Are you overexposed? Why Business Risk Assessment is central to good business planning
With unstable economic and political landscapes, risk management becomes a key component of business planning on both horizons, strategic and tactical, whilst becoming ever more challenging.
The last 12 months have seen many businesses caught short, both in terms of risk identification and evaluation and in their crisis management; from the likes of TSB with its change management programme to Facebook and its data management and provision with third parties.
At Step5 this is often one of the first steps we carry out for our clients as we work to assess the context and impacts of any business change programme and to really understand the risks during implementation and post-delivery.
Howard Dickel, CEO of Step5, explains why this has become so important and how new technologies can help us do this more efficiently.
The assessment of business risks itself has changed in two significant ways in recent years:
First, due to various factors including social media, speed of change, speed at which new competitors join the market, more stringent regulatory and compliance frameworks and an ever-increasing threat from cyber-attacks and data management and storage, business risk has become a key boardroom topic, and a part of everyone’s role in the organisation.
Smart businesses now implement a ‘3 Lines of Defence’ (3LOD) model – with the traditional audit and compliance functions operating at Level 3 to provide policy, oversight and assurance, business risk champions working at Level 2 in each business function providing local expertise, training, governance and reporting, with the Level 1 role – the front line – being part of everyone’s role.
Secondly, we are seeing a growing use of Complexity Assessment Frameworks to determine the structural, socio-political and emergent (amount and pace of change) complexity of an enterprise or initiative. This acts as an early predictor of the level of risk associated with it.
“Many predict that ultimately, the business resilience response will be operated by AI with oversight, communications and engagement being delivered with a more human touch.”
At Step5, we use research from Cranfield University as part of our standard approach and carry out a Complexity Assessment – using a tool we have developed – at the outset of any engagement to determine the level of risk, and ensure we consider the full range of potential risk areas as part of our standard risk management approach. This ensures we allocate the risk skills and experience – both in terms of leadership and the rest of the team – to a project.
New disruptive technologies are driving this change. The increasing prevalence of data analytics and AI has enabled organisations to develop a Digital Twin of the Organisation (DTO), allowing a business to model, in the virtual world, a twin of the physical business – modelling various business risk scenarios, and the responses to those risks, to understand the implications for the organisation. This is both much cheaper and faster than the traditional approach of the annual exercise of business risk response and business resilience planning.
We can hope that in the future the use of DTO will quickly move from scenario planning and testing to become the core system that drives the response to a business risk event.
Ultimately, the business resilience response will be operated by AI with oversight, communications and engagement being carried out by people.
To ensure that their organisation no longer focuses solely on immediate risk but instead on building a culture of long-term resilience, risk managers need to implement a best practice model, such as 3LOD, and make sure that the management of risk becomes a part of everyone’s job – supported by clear role definitions, training and communications. They also need to ensure that the Boardroom leads by example in the review and management of risks. It must create and maintain a culture where identification and management of risk is encouraged and rewarded.
The bottom-line benefits of doing so are clear. A business risk event can be catastrophic in terms of regulatory fines, financial impact (including revenue, profits and share price) and brand impact in terms of trust. Any activities to identify risk and agree responses ahead of the risks impacting the organisation will have a very real benefit.
Increasingly, businesses are mandating evidence of a robust risk management and business resilience model that has been regularly and rigorously tested across the supply chain. The lack of a robust model will preclude many businesses from bidding for and winning new business.