According to Gartner, Dynamic Risk Governance is the new mandate and organisations need to get better at managing risk holistically. Furthermore, organisations are undergoing rapid change as they emerge from the pandemic and embrace the digital era. Consequently, they face a perfect storm of new, rapidly changing and interconnected risks.
The Three Lines of Defence model for risk governance is, according to Gartner, outdated and needs to be replaced by Dynamic Risk Governance. This new model consists of:
- Risk-tailored governance – creating distinct governance models for each risk and tailoring them to the strategy of the organization using risk appetite and volatility
- Activity-based risk governance – allocating risk management activities to the people best placed to conduct them
- Digital risk governance – putting opportunities to digitize risk management first, to increase the use of digital technologies, rather than considering them as an afterthought.
Dynamic Risk Management
In the same vein, the global management consultancy McKinsey has identified the need to adopt a new approach to managing risks.
According to McKinsey, in response to dramatic shifts in the risk landscape, nearly all organisations need to refresh and strengthen their approach to risk management by adopting Dynamic Risk Management.
The 3 core components of Dynamic Risk Management according to McKinsey are:
- Detect risks and control weaknesses – Anticipate, predict and observe threats rapidly based on disparate internal and external data points, and assess risk magnitude, risk-impact duration and internal control effectiveness
- Delimit risk appetite – Set limits on risk taking dynamically, accounting for business values, strategy, risk management capabilities, and compliance environment
- Decide on risk management approach – Decide promptly if risk requires immediate or more prolonged response or mitigation and undertake appropriate response or mitigation with a feedback loop to track response and effectiveness
Gartner and McKinsey are not talking about the same thing here, although the two are related: they are the ‘G’ and the ‘R’ in GRC (Governance, Risk Management and Compliance). Common to both proposals is the need for dynamism – the ability to be agile and move at speed.
With business models, technology, the risk landscape, regulations and geo-politics all changing rapidly and advice from analysts, management consultants and regulators continually evolving, how can organisations keep up?
Dynamic risk governance and management requires agility in strategy, process and technology. The proposals from Gartner and McKinsey won’t be the last and organizations will want to adapt their strategy and processes continually. The underpinning data model and technology platform need to be flexible and agile to adapt quickly to change.
The role of technology in a smooth transition to Dynamic Risk Governance and Management
Organizations will continually be in a state of transition from strategy to strategy and process to process, and the technology used must support migration. The Three Lines model won’t be replaced with Dynamic Risk Governance overnight but will instead transition over time.
Similarly, static heat-map risk assessments won’t be replaced with dynamic quantitative risk measurement overnight and will transition over time.
The choice of technology platform will determine the ability of organizations to embrace change, seize opportunity and safeguard the business. Critical requirements are:
- 360-degree contextual awareness of risk – visibility of all the information that influences risk to business objectives and informs decision making
- Quantitative measurement, aggregation, prioritization and RoI assessment
- Real-time analytics, dashboarding and reporting
- Enablement of multiple risk governance and management strategies and processes across the Enterprise
Agility in risk management is now critical. If your technology platform can’t be deployed within a few weeks, adjusted to accommodate new strategies and processes within a few days, or if you need to rely on a vendor to make changes, you do not have an agile platform. As a result, you will struggle to implement Dynamic Risk Governance and Dynamic Risk Management.