Renee Murphy
Distinguished Evangelist

Building long-term ERM resilience: Experts share the keys to success

March 21, 2024

It’s 2024, but for many organizations, their enterprise risk management (ERM) practices are stuck in the past. There are still companies of all sizes — big, small and in between — who don't really have a risk management function or structure.

Why is this a big problem? The risk landscape has changed so dramatically. Take AI, for example. Everybody’s using it, and it’s having reverberating effects on everything we do: productivity gains, labor losses, people needing to be re-skilled.

Are we headed into a risk management repeat of what happened with social media — where we discovered all these terrible behavioral and cognitive consequences on young people, including their ability to interact socially — 15 years after the fact? Or are we going to be older and wiser this time, contemplating the future risk of generative AI now, and preparing ourselves with future scenario planning?

AI is just one risk of many. Given everything that’s going on in the world today, companies that are lagging behind had better kick it up a couple of notches — fast.

I recently hosted a session at Diligent’s ERM Virtual Summit, entitled “Future-proofing your business: ERM strategies to build long-term resilience.” I was joined by GRC analyst and pundit Michael Rasmussen, also known as the “Father of GRC”; Andrea Bonime-Blanc, founder and CEO of GEC Risk Advisory, as well as board director, strategist and author; and Martyn Brush, the former CRO of global markets for the Royal Bank of Scotland, who’s now also a board director with Fordham Global Foresight and CEO of ePanoptes.

Here are some highlights from our conversation.

Considering all facets of risk

Rasmussen pointed out that many risk management leaders don’t take a broad enough view.

“Too often, risk management in the United States is a Sarbanes-Oxley compliance exercise and not true risk management. Let me check my checkboxes or controls, then I want my get-out-of-jail-free card.”

Other companies automatically gravitate toward cybersecurity when they should consider so many other risks in constant flux, such as regulations and enforcement actions, the external geopolitical environment, economic risks (including inflation and commodity pricing), third parties, technologies and processes, and mergers and acquisitions.

Bonime-Blanc highlighted how a good ERM program can provide a holistic view of these converging risks. “It’s going to help you not just understand and identify your risks and the various buckets of risk that are applicable to your footprint,” she said. “It also really helps you understand where you can do better — how you can create better products or services, better structures, better processes.”

As the definition of risk expands, Rasmussen emphasized the need for collaboration, harmonization and balance.

“It’s chaos trying to keep all this change and risk in sync,” he said. “To me, the chief risk officer is like the conductor of an orchestra who has to make sure all these things are in balance and working together collectively.”

Choosing what to focus on

Brush spoke of his time at an investment bank, where the gigabytes of data his team analyzed on a daily basis made up only part of the risk management story. The truly important element? “Asking the questions that are outside the things you’re measuring.”

This includes looking at the factors you don’t think will impact your business. Brush talked about companies underestimating the extent and duration of business risk after Russia’s invasion of Ukraine. These impressions were soon proven wrong. “Energy was disrupted. Chip production was disrupted,” said Brush.

He moved these prognostications to a present-day scenario: the continued global adoption of AI and the infrastructure, like chips, needed to power it.

“Nvidia's results last week underline exactly how important chip production is going to be for our near future,” he said. He then mentioned the chip fabrication facilities needed for this production. “A significant proportion of them are sitting on an island 80 miles off the coast of China.” Given the long timeline of chip fabrication, how will geopolitics, climate change and other factors impact this picture?

Combining the right people and the right culture

Finally, we talked about the people behind all of these efforts. Who should you make sure is on your ERM team? What processes should you have in place to bring out their best thinking and work?

I’ve seen great success when small teams dedicated to the salient, important, challenging issues, ranging from anti-corruption to cybersecurity, work with two or three members of the C-suite and executive team. There's a powerful interconnection.

Bonime-Blanc also emphasized this, stating, “I think one of the most important things, beyond having the right tools and structure, is having the right people in the loop, and putting together a diverse team of experts.”

Rasmussen cited the importance of “right-brain thinking on risk — that creative, imaginative outside-the-box thinking. Risks are so interconnected, and models are limited; they're not the real world,” he explained.

“Models are there to provide you with insight, but they won't tell you what the future is going to hold,” Brush concurred.

Brush recalled risk advice from former military leaders. While businesses operate in two states — war and peace — members of the armed forces have a third state for making the most of non-crisis time. “They practice,” he noted. “They train. They review every mission to see what was learned properly. It’s not some box-ticking exercise, and there is no blame.”

“Risk is often about culture,” he said. “It's about having people brave enough to ask questions.”

And one final bit of advice from Brush: Don’t forget to “actually do the risk management after you’ve made all the decisions at the board level.”

For more expert insights into how your organization can build a more effective ERM strategy, watch all four Diligent ERM Virtual Summit sessions on demand.
