Shared from the 6/27/2023 Financial Review eEdition

Mitigating risk across the company

As organisations face an ever-increasing range of risks, threatening different areas of the business in different ways, they must take a holistic and consistent view of the risk landscape in order to assist the board with making better-informed risk management decisions.

The elevation of the role of chief risk officer (CRO) across every industry comes as organisations acknowledge that operational, compliance, regulatory and strategic risks can pose an existential threat that could severely affect the viability of the business or see it make the headlines for all the wrong reasons.

Governance, risk and compliance (GRC) are the pillars of building a resilient organisation, yet even some of Australia’s most highly regulated sectors still struggle to effectively manage risk.

For example, the financial services royal commission found that many Australian financial institutions had inadequate risk frameworks, particularly when it came to the identification, assessment and mitigation of non-financial risks.

The challenge for modern CROs is that not all risk is created equal. While CROs can adhere to risk management standards like ISO 31000, they cannot be experts in every area of the business where they need to address risk.

Meanwhile, those working at the coalface in each business unit better understand the risks their unit faces, but they don’t necessarily understand risk management and how the risks in their area can affect the wider business.

As a result, organisations are known to take a siloed approach to risk management which doesn’t classify risks in a standardised manner or measure them consistently across the organisation. Different definitions of what constitutes a significant risk within these different silos make it difficult for boards to weigh different risks and make informed decisions, says George Pantazis, founder and chief executive of risk management software platform RiskWare by Pan Software.

The CRO has the responsibility for creating a risk culture, but people across the business are uniquely placed to understand risk, as they ‘‘know their patch’’, Pantazis says. For instance, the IT security department is in a better position to comprehend the vulnerabilities of the organisation regarding cyber attacks, whereas the health and safety team is most suitable for understanding the repercussions of working with a specific combination of chemicals.

‘‘The challenge is that assessing risk can be subjective and requires those subject-matter experts to make value judgments based on their own knowledge and experience,’’ he says.

‘‘This then makes it difficult for the board to compare apples with apples when addressing the actual threat those risks pose and determining how to respond.

‘‘As a result, the risk data between departments is skewed and does not achieve the holy grail of risk management: enterprise risk intelligence.’’

Pan Software’s enterprise risk intelligence software, RiskWare, helps businesses take a consistent approach to recognising, understanding and mitigating the wide range of risks which modern organisations face in every aspect of their operations. RiskWare incorporates Pan Software’s SOCRAITES artificial intelligence engine to offer greater risk management insights.

Enterprise risk intelligence software (ERIS) allows an organisation to take a more standardised approach to understanding risk. When organisations take a siloed and disjointed approach to risk management, they tend to use different tools – sometimes as simple as a collection of spreadsheets.

Reliance on spreadsheets and manual processes is a risk in itself, as organisations lose historical risk management information which can assist with quickly and accurately recognising and mitigating risks as they arise, Pantazis says.

‘‘When that historical information is lost, it is very difficult for organisations to maintain best-practice risk-control libraries, meaning they need to reinvent the wheel each time that risk arises,’’ he says. ‘‘Valuable knowledge can also be lost as those people who best understand specific risks change roles or leave the organisation.

‘‘As well as this, manual processes can leave organisations struggling to maintain their protocols for immediately notifying the relevant stakeholders when there is an incident, which makes it more difficult to contain the impact when a risk is realised.’’

Artificial intelligence, such as RiskWare’s SOCRAITES, is a powerful tool to assist people managing risk throughout an organisation. It ensures information captured is relevant, consistent and reliable, while also supporting the broader business through the identification, assessment and mitigation of its risk environment.

‘‘The role of AI is certainly not to replace people,’’ Pantazis says. ‘‘AI’s job is not to make decisions around risks which impact the business, because it’s people who truly understand the different risks. Instead, the role of AI is to act as an assistant to those people in making better risk management decisions in their field of expertise.’’

‘‘As organisations move from GRC systems to ERIS systems and put their people front and centre of their risk management strategies and initiatives, only then will they truly gain the many benefits of enterprise risk intelligence.’’
