PRMIA Intelligent Risk - July, 2020


‘new age’ risk frameworks in a post-pandemic world

by Kristen Gantt

In this unprecedented time of uncertainty caused by COVID-19, we are moving from ‘sheltering in place’ to slowly re-opening both our businesses and personal lives. We’ve launched into a surreal and futuristic world almost overnight, with rapid change in business models, delivery channels and ways to interact with customers and stakeholders. Looking back, some organizations have used this time as an opportunity to bounce forward by reinventing the way they do business, while others struggled to bounce back and maintain relevance. In either scenario, this new world raised the bar high on adaptability.

During the disruption, both previously known and unanticipated risks are prevalent. What’s clear is that resiliency through change requires a vast increase in the speed and quality of intelligence from the owned business operations and extended enterprises on which the business depends. Known risks changed the degree of ‘heat’ based on new operating models and the processes that run them. Unanticipated risk scenarios presented themselves and required quick understanding of the new underlying processes, fast assessment of potential threats, and rapid design of risk treatment to reduce the potential for significant loss.

How then do risk frameworks adapt to the new normal? This article explores a variety of useful techniques aimed at vastly improving the quality of risk intelligence, beyond core GRC and risk data structures. Some of these methods are borrowed and re-invented from other business operations and/or industries, and each is designed to help risk frameworks ‘bounce forward’ in this new era.

‘new age’ risk assessment: a focus on process discovery

The interconnectedness between traditional risk ‘domains’ has become undeniable. The common denominator between risk categories, or ‘domains’, and the Lines-of-defense (“LoD”) who manage these risks, is clearly the end-to-end (“E2E”) processes used to deliver critical goods / services through defined products. What the COVID-19 experience has reinforced is that the extended enterprise, including third parties, and its people, processes and technologies used to deliver quality goods / services are inextricably entwined to sustain delivery of these products and services. At the same time, a significant proportion of regulatory obligations directly link to how the organization decides and processes transactions. To enable compliance, processes and control activities need to be well-designed. Ultimately, siloed risk assessments based on siloed views of E2E processes can no longer survive the new era.
