GRC Tuesdays: What Are the Top Risks for 2020 and How to Better Involve All Stakeholders?
Predicting risks is sometimes more of an art than a science. This blog isn’t about our current state of preparedness for a pandemic-type scenario like the one we are facing with the Coronavirus; not being a doctor, I am most certainly not qualified to comment on that.
This blog instead will focus on reports that consolidate views on what are the top risks for the year ahead. But with a new twist I hope.
In Governance, Risk and Compliance, we usually focus exclusively on business risks, that is, the ones identified by executives. Here, I wanted to compare these inputs with the concerns of the wider community about the risks that they feel are the most pressing.
In my experience, stakeholders in the risk management process, be they employees, contractors, and so on, will be much more involved if they can relate personally to the risk events that they are asked to manage. Presenting these risks only from the perspective of the organization therefore cuts them off from this connection. In this blog, I’d like to offer thoughts on how to reconcile both views, business and community, in order to ensure a successful outcome for both parties.
For this purpose, I selected 2 reports:
* North Carolina State University’s Enterprise Risk Management (ERM) Initiative – Executive Perspective On Top Risks 2020 => North Carolina State University has been working with Protiviti for the past 8 years, surveying board members and C-suite executives worldwide about the risks that are likely to affect their organizations, and these are the results of their latest publication;
* World Economic Forum (WEF) – Global Risk Report 2020 => the World Economic Forum’s findings are based on a survey of members of its diverse communities. WEF has also been working with academics (National University of Singapore, University of Oxford and University of Pennsylvania) for this 15th edition of the report.
Top Risks from the North Carolina State University Enterprise Risk Management Initiative
Of the top 10 risks identified, 3 are usually included in the internal control framework: Impact of regulatory changes (#1), Cyber threats (#6) and Privacy and information security (#7).
These 3 risks are not only operational in nature, but also inherently carry non-compliance aspects, which explains why they are also monitored by the Control and Compliance teams.
Unfortunately, control owners sometimes feel that they are simply “checking the box” when performing the control activities in relation to these risks. As a result, the effectiveness of the risk response program around these is often questioned.
So the question becomes: how can we change this perception of a simple “bureaucratic risk management approach” and increase the engagement so that risks are adequately taken care of? This is where the second report comes into the picture.
Top Risks from the World Economic Forum
From the WEF report, and therefore from the perspective of the wider community, we can see that the top risks relate mostly to 4 categories:
* Environmental (Climate action, Extreme weather, etc.);
* Technological (Cyberattacks, Information infrastructure breakdown, etc.);
* Societal (Water & food crises, Infectious diseases, etc.) and
* Geopolitical (Interstate conflicts, Global governance failure, etc.).
Of course, most organizations can’t mitigate these risks alone. But interestingly, some of the risks keeping executives awake at night are listed here as well, including the 3 mentioned above.
Making the 2 Views Meet to Foster More Involvement from Employees and Other Stakeholders
Governments usually push new regulations in order to better protect consumers or investors but also to respond to some of the Environmental and Societal risks. For instance, recent Environmental, Health and Safety (EH&S) regulations have been issued to ensure that pollution is decreased, and as a result to try and tackle climate change. Furthermore, in countries where water is already a scarce resource, “Water Acts” have been introduced. These are regulations that companies have to abide by and as such, are a component of the “Impact of regulatory changes and scrutiny on operational resilience, products and services” ranked as top risk in 2020 by executives.
Risks #6 “Cyber threats” and #7 “Privacy/identity management and information security” align perfectly with the Technological risks in WEF’s report.
As a result, instead of just aiming for compliance with a “tick the box” approach, why not present the regulation in a way that employees, or any other stakeholder, can relate to?
* Environmental regulations across the world are not only designed to save cost by reducing energy consumption or reducing waste through recycling, but more importantly to safeguard water and other resources;
* Data Privacy regulations such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) in the USA are really focused on protecting our personal data, as consumers and citizens;
* And to focus on a piece of legislation that is often perceived as having little added value: the Sarbanes-Oxley Act is not about creating more work for consulting organizations and software vendors. It exists to protect the investment of the public by ensuring the veracity of corporate financial statements.
By presenting business risks through a “citizen lens”, I firmly believe risk management programs would be more effective. Stakeholders in the process will be more engaged both in adequately representing the risk and in mitigating the effect of the threat or trying to reduce its likelihood.
Do you think I am being too naïve? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard