In a time fraught with world-changing risks, many businesses are naturally looking to upgrade their risk management capabilities. Increasing the budget allocated to risk management is just one step, but business leaders often think this is enough and stop there.
Jim Wetekamp, CEO of Riskonnect, caught up with Corporate Risk and Insurance and shared three common mistakes organizations make in their risk management program.
1. They don’t address culture
According to Wetekamp, throwing money at a problem rarely works. To make a real impact, an increased risk budget must be accompanied by a re-evaluation of approach, while focusing on driving change through a risk-aware culture.
“The pandemic revealed glaring weaknesses in the way many organizations managed risk,” he said. “Companies that could not get their hands on complete, timely, and accurate data were at an immediate disadvantage. Even outside of crisis, today’s risk landscape is more crowded and uncertain than ever – and virtually every risk is gaining in size and potential impact. It’s almost impossible to keep up with what’s happening given the fragmented view provided by old-school risk management techniques. Simply investing more resources into an established siloed approach will not deliver the value most organizations are looking for. They need to break down organizational silos to address risk holistically.”
Wetekamp argued that new resources are better allocated towards building a holistic risk management strategy. An integrated approach to managing risk brings everything that could potentially harm a company into focus, allowing organizations to understand what they’re facing, how everything interrelates, and the cumulative impact on the organization.
2. They stop at the risk register
“Instead of focusing on each risk individually, integrated risk management connects the dots between risks – insurable and non-insurable, strategic and operational – which enables key stakeholders to freely exchange data and ideas that proactively address risks rather than perpetually reacting to conditions and chasing solutions to the outcomes,” Wetekamp said. “Decision-makers can confidently and swiftly act and ensure organizational success.”
3. They only look backwards
According to Wetekamp, when risk managers are making the case to leadership for a holistic approach, they should frame past weaknesses as opportunities for improvement and provide specific examples of how an integrated approach will make the business more resilient going forward.
“Also, explain the value of a new approach in a way that aligns with senior leaders’ objectives,” he said. “When speaking to the chief compliance officer, for example, address how integrated risk management will help avoid penalties and litigation for noncompliance. The CFO, on the other hand, might be most interested in the ROI, whether that’s potential savings from avoiding fines and litigation expenses, or the dollar value of staff resources that would be saved with a new integrated approach to risk management. Mapping historic risks to existing operations based upon past causality will only protect the rear-view mirror. Risk organizations need to map the business progression looking forward to cultivate the ground ahead of the business in terms of understanding and mitigating risk.”
What is the importance of having a competent chief risk officer?
As the name implies, the role of the chief risk officer (CRO) is to oversee risk across the enterprise. This puts them in the best position to champion the organization’s integrated risk management strategy.
“The CRO can help break down silos and broaden the organization’s view of risk, revealing the correlations between risks as well as upstream and downstream impacts,” said Wetekamp. “He or she is also optimally positioned to understand the technology, processes, and people that the organization needs to address its top risks and build out that risk management infrastructure. The CRO brings strategic considerations to the table that help the organization grow in its risk management maturity.”
However, many organizations today lack this crucial CRO role. Wetekamp revealed that a quick search on LinkedIn returned over 78,000 results for ‘Chief Technology Officer’, compared to roughly 9,000 for ‘Chief Risk Officer’.
“Placing a CRO at the helm of the organization’s risk strategy will be a priority in 2021 for forward-thinking organizations, especially as uncertainty around the ongoing health and economic crisis continues,” he said.
He argued that without specifically elevating leadership in this area, it can be challenging for many businesses to plan and execute a holistic risk management strategy.
Wetekamp believes that a good CRO should do the following:
- Apply consistent and proven risk management frameworks across the entire business
- Drive adoption, automation, governance and administration of risk activities end-to-end
- Provide direction for specific crises/risk events that cross departmental lines
- Lead long-term culture change to shape the business’ risk appetite to match its opportunities
- Create checks and balances for the board between risk management and operations
Jim Wetekamp is the CEO of Riskonnect, a leading provider of integrated risk management software. He is a recognized expert on enterprise risk, supply chain, and third-party risk management.