Sabrina Serafin speaks with Jason Sammons of our Process, Risk & Governance practice about implementing risk management as a strategy to help small and mid-sized businesses grow and reach their potential.
Culture of Compliance is available on iTunes, Google Play Music and Spotify.
One Size Fits One: Implementing Risk Strategy Transcript
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina: Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance practice. Today, we’re talking to Jason Sammons, who is a partner in our Process, Risk & Governance practice, about the changing risk landscape and some interesting findings from recent studies about corporate risk. Welcome, Jason.
Jason: Hello, thank you.
Sabrina: Before we start talking about the results of the studies that you’re going to reference today, I’d like to make note to the audience that we’re really just scratching the surface of this topic, and Jason is always available to further this discussion with any of our listeners. Jason Sammons’ contact information is available on frazierdeeter.com, and he would be more than happy to take a deeper dive into these topics.
But to start today, Jason, we want to dive into the major concerns for risk managers and individuals and organizations who are tasked with the responsibility of managing risk and how this landscape is changing. So, of the two studies that we want to discuss, the first is the AICPA’s 2018 “State of Risk Oversight.” Jason, can you introduce this and walk us through some of the key findings?
Jason: Late in 2018 the AICPA conducted a survey and a study of the evolving practices as it relates to enterprise risk management, and we found this study really interesting. They surveyed almost 500 companies that included a high mix of publicly traded corporations, financial institutions and not-for-profit organizations. A good diverse mix that had a couple of really interesting takeaways, the first being that 60% of that population felt that risks and risk management is increasing in complexity, as well as the volume of risks.
And I think that that represents a continual change in the landscape of risk management in general. For a number of years, most people were plodding along. It’s been a while since the financial crisis, and with the change in technology, the competitive pressures, the disruptive innovations that companies are facing, they’re starting to experience some of those challenges and some of those risks to their underlying business. Further, 65% of the respondents said that they have recently experienced an operational surprise due to a risk that they did not adequately anticipate.
Sabrina: Can you give an example of what one would term “an operational surprise?”
Jason: One example that I’ve studied recently related to a company who relied on a third party to provide IT managed services, and in a weather event, they lost connectivity to run their operations from their primary data center. While they had performed the basic disaster recovery type planning efforts, they had not fully anticipated the effort to fall back to their original production center.
In the return to try to get the primary systems back up and running post-event, they experienced significant challenges in restarting the processing in the operations, so they were unable to serve customers in that interim period, which was very much unanticipated in their overall testing strategies. Another key point that is a good takeaway is that less than 25% of the organizations in this survey rated their risk management practices as mature.
Sabrina: So for our listeners, can you define what mature would be perceived as?
Jason: That’s another great question. I think when we talk to our clients and friends about risk management, one of the often-used phrases is that one size fits one when it comes to risk management. So what defines mature for one organization may be different from what defines it for another organization. But what I would speculate in this survey is that it had to do with having a formal, repetitive process with clearly defined risks, clearly defined actions as to who’s responsible for managing those risks and most likely a governance body that’s responsible inside the organization for risk management.
Sabrina: So the remaining 75%, and I would suggest a lot of mid- to smaller-sized organizations with limited resources, how are they coping with the risk management responsibilities?
Jason: I think that risk management is a part of every manager’s day-to-day responsibilities. I think that companies underestimate the value of formalizing enterprise risk management, the overall risk literacy and risk language that develops inside of an organization. While these operational surprises we talked about are prevalent, of the vast majority of items that do show up on an enterprise risk management framework, there are rarely items on that list that people have not already thought about. This just brings everything into one common place for organizations to talk about, in a common language, and how they assess the severity and the potential impact that those risks could have on their organization.
The last point on this study is that over 80% of organizations struggle to effectively integrate risk management with their strategic planning efforts. And this ties in with the recently updated COSO ERM framework that is actually titled and oriented around managing risk in the context of strategy and performance. A lot of companies and a lot of professionals historically have talked about risk and control together. What the new COSO ERM framework really encourages companies to do is to think about risk and performance, risk and strategy and start with the company’s objectives for success, how they are aligned and identify the core risks that really impact or could impact their execution and achievement of their strategic objectives.
Sabrina: I think that’s exactly where we bring this discussion into the fold around how the culture of compliance is something that should be introduced within the organization and moving from a risk and controls view of the organization to a risk and strategy view of the organization ties into exactly what this podcast series is driving towards.
