The sheer scale, velocity and pervasiveness of risk in the transformative age means it isn’t just the dedicated risk functions that need to take responsibility for risk. It’s a shared responsibility that falls on every part of the organization. The risk-ready organization of the future cannot afford for risk to be siloed.
Here are four key considerations for a successful risk function:
1. Build effective reporting lines
Creating an organization that has risk readiness in its DNA will mean the creation of efficient reporting lines between risk-facing business units and the centralized risk function. This enables a more nuanced understanding of the risks that different business units face on the ground.
For example, a manufacturing team on the factory floor will have a better idea of what can go wrong with industrial machinery than a risk team located hundreds of miles away in a central office. Similarly, that manufacturing team will have a better view of potential upside risks – like emerging operational technologies that can improve work processes – than corporate-level decision-makers. Communicating this information clearly is critical if risk functions are to effectively coordinate organization-wide strategic responses.
2. An organization of individuals
Building a risk-ready organization also means making sure every employee understands both the scale of the risks and what their individual responsibilities are in mitigating them. And this will involve lots of learning: how to spot phishing and social engineering techniques, what to do in the event of a cyber breach, how to engage with third-party providers and customers. For boards, it could also mean simulation exercises such as red-teaming – where outside teams perform real-time, multi-level attack simulations on an organization to gauge management’s preparedness and response times.
An organization that successfully incubates a culture of risk awareness needs to make sure every employee understands this and takes responsibility for risk triggers. It means promoting an environment of continuous learning. Once again, risks move fast, and companies will need to promote fast learning if they are to stay on top of that risk, whether it’s upside, downside or outside risk.
3. The future of work needs workers of the future
A risk-conscious talent strategy will also increasingly need to consider the transforming nature of the modern workforce. This is characterized by the rising number of contingent workers, an emerging millennial workforce and the increasing automation of workplace activities. All of these will have an impact on how risk is addressed.
It’s estimated that by 2020, as much as 40% of the US workforce (pdf) will be contingent workers. Think about what this means for aligning people around a singular culture of risk. How will a coherent set of values be communicated and instilled if your workforce is continuing to rotate in and out of your company?
Of course, addressing risk itself may mean on-boarding new kinds of digital talent to help drive the right cultural change and knowledge acquisition in the organization as a whole. But then, what risks do these hires themselves bring?
Risk and talent are increasingly intimately linked. To understand how means asking the right questions again and again. In a time of change, this continual dialogue is essential to understanding the risks and building and maintaining the trust that will enable your business to flourish.
4. Your risk is no longer just your risk
Similarly, just as the organization itself will have to contend with a more fluid and dynamic workforce, so too will entire industries. The age of walled gardens is over, and traditional inter-organizational boundaries no longer hold. One organization’s risk is every organization’s risk.
And in the digital world, with the connectivity it brings, risks can travel at alarming speed. This can be within individual organizations, but also up and down value chains, between industries and across national boundaries. Valuable information can jump from capital equipment to IT systems to personal computers and back again. For example, the 2017 Wannacry hack ended up hitting sectors as diverse as railway lines, hospitals and government ministries, across more than 150 countries.
This means there will be a growing obligation on all stakeholders to work together to mitigate or control risks not just for themselves, but on behalf of all other stakeholders in the ecosystem.
This could involve the promotion of agreed-upon standards of risk best practices, or the creation of threat intelligence sharing networks. When risks come at the speed and scale as they do in the transformative age, teamwork within industries will be needed to mount a rapid defense at scale.
It could also mean disparate parties pulling together for industry-wide solutions. We’re already seeing this in action – EY recently worked with Maersk and blockchain company Guardtime to help implement blockchain insurance solutions for the shipping industry.
However, that same connectivity that can amplify (or control) downside risks can also help industry players leverage upside risks, through exploring collaborative partnerships and knowledge-sharing.
A new type of talent for the transformative age
For anyone looking to convert digital disruption into meaningful, long-term business value, building a bedrock of trust is key. And a better understanding of risk, and the risk professional’s role, is key to building that trust.
This requires trust by design, trust that is built into the functioning of multiple business units and underpinned by a dynamic and skilled risk function that intertwines with business culture and activities at every level of the organization.
Only by making risk-thinking integral to organizational culture and behavior will these transformative opportunities be fully realized.