If your organisation takes an enterprise risk approach, then the management information that the Board receives across all risk types, spread across the organisation, will tell a story.
Risks are related, correlated and consequential. They tell a story of what is happening within the organisation and join the dots. If the organisation’s Board reporting is siloed with no risk reporting overlay, then the stories, root causes and risk implications may be missed.
Individual Board reports from departmental Heads will provide operational and financial information covering attrition rates, complaints, fines, cyber incidents and service delivery times. However, by taking an enterprise risk view, the risk reporting can join the dots and tell the story.
Take the following two examples:
Example 1
A company is increasingly paying compensation because of customer complaints in relation to service delivery. This has also resulted in a regulatory censure.
With an enterprise risk overlay, the risk manager will have met with risk owners over various reporting periods and gathered enough information to join the dots, tell the story and tie back to the underlying issue.
Disengaged employees (people risk and culture) have provided poor customer/client service (service delivery risk), causing customer complaints (conduct risk), resulting in financial compensation and regulatory censure (financial and regulatory risk).
Action can then be taken to mitigate the risks or drive out an opportunity to fundamentally change the culture of the firm.
Example 2
Organisations are targeted daily with phishing attempts. In this example, the phishing attempt has been successful, and it has resulted in a ransomware event.
Again, adopting a risk overlay, the risk manager will be able to get to the root of the issue, tell the story and join the dots.
An overly busy employee, in an under-resourced team (people risk), has a lapse in concentration and opens an attachment or follows a link in an e-mail that turns out to be phishing (cyber security risk). That click is only the point of entry: the controls that should have caught or contained it (mail filtering, endpoint detection, segmentation and backups) did not, so the intrusion becomes a ransomware event with systems locked (technology and business continuity risk), manufacturing or client service is impacted (service delivery risk) and there is significant time and cost to rectify (financial and technology risk). A root-cause story that stops at the employee's click misses the control weaknesses and the resourcing decision behind them.
The relationship that the risk manager builds with risk owners allows for an organisational view of risk to be understood, the story to be told, and appropriate action to be taken.
It is clear from these examples that risks are related and have a knock-on impact on each other.
They tell a story.
What story does your organisation tell? As a Board, do you know?
To discuss any aspect of risk management with our expert team, contact us today.