How does an organization that is constantly trying to keep the lights on incorporate what are best practices or compliance activities? Can you talk to us more about how that strategic aspect is being introduced to organizations across the board?
Jason: Every entity exists to create value, and effective enterprise risk management programs are designed to promote the creation of value, to preserve value that has already been created. Many times, I think that this concept is mistaken for just focusing on the downside of risk or not taking risk. But we all know that successful businesses have been created on taking the right risks and the concept that the fastest cars have the best brakes. It’s something we talk about in terms of the imagery. That risk is not in and of itself bad. What’s ineffective in terms of risk management is not managing the right risks or not knowing which risks you’re managing.
Sabrina: So now that we’ve talked about the perspective of risk management from the executive standpoint, let’s change gears and talk about the boardroom. I understand there was a study that came out of North Carolina State University called “Executive Perspectives on Top Risks for 2018,” and its subtitle was “Key Issues Being Discussed in the Boardroom and C-Suite.” Can you tell us some of the findings from that study?
Jason: This is something that’s also published on an annual basis, and we like to consume and observe the trends that are occurring in this area. Usually they publish a list of the top 10, 20 risks that companies are facing across a variety of organizations. These involve a combination of macroeconomic, operational and strategic risks. Again, the concept is to consider risk in the context of strategy. One of the primary things that companies have faced is the rapid speed of disruptive innovation, the new and emerging technologies that threaten business models.
Jason: We see the examples throughout financial institutions, we see throughout transportation with Uber and Lyft and others of the world, how we pay our bills, how we communicate with each other. And so the legacy companies that have long dominated in that space, if they’re not anticipating these disruptive technologies, people can move really quickly and take market share.
Sabrina: Can you tell us more?
Jason: Some other things that came up on this study revolve around people, and I think continuing to see the importance of people and culture to an organization’s success is really important, so that manifests itself in a couple of ways. Resistance to change, though, also connects back into the first point about adopting disruptive technologies, disruptive innovation and responding in a timely and appropriate manner, and then having the right culture to escalate risk issues and deal with them appropriately, to discuss them, and having a culture that encourages candid and open communications.
And then, the last couple of things that I would highlight from the study is, obviously, the cyber threats and the emphasis on data security and privacy. I believe those will continue to be key elements of any organization’s risk management strategies. And then, two things came into the list that are new in the most recent study; the first being utilizing data analytics and big data, and we see that in many, many different ways. But again, converting the information that companies collect and using that as a competitive advantage, while also respecting, again, the privacy concerns and the other regulatory requirements that exist. And then the rising expectations and just the overall transparency that we operate in today, where our consumers have a very big influence on the results of an organization, as well as the broad investor community and the public perception of an organization’s values and operations.
Sabrina: Thank you for that, Jason. I would speak for our audience in saying I believe it all seems very overwhelming. And the overall risk management process is still overwhelming. What advice do you have, or what direction can you give to our listeners who are really just trying to take this all in and prioritize?
Jason: I think you’re right, it is a lot, and managing a business is a challenge. I know that the most successful companies embrace that challenge. But I think considering the role of enterprise risk management in their organizations, my advice is to identify and really highlight the things that they want to focus on. So most organizations have a pretty precise strategy as to how they’re going to succeed in their given marketplace and the number of risks that really matter to be focused on does not need to be a long list. I think the goal is really to have a composite view of risk across your organization. You’re never going to achieve a consensus view of risk where everyone sees it the same way.
Sabrina: Can you define what you mean by a composite view?
Jason: So a composite view of risk is having the input of a wide variety, a diverse section of your organization, people with different points of view and different priorities, and what you expect by having the input of those people is A) they’ve had the opportunity to give their input, and B) the most significant items will naturally rise to the top. Even in this study that we’re talking about, of the top 10 risks across this large population of organizations surveyed, one in four of the respondents rated each of these top 10 risks as having a low or less significant impact on their organization.
Sabrina: How is that possible?
Jason: People are most interested in what’s right in front of them. And on the flip side of that, the other three people, three out of four, are viewing each of these risks as having a significant impact, so there’s not a lot of gray area in this survey in particular. But I think we find that in practice as well, that the outcomes of the one-on-one conversations, the surveys, the workshops that we conduct are that the top five to eight to 10 risks naturally rise to the surface and allow management to have a manageable list of items which they need to manage going forward.
Sabrina: Well Jason, I want to thank you for joining us today on the podcast. And to our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.