Knowing that risk management has to change and knowing 'how' and 'what' to change about risk management are two different things.
There is widespread agreement that organizations on the critical path of decarbonization and digital transformation need to change how they manage risks. Stakeholders of all sizes and influence are demanding more transparency and want risk information immediately available to help them make decisions about whether to invest in/provide insurance for a business, purchase products from specific brands, or to welcome organizations to operate in their communities. It has become crucial for these organizations to have a common understanding of what is being asked of them across multiple sectors. The goal of risk management frameworks is the disciplined allocation of capital and resources that creates and sustains value to the stakeholders. As organizations orient themselves to the new realities of stakeholder expectations, many will simply pour more resources into the existing activities. This blind doubling-down is a costly mistake. Leaders who are accountable for how risk performance is measured and valued need to step back and consider the basic questions their organization needs to answer.
No Need to Ask ‘Why’; Ask ‘How’ and ‘What’
Anyone who has read Start With Why by Simon Sinek is familiar with ‘The Golden Circle’ of ‘Why’, ‘How’ and ‘What’. He stresses that organizations need to focus on why they are in business rather than what they sell or how they do it. In the case of valuing risk performance, the question of ‘Why’ has already been answered. Stakeholders’ demands for transparency is clear. Risk management policy, commitments and reports were the processes and tools of yesterday but will not do for those of tomorrow. Today, these are seen as table stakes - barely enough to get by and certainly not enough to win. The questions organizations must answer in order to value risk performance are ‘How to Change’ and ‘What to Change’. The model below contrasts these two questions and classifies organizations who can or cannot find the answers.
How to Change
There are several authors who have done a lot of work on organizations change. Before diving into the steps of change, they must first clearly articulate how they are going to change. The answer exists on a scale of incremental to transformational.
Considering the demands of stakeholders and the opportunities the trillions decarbonization and digital economy offers, organizations can ill-afford to be slow or take one step at a time. Emboldened organizations who are confident in their purpose are those who are inspired by the opportunity to lead. That opportunity is now. Organizations that move towards the right of the model will be able to build on the momentum of the change they are making and move away from reporting what happened to measuring and communicating what’s happening.
What to Change
With the commitment and resources in place to transform how risk performance is valued, organizations need to carefully plot their next steps to ensure that what they focus on balances the needs of quick wins and demonstrating long-term value creation. The vertical axis in the model anchors the organization's efforts and activities. While not zero-sum, organizations moving up the axis will be more focused on activities of quality assurance rather than reactionary quality control activities. In short, understanding performance to validate the results they achieve. Information gathering at an industrial scale will allow internal decision-makers to better understand the current risk exposure as well as the performance of the control systems in real-time. Weak signals that are received will be connected to organizations data landscapes – knowing what to measure and linking the correct data sources (both internally and externally) - that will help them learn and improve at an institutional level. Organizations will be able to proactively predict and prevent unwanted events rather than being stuck in the cycle of report, repair and repeat.
Characteristics of Organizations Navigating Change
Organizations navigating how to change and what to change will fall into one of four classifications:
Leader: Has the capacity to listen for emerging risk performance issues and intervene prior to events. These are resilient organizations who mobilize resources to address significant challenges and take advantage of opportunities that are presented to them.
Lesser: Will struggle to scale due to the incremental approach to valuing risk performance. These organizations are inefficient at making data work for them. They will find that they will be the ones working for data.
Laggard: Ineffective application of resources to value risk performance. To use a bookshelf metaphor, they will have beautiful bookends but no dynamic information to fill the library in between as they cannot service the needs of their decision-makers and stakeholders.
Loser: Expect these organizations to stagnate and see their value plummet as they double down on failed approaches of the past. They will likely see an erosion of talent and trust.
For organizations that aim to value risk performance and differentiate themselves from their peers, they first must acknowledge the questions they need to ask and how to answer them. Leading organizations will be those who transform their approach to risk management to develop the capacity to measure and communicate risk exposure and control system performance to decision-makers and stakeholders. They will be able to differentiate themselves from their underperforming peers who will struggle to capture the data they need or solely rely on their current suite of policies, standards and reports. By transforming the process (i.e. quality assurance) and not focusing on the outputs alone (i.e. quality control), leading organizations will be able to proactively manage risks and emerge as resilient champions of their respective sectors.