The volatile global environment is resulting in a broader and more challenging risk landscape. New risks have been introduced, while existing risks such as Brexit, the US election, cybercrime, climate change, and economic disruption have not gone away - and in many cases have become even more severe during 2020.
This calls for a more consistent and integrated approach to risk management. One that enables more informed decision making through a holistic, enterprise-wide view of all the risks an organisation may face.
New regulations are also on the horizon. The Brydon Review, published in December 2019, is likely to lead to additional audit requirements and greater scrutiny over risk management and internal controls. With some likening the recommendations to a UK “SOX-lite”, pressure on the risk management function is only going to grow.
To explore these issues, and what they mean for the risk management function in 2021, Turnkey hosted a webinar that sought the views of a panel of experienced industry leaders. The panellists included Paul Thomas, former IT Internal Audit Lead at BAT; Stefan Gershater, former Head of Risk for Johnson Matthey; and Zoe Williams, Head of Internal Audit and Risk for several FTSE-listed companies.
In this blog, we summarise the key themes and detail the most important contributions from our panellists.
The ripples of COVID: which risk domains have been brought more sharply into focus?
While the onset of the pandemic caused many major short-term challenges for companies all over the world, the long-term consequences have only just started to manifest themselves. For example, while many organisations had prepared for the more tangible impacts of COVID-related restrictions, the more human side of the pandemic was quickly found to have been overlooked.
Zoe Williams pointed out that the culture and wellbeing of workforces have been particularly affected, with employees being taken in and out of furlough or their usual working environments having a knock-on effect on their performance - presenting a risk to the performance of the business as a whole.
Two other major areas of risk were also identified by the panel. Stefan Gershater pointed out that the rapid pace of change within markets has made it difficult for many firms to increase their productivity, with a subsequent risk of losing market share to more agile and responsive competitors. Paul Thomas also highlighted supply chains being affected due to the global nature of the pandemic, including the supply and procurement of goods internationally at a time when many borders were closed.
How risk management functions are being tested
Stefan Gershater remarked that organisations that have taken a dynamic, and more frequent, approach to their risk management are those that are likely to have performed better through the challenges of this year. He suggested that companies that account not only for high-level risks, but also the subsequent, more granular impacts in every area of their business will enjoy competitive advantage in the future, thanks to being able to react better and quicker in times of disruption.
Zoe Williams took a positive approach and pointed out that the pandemic has highlighted deficiencies in risk management in ways that may never have happened without the onset of COVID-19. While some organisations have been pleasantly surprised at the speed and agility of their response, those who have struggled have been able to learn valuable lessons, and take action to improve risk management frameworks for the future.
Big changes after Brydon?
The panel then turned its attention to the consequences of the Brydon Review. Paul Thomas felt that the scope of risks that could be identified and reported on should now be widened as a result, with cyber-security, environment and health and safety (EHS) in particular given further consideration. Alongside this, he felt that businesses may move away from annual paper-based reports for their auditing in 2021, towards a more comprehensive and more regular approach that leverages technology to keep regular track of the most important risk indicators.
Zoe Williams added that how organisations deal with fraud will be especially difficult, with regard to where the line is drawn between subjective professional suspicion and objective facts and data.
Integration of risk is the way forward
“In a nutshell, IRM helps to turn fiction-based assumptions into fact-based assertions, which are supported by surfacing the right level of information up through an organisation.”
Marc Jackson, Practice Director, Turnkey
Stefan Gershater stressed the importance of Integrated Risk Management (IRM) in making risk a more central part of how businesses operate, rather than being “industries within themselves” that operate separately to the rest of an organisation. He also suggested that businesses should identify and assess risks in the context of the value they are trying to create, rather than the value they want to protect.
Zoe Williams drew on her own recent experiences with a company that had fully embedded Integrated Risk Management into its culture, with risk considered through every decision day-to-day and the risk management team acting as advisers and enablers throughout. Paul Thomas felt that Zoe’s example showed what was possible when Integrated Risk Management had fully matured within a business, and added that many organisations are still aspiring to reach that level even now.
The panel then went on to highlight the most valuable technologies in supporting a successful IRM strategy. Stefan Gershater recommended the use of automation to aggregate and analyse data to find patterns and insights. However, he also pointed out that working out the questions that need to be answered is the essential starting point, and that putting this framework in place early on pays huge dividends in promoting stakeholder engagement. Talking about how technology can support IRM, Paul Thomas suggested that no single piece of technology is a “one size fits all”. Rather, the integration of several different solutions is likely to be the only way to suit the unique needs of an individual organisation.
What has been made clear by the pandemic is that many organisations have not conducted enough stress testing. All the panellists agreed that the differences between those who have and those who haven’t have been exposed by COVID-19. Collectively, the panellists also suggested that firms with a more dynamic and fluid approach to risk management were poised to gain competitive advantage in the current climate, and that many had viewed the pandemic as a positive opportunity to improve in this area.