Risk teams act like the defenders of the organization. Many risk and security teams will take the position that it is their job to protect the organization. That was why they were hired, and that is what they will do. This leads to multiple bad behaviors, such as telling the business units what they can and cannot do, banging a shoe on the table to demand budget in the name of protecting the organization, and fundamentally ignoring the needs of the business. Adopting the role of the "protector" puts risk professionals in an adversarial position to the mission. In addition to being ineffective, this also reinforces the outdated dogma that this is just a technical problem, handled by technical people, buried in IT. In a risk-engaged culture, the dialogue is not about how to protect the business, but how to accomplish the business vision while engaging in appropriate risks (Lakshmi, 2016). It's a simple, but powerful dialogue change from "Here are all the risks with that idea" to "Here's how we can make that happen, given your budget and the probable risks we'll face."
Mechanism of Financing
Risk management is an increasing area of focus for most organizations, as risk profile complexity and interconnected relationships grow explosively. According to a 2016 survey of risk executives by the Risk and Insurance Management Society, 74% of respondents expect that forecasting critical risks will be more difficult in three years. Moreover, the leading obstacle to forecasting critical risks noted by these executives is the continued lack of cross-organization collaboration.
To understand the full scope of risk, organizations require a comprehensive view across all business units and risk and compliance functions, as well as key business partners, suppliers and outsourced entities. As a result, new technology solutions are emerging to increase the collaborative nature of risk management, both within and external to the organization.
Risk Management Model
Over the past decade, risk management programs have matured to focus on more than just compliance and on the interconnected nature of operational risk across an enterprise. Gartner defines this approach to risk management as integrated risk management (IRM). IRM is a set of practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks. New leaders in digital risk also need the right metrics to make better business decisions by linking risk and performance. Risk metrics can also be used to direct audit and compliance resources to focus on the right areas rather than succumbing to the dreaded "check-the-box" syndrome. Gartner's research focus in 2017 will include views on how companies can link risk management and corporate performance management via metrics (Lakshmi, 2016). Using key risk indicators tied to key performance indicators, business leaders can deploy risk management resources to areas that will have the greatest impact on the future success of the business (Lau, 2016).
Fire and engineering risk control
Finally, to support your efforts to manage these new risks, you need the right systems. Gartner will explore the current trends for use of IRM solutions in areas such as legal, e-discovery and operational risk management. Gartner will also discuss new and future trends around the evolution of digital risk management technology. A risk-engaged culture also means that accountability is measured by the defensibility of decisions, not used as a proxy for whom to discipline when something goes wrong. Defensibility means that stakeholders would agree that the best decision was made with the information available at the time. Bad outcomes may trigger a review of defensibility, but bad outcomes do not equate to poor defensibility. A good risk-engaged culture supports a common understanding of defensibility (Damodaran, 2016).
Risk-engaged cultures are sadly lacking in many organizations, and this undermines the very foundation of any risk process. If you don't have a good risk-engaged culture, then, regardless of process, decisions will not be defensible.
Advantages of Risk Captive Culture
Transparency is a very hard culture shift, but is absolutely necessary. It exposes the unwanted reality that you can't eliminate risk. When risk decisions are made, by definition, there will be residual risk, and many organizations suffer from reluctance to be transparent about known risks they have consciously chosen to not address. Challenges include everything from legal liability to looking bad in front of peers, management, the board, internal audit, regulators, customers, etc. However, given that there is no such thing as perfect protection, this transparency is only a reflection of reality. The benefit is that it creates better decision making and prioritization, which is good business (Damodaran, 2016).
The failures of a poor risk-engaged culture are easy to spot by those who understand good risk engagement, but the impact is hard to explain to executives who have poor risk engagement. Following are some simple red flags for failing risk culture.
Speculative Risk Cannot be insured
It is common for executives who lack understanding of technology dependencies on business outcomes and are tired of reading headlines about hacking to declare that there is no acceptable level of risk. These are people who believe that, with the right investment and the right people, it is possible to prevent all possible security failures. There are board members who only invite the CIO to report to the board on cybersecurity so that the CIO can tell them, "Everything is going to be OK." It isn't. That isn't how technology risk works, but that gap in understanding and expectations makes it nearly impossible to engage these executives in an appropriate risk-based conversation. That is a failure of risk culture.
