Organizations today can be highly complicated, and it’s the unenviable task for a risk professional to gain a solid grasp of just about the entirety of the organization in order to identify the various risks and exposures it faces, both in the present and future.
In a presentation at the RIMS Live 2021 virtual conference, Andrew Bent, director of business continuity & insurance of Sage Group, stressed the importance of analyzing the business model as one of the most fundamental components of developing a successful risk strategy.
This, according to Bent, requires a deep and honest understanding of how well the organization does what it does.
“If we don’t know what it is that we do as [an organization], it’s going to be pretty hard for us to make good decisions about how we manage our risks, how we choose to put controls in place and how we take controls away,” Bent said. “It’s also going to make it more difficult for us to understand what level of organizational risk confidence our fellow employees and colleagues need. And ultimately, we won’t be able to effectively support decision-making if we don’t know what it is that our organization does, how it does it, and how it creates value.”
What must be considered?
Bent outlined four important areas that must be analyzed in order to grasp the business model. These are: operations, financials, legal and compliance requirements, and people.
For operations, one of the most important aspects is to understand what an organization does that creates value, which varies depending on the type of organization – whether a business, a non-profit, or a government agency. Knowing key metrics and indicators is also very important, as these will help determine how well the organization is delivering on its value creation chain.
On the financials side, Bent says it involves understanding how well the organization maximizes its return on its financial resources. This is also where insurance matters come in, which requires going back to fully understanding operations to determine the organization’s exposures and existing methods to address these risks.
“Meeting the legal and regulatory compliance obligations is the minimum standard for effective business operations,” Bent said. “But we also know that every organization is faced with a range of competing – and sometimes directly contradictory – obligations, which can make it really hard to see if we are actually meeting them.”
Risk professionals should assess the organization’s litigation profile, as well as how it manages its liabilities, protects its assets, and meets its obligations to stakeholders.
People, according to Bent, are the resources that are most important in delivering operational activities. Therefore, it is important to understand how the organization recruits, rewards, and retains its people. It is also key to determine who really creates value for the organization.
The importance of data
Having the right data is important to be able to properly evaluate all four areas and understand the business model completely. In his talk, Bent emphasized the importance of conducting a periodic review of data to compare with previous assumptions that may have been made before the data was available.
Examples of important data sources he gave include detailed financials such as the 10K or annual report. Operational and financial data are also available from open sources as well as industry associations.
Risk professionals can also benefit from working closely with people in the marketing, sales and strategy departments, as they have practical knowledge about the organization, its clients, and competitors. Detailed information on operational processes can be obtained from those directly involved in delivering and monitoring them.
This, Bent said, requires risk professionals to get out from behind their desks and onto the shop floor.
“By bringing all these pieces together, what it allows us to do is fundamentally understand the inside and outside of our organization,” he said. “As a risk management professional, you will often understand the business better than almost anyone else outside of the chief executive. The reason for that is very simple – to be able to develop an effective risk strategy, we have to understand our business and our business strategy. If we don’t do that, what we’re going to end up doing is designing something that really doesn’t meet the needs of the organization.
“Risk management is not something that we do for the sake of risk management. We always do it to add value to our organization.”