Part 11 in the “Controls and Risk Management” series
Predicting risks is sometimes more of an art than a science. And this blog isn’t about our current state of preparedness for a pandemic scenario like we are facing with the coronavirus. Also, not being a doctor, I am most certainly not qualified to comment.
This blog instead will focus on reports that consolidate views on the top risks for the year ahead but with a new twist, I hope.
In governance, risk, and compliance, we usually focus exclusively on the business risks – hence, those provided by executives. Here, I want to compare these inputs with the concerns of the wider community with regard to the top risks that they feel are the most pressing.
In my experience, stakeholders in the risk-management process, be they employees, contractors, or others, will be much more involved if they can relate personally to the risk events they are asked to manage. Presenting these risks only from the perspective of the organization cuts them off from this connection. I’d like to offer a few thoughts on how to reconcile both views, business and community, to ensure a successful outcome for both parties. For this purpose, I selected two reports:
- North Carolina State University’s Enterprise Risk Management (ERM) Initiative – Executive Perspective On Top Risks 2020: NC State has been working with Protiviti in surveying board members and C-suite executives worldwide about risks that are likely to affect their organizations for the past eight years.
- World Economic Forum (WEF) – Global Risk Report 2020: WEF’s findings are based on a survey of members of diverse communities. WEF has also been working with academics (National University of Singapore, University of Oxford, and University of Pennsylvania) for this 15th edition of the report.
NCSU Enterprise Risk Management Initiative’s top risks
Of the top 10 risks identified, three are usually included in the internal control framework: impact of regulatory changes (#1), cyber threats (#6), and privacy and information security (#7).
These three risks are not only operational in nature but also carry inherent non-compliance aspects, which explains why they are also monitored by the control and compliance teams.
Unfortunately, control owners sometimes feel that they are simply “checking the box” when performing the control activities in relation to these risks. As a result, the effectiveness of the risk-response program around them is often questioned.
So the question becomes: How can we change this perception of a simple “bureaucratic risk-management approach” and increase engagement so that risks are adequately taken care of? This is where the second report comes into the picture.
WEF’s top risks
From the WEF, and therefore from the perspective of the wider community, the top risks relate mostly to four categories:
- Environmental: climate action, extreme weather, etc.
- Technological: cyberattacks, information infrastructure breakdown, etc.
- Societal: water and food crises, infectious diseases, etc.
- Geopolitical: interstate conflicts, global governance failure, etc.
Of course, most organizations can’t mitigate these risks alone. But some of the risks keeping executives awake at night are listed here as well.
Making the two views meet
Governments usually push new regulations to better protect consumers or investors, but also to respond to some of the environmental and societal risks. For instance, recent environmental, health, and safety (EH&S) regulations have been issued to decrease pollution to try to tackle climate change. Furthermore, countries where water is already a scarce resource have introduced Water Acts. These are regulations that companies have to abide by and as such, are a component of the “Impact of regulatory changes and scrutiny on operational resilience, products, and services,” ranked as a top risk in 2020 by executives.
Foster more involvement from employees and other stakeholders
Risks #6 (cyber threats) and #7 (privacy/identity management and information security) align perfectly with the technological risks in WEF’s report. As a result, instead of just aiming for compliance with a “tick the box” approach, why not present the regulation in a way that the employees – or any other stakeholder – can relate to?
- Environmental regulations across the world are not only designed to save costs by reducing energy consumption or cutting waste through recycling but, more importantly, to safeguard water and other resources.
- Data privacy regulations such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) in the U.S. are really focused on protecting our personal data – as consumers and citizens.
- And legislation that is often perceived as having little added value, the Sarbanes-Oxley Act, is not about creating more work for consulting organizations and software vendors. It’s there to protect the public’s investments by ensuring the veracity of corporate financial statements.
By presenting business risks with a “citizen lens,” I firmly believe risk-management programs would be more effective. Stakeholders in the process will be more engaged in both adequately representing the risk and mitigating the effect of the threat or trying to reduce its likelihood.
Do you think I am being too naïve? I look forward to reading your thoughts and comments on Twitter @TFrenehard.
If you are interested in hearing more about this topic and discussing it, take a look at the SAP Conference on Application and Information Security – Building Digital Trust, taking place October 20 and 21, 2020, in Dublin, Ireland.