Who, what, where: getting to know your risk ecosystem by name

Risk stewards bring order to risk management by breaking down silos, prioritizing key concerns and driving an informed mitigation strategy.

In brief

• Risk assessment is often a challenge in companies where there isn’t a formal approach to identifying and strategizing against high-priority risks.
• A formal risk leadership structure can put threats to the business in context, enabling a response that aligns with the needs of the business.

Are you tired of the question “what keeps you up at night?” Wouldn’t it be nice if you could ask 5 different people in your organization what your top risks are and not get 10 different answers?

Previously, we discussed why a proactive risk management strategy is critical to enhance your company’s capacity to manage risk and drive better business outcomes. Now, we’ll explore common elements of our connected risk approach that will help you operationalize your risk management strategy so you can quickly begin realizing transformational benefits.

Let’s start by examining the first quadrant — risk ecosystem and integrated risk taxonomy — and break down why it’s important to identify your risk steward, what an integrated risk taxonomy entails and how technology can help drive uniformity.

As a bonus, we’ll leave you with three pragmatic leading practices to drive immediate value.

Identifying your risk steward: qualifications of your risk driver

First, identify a risk steward who can prioritize risk management requirements across your organizational siloes and actualize a connected, proactive risk management approach. Successful risk stewards possess the following characteristics:

• Keen ability to break down organizational silos and work across first-, second- and third-line functions
• Knowledgeable about cultural risk appetite and what will motivate leaders to adopt a common definition of risk
• Experience prioritizing risk outcomes in the context of enterprise performance

Your risk steward should be a change agent, directing risk management with an understanding of what that organization’s top risks actually are. We often see success when the leader is in an empowered role within the organization such as a chief risk officer, head of enterprise risk management or a chief audit executive. Think: risk management by committee, and your steward is the chair.

Integrated risk taxonomy: creating a single view of risk

With data coming from traditionally siloed risk functions across the three lines, the risk steward should drive creation of an integrated risk taxonomy — a fancy word for a structured information architecture, a fancy term for an organized inventory — that maps the risks that matter. Then the organization is managing the risks that truly are the most important to the organization.

Effective taxonomies become a “snowflake” — starting with core risks that build upon each other, creating complex interdependencies that are often unrecognizable by traditional risk analysis. These dependencies extend into third parties, fourth parties and beyond.

Connecting risks enables a more rapid identification and assessment. We’ve seen this play out with current events, such as the ongoing war in Ukraine, which introduced a series of risks from sanctions that quickly resulted in global and cross-sector impact. A connected risk taxonomy enabled organizations to rapidly assess the magnitude and exposure across human capital, supply chain, cybersecurity, strategy and operations.

First-line functions were planning for cash flow implications long before the second and third line assessed the impact of these sanctions. Leading organizations picked up on this quickly and amended their risk data and taxonomy. They continuously refresh external risk data through the assessment process and feed it back into the updated taxonomy. We’ll talk more about risk assessment and data sources in subsequent articles. 

Supporting your single view of risk with technology

An integrated risk platform is the foundational technology that enables connected risk capabilities by storing, aggregating and modeling relationships between various data sources in a central location. Smaller organizations often lack a comprehensive data architecture that is robust, scalable and physically and logically centralized; while many large enterprises still operate multiple disparate risk management tools. Today, simplifying process and technology experience is integral to enabling risk management connectivity, particularly for organizations managing remote or hybrid workforces.

Leading organizations drive uniformity through a harmonized technology solution — either by consolidating existing governance, risk management and compliance (GRC) systems into a single connected risk data lake or implementing a new scalable platform that is designed to be modular, modifiable and repeatable — to gain better insights.

Whether integrating existing systems or implementing net new, effective data and technology infrastructure:

• Enables a common risk ecosystem through a shared taxonomy and data model
• Consolidates and automates risk management activities, decreasing overall effort and training needs
• Realizes cost savings by removing duplication, decommissioning legacy systems and optimizing technologies (e.g., cloud, advanced analytics)
• Manages growing customer expectations through better informed risk-taking and decision-making

Getting started: three pragmatic steps to drive immediate value

Modernizing your risk management strategy can be complex and time-consuming, however, the benefits of an integrated risk platform will generate savings and unlock growth opportunities.

Regardless of where you are in your connected risk journey, your risk steward can take these three actions to generate tangible value immediately:

1. Perform a data scan to aggregate the various risk registers that exist within the three lines. Keep in mind that formal risk registers or risk frameworks are more common in second- and third-line functions, such as internal audit, ERM, SOX, IT security and compliance. Risk taxonomy data may not be as structured from first- and some second-line functions, but the goal is to get as much of the current state view as possible. It may also be useful to leverage a normative risk framework customized for your sector.
2. Conduct working sessions with business units, compliance and assurance functions to understand how each defines and documents risk, including how risks and objectives align to business capabilities and strategic objectives.
3. Leverage working session outcomes to create a centralized framework and common taxonomy. This becomes the common thread of risk language across the three lines — the foundational component to connected risk capabilities.

A special thanks to Megan Duggan and A.J. Spalding for contributing to this article.