Risk Managers have backgrounds in foundational risk principles, they are a natural choice to support the CFO and executive team in developing a more global risk-based approach to business. Earning the right to support the organization in broader capacities will demonstrate your ability to operate strategically. 
