The risk maturity journey is a problem the risk profession has been grappling with for far too long. It’s time to focus on data
I benchmarked, modelled and studied risk maturity for three years, engaging with over 150 organisations and picking up many great tips, anecdotes but also hearing the questions and frustrations of senior business and risk leaders.
One over-arching pain-point was that many felt stuck, having implemented best practice frameworks and templates but feeling they still needed to do better in terms of influence and affect in the boardroom, decision making, and delivering real value through risk management. The proverbial risk maturity journey is the problem our profession has been grappling with for far too long.
Most of us know risk management must be simple so that we can engage a wide audience of senior, busy, impatient non-risk experts but what we often overlook is that the output needs to deliver value in terms of helping these same senior stakeholders make better decisions.
It is important to consider the C-suite persona and think carefully about their needs, fears, personality traits, what they read, hear, say and in particular how they think about and make decisions.
In the shoes of your key stakeholders, you need to look at your risk register templates and the content within and consider this: Is it really about culture, influence, personal style or gravitas, or is the content in your risk registers simply insufficient to help them make real business decisions?
There are two improvements that we can all make to have greater impact.
1) The risks themselves are often too high-level.
When analysing the C-suite persona, they are used to seeing clear problem statements and business context explained to them. Instead of, “Risk of a cyber attack or data breach”, how about something that uses SMART principles and plain English i.e. “Recent IT security attacks affecting other companies have targeted outdated equipment. Our network so far hasn’t been hit but has a lot of unpatched legacy systems and equipment.”
2) No real data in risk registers.
The scores are not real data, they are best guess judgements against broad definitions and should be used for prioritising where to focus. Instead, bring in data in the dialogues and interactions with stakeholders. Natural follow-on questions from the above risk problem statement is: “What % of our systems are unpatched” and from that, a clear action is to improve on this. Take a performance management approach to tracking the risk. Each quarter we can lead by the numbers to show true progress.
When I speak to clients, executives, boards and committees I always ask them to support a data-led approach to risk management. This will automatically lead to better transparency and accountability of risks. It will also highlight areas of the business where data is not mature or unavailable, leading to other decisions on whether we should standardise or automate processes, align systems and improve data quality.
We might agree that for a particular risk, data is not feasible and we will have to revert to anecdote and narrative reporting by exception.
There may be some resistance. Some stakeholders will not appreciate increased transparency, after all, even in performance management terms, there will always be a small population that are under-performing.
Looking at your risk register, do you know which risks are “under-performing”? Perhaps answering this question, backed up by data, can tell them something they don’t actually know, which is valuable. Such an approach will begin shifting the tide from a risk maturity journey to a data-maturity journey.
Danny Wong is an enterprise risk management practitioner and CEO of GOAT Risk Solutions