The main risks that companies have been trying to mitigate for the last few years have not changed significantly. Regulation, risk forecasting, business continuity, crisis management, cyber crime, information security, data theft, IT disruption, climate change, terrorism, risk identification, data compliance, sanctions, risk resilience, and third party due diligence all get listed time and again. The impact of poorly managing risk can be significant and can include remediation costs, compensation to customers, reputational damage, lost contracts, and reduced sales. In order to manage this, many companies and government actors must undertake significant risk transformation programs to address incidents, remediate issues, and identify root causes. Risk transformation programs require a significant investment in time and allocation of capacity. The opportunity for companies, when managed well, is significantly higher than the cost of investing in risk transformation, but it must include an appropriate amount of support and management attention to succeed, along with the right internal and external international risk management expertise.
The most successful types of risk transformation programs are enterprise-wide risk transformations that consider risk frameworks, governance, risk culture, remuneration, accountabilities, travel risk management, enterprise security management, information security, risk resilience, and crisis management. These transformations are typically board or CEO-sponsored programs involving all businesses and functions and considering all risks that may impact an enterprise. These risk transformations include uplifting the risk management framework and policy governance, establishing or improving a risk taxonomy, improving or creating a risk appetite statement, implementing a code of conduct, reviewing insurance, and ensuring all activities are fact-based and intelligence led. Enterprise-wide risk transformations can support risk reduction directly and can change the way the business operates by improving strategic and broader business transformations. Risk transformations take at least three to five years of dedicated effort involving internal and external capacity.
If your organisation is considering implementing a risk transformation program, ask yourself if leadership has the following elements in place, or is willing to support the internal champions to create these pre-conditions:
- A risk transformation and improvement desire
- An external risk management partner
- A culture open for adaption and positive evolution
- A team that wants accountability
- Prioritisation from the Board
Organisations have a variety of cultural traits that help them succeed in different areas, and this is the same for risk transformation. Continuous reflection is required to address deeply rooted cultural challenges and understand the international risk environment in which you operate, including genuine appraisals of successes and areas that require more support. The leadership team needs to be supportive of desires to celebrate positive cultural behaviours and achievements, and welcome constructive challenging of cultural norms, while at all times ensuring the psychological safety of everyone involved.
The risk transformation program team must have capabilities across project execution, strategy, business continuity, and international risk management. External risk management support, for expertise and advice as well as for help navigating bumps along the way, is going to be essential for success. And as with all activities, learnings must be captured and shared throughout the organisation. The risk environment is continually changing, and learning from lessons and risk transformation programs will be essential to ensure continual improvement of risk resilience.