Risk management: When to respond and when to accept risk

A coordinated risk response helps companies determine how to respond to risks and which risks may be overmanaged.

In brief

• An integrated response to risk management with centralized command helps companies manage risks using the right resources and builds trust among stakeholders.
• Not all risks are equal. Identify assurance gaps and determine where the risk steward must evaluate, improve, optimize or monitor risks.  

Once you’ve aligned your risk universe across the entire risk ecosystem and turned data into insight to determine which risks matter most, how do you determine that you’re taking a connected risk approach? In this fourth installment of our connected risk series, we explore the third quadrant of the integrated risk management wheel and the benefits of a coordinated risk response to reduce redundancy and achieve the desired coverage.

The integrated risk management wheel demonstrates the four key stages of connected risk.

A connected risk approach relies heavily on exactly that: connection. Coordination, communication and complementary actions are at the core of the connected risk approach. Organizations are transforming at an unprecedented pace because the world is changing faster than ever before. Resources must be deployed in the most efficient and effective ways to mitigate risk to an acceptable level, not eliminate it.

Think of the old belt-and-suspenders analogy. In some instances, multiple layers of assurance are required, but sometimes, enough is more than enough. Having an integrated ecosystem with a shared view of risk helps determine when to respond and who is best positioned to take action. Having a centralized command and control function driving risk management activities across the three lines can drastically reduce cycle time and eliminate redundancy to better manage the risks that matter at the right time and with the right resources.

Leading companies and startups alike use the following considerations to develop risk management strategies that instill confidence and build trust among internal and external stakeholders by determining who is best positioned to respond to achieve the desired level of assurance.

Four risk management items to consider when coordinating a risk response

• Gather information: Gather information on internal and external assurance functions and activities, their scope of work and mandates. Once you have a better understanding of the risks that matter, consider revisiting the work you already did when getting started.
• Understand requirements: Obtain an understanding of the executive and board committees and their requirements with regard to risk oversight and reporting (e.g., risk thresholds). When do they want the belt, and when do they want suspenders?
• Map risk coverage: Create an assurance map by plotting your risk ecosystem on the x-axis and risk universe on the y-axis. Develop a scoring system for the desired level of assurance and perceived actual level based on current mandate and response. Identify where you have “assurance gaps” in current coverage and where you may be over-responding based on assessed risk and desired level of assurance.
• Activate: Hold the risk steward accountable for coordinating the actions across the organization to address residual risk where appropriate. Think about your response strategy using the following framework:

Evaluate – When a risk is assessed as high but an assurance structure is in place to mitigate the risk, the appropriate response would be testing or assessment activities to independently evaluate the risk mitigation in place. Think: SOX testing or process audits.

Improve – When an organization has high risk exposure and a high perceived assurance gap, the appropriate response is likely to improve the overall processes and implement or strengthen controls to mitigate risk exposure. Think: pre-system implementation support.

Optimize – When assessed risk is low and the assurance gap is lower than the desired threshold, the risk is likely over-managed. Organizations will look to risk functions to improve, automate or rationalize control activities in these cases to better allocate resources in line with risk. Think: process redesign.

Monitor – When assessed risk is low and the perceived assurance gap is high, risk functions will leverage technology to track key performance and risk indictors. Think: continuous monitoring.

Your risk steward will play a pivotal role in helping decision-makers understand their assurance gaps while creating a calculated and purposeful response. Their goal is to work with stakeholders to find the right balance between evaluating, improving, optimizing and monitoring risks to confirm completeness of coverage while being judicious with time and resources. Leading companies are leveraging technology as a crucial component to find harmony in these four areas to build a coordinated risk response that inspires trust and confidence among stakeholders.