On the other side of the spectrum, one Gartner client reported that executive management had created a sweeping and direct message to the entire organization: "Engage in more risk." There were good reasons for this, including a belief that the organization had become stagnant and predictable. Decision makers were reluctant to do most things for fear of something going wrong, and this had stifled innovation. Unfortunately, this was done with no guidelines and, somewhat predictably, many managers immediately wanted to materially lower investment in cybersecurity and other technology controls where they saw no benefit. While it is possible that this was an appropriate decision, the risk culture failure was that they were doing this with little or no knowledge of the attendant risks; they just wanted to jump (without a parachute).
Methods of Individual Risk Rating
An inconsiderate engagement with risk. Many organizations have created risk acceptance forms as a mechanism to engage executives. Gartner's experience indicates there appear to be only two types of people: those who will sign anything to get what they want, and those who won't sign anything no matter what it costs them. In both cases, the failure is not the amount of risk that is accepted, but rather the abdication of understanding the risk and the conscious decision making that makes a risk-based approach work. Engaging with risk is not about filling out a form, but about understanding all of the risks, including technology, time, cost and mission success, and determining the best way to achieve goals within an acceptable level of risk.
Failures of accountability. In most organizations, "accountability" means "Who do we fire when something goes wrong?" This attitude results in a situation where no one wants to engage in any type of risk acceptance because the consequences are clear. This kills the proper engagement of any type of risk. Accountability is a critical success factor in a risk-based approach. As your risk culture evolves, accountability should more appropriately depend on the defensibility of the decisions that were made. Risks are always present and failures from time to time are inevitable, but when something goes wrong, the organization should look back at the decisions that were made. If they were informed decisions with good, defensible reasoning for choosing a course of action, then it was a good risk to take. Don't fire someone for accepting a risk; fire him or her for not understanding the risk accepted.
Failure to explain the risk. A risk culture does not sit only with non-IT executives. Risk and security teams also fail when they can't explain risk in terms of business outcomes. Executives cannot be expected to understand risks if they are explained poorly and buried in technology jargon. As in our stuntman example, a film director or producer should not be expected to understand the mechanics of practical effects well enough to independently make the call on what is acceptable. But neither can the stuntman compromise the director's vision simply because all risks can't be avoided. Indeed, engagement is the process of dialogue and compromise about what is possible within the limits of technology, time, cost and risk, and that dialogue and compromise must be two-way and thoughtful.
Senior business and technology leaders need to develop a narrative about risk in their enterprise. This narrative isn't about setting the "rules of engagement," but about defining the "commander's intent." It should include principles and ideals such as: "The customer experience is how we win; we must not jeopardize that experience through action or inaction." The narrative provides a "moral compass" of how the organization views risk and how risk-engaged decision making should take place. Moreover, it provides a framework for dialogue and how various stakeholders discuss risks. While this may seem trite and simple, such principles have powerful and lingering cultural effects. Consider the following two statements: "Failure is not an option" versus "Fail fast, fail early, fail often."
Consider how those two statements of commander's intent would be reflected in organizational risk culture and the ongoing dialogue about risk. Simply stating publicly how the organization views risk, from the top down, and creating a framework for stakeholders to discuss and engage with risk can have a powerful impact on risk culture.
Lakshmi, T. M., Martin, A., & Venkatesan, V. P. (2016). A Genetic Bankrupt Ratio Analysis Tool Using a Genetic Algorithm to Identify Influencing Financial Ratios. IEEE Transactions on Evolutionary Computation, 20(1), 38-51.
Damodaran, A. (2016). Damodaran on valuation: security analysis for investment and corporate finance (Vol. 324). John Wiley & Sons.
Lau, C. (2016). Financial Management.
Khan, M. N., & Khokhar, I. (2015). The effect of selected financial ratios on profitability: An empirical analysis of listed firms of cement sector in Saudi Arabia. Quarterly Journal of Econometrics Research, 1(1), 1-12.
Robinson, T. R., Henry, E., Pirie, W. L., & Broihahn, M. A. (2015). International financial statement analysis. John Wiley & Sons.
Hoberg, G., & Maksimovic, V. (2015). Redefining financial constraints: a text-based analysis. Review of Financial Studies, 28(5), 1312-1352.