As vaccine rollouts continue and organizations begin to rethink how their business models will adjust as we move to the next “new normal,” risk professionals are looking to leverage the positive risk management lessons learned from navigating the pandemic to strengthen their organizations’ enterprise risk management processes to manage the ever-evolving risk landscape.
Over 200 risk leaders from around the world joined us for our Spring 2021 ERM Roundtable Summit to hear insights from peer risk management leaders who shared details about some of their recent risk management work.
Engaging Executives in Risk Discussions in a Virtual World
The remote, virtual work environment that most organizations find themselves managing added a new challenge for ERM programs as ERM leaders sought to engage their management teams in risk identification and risk assessment activities. Pre-COVID style in-person risk workshops haven't been possible in 2020 and early 2021, so ERM leaders are turning to virtual platforms to engage executives in conversations about emerging risks to their business.
Angela Hoon, VP of Internal Audit and Risk, and Todd Hillman, Senior Manager of Internal Audit and Risk, at Advance Auto Parts shared how they leveraged virtual platforms to engage their leadership team in discussions about external trends and emerging enterprise level and business unit level risks to the company’s strategic priorities. They used a combination of cross-functional team virtual workshops (via Share Point) and business function workshops to tease out risk challenges that may be on the horizon.
One-on-one virtual interviews of board members and senior executives combined with group facilitated virtual workshop discussions with multi-levels of business function leaders provided the foundation for risk identification and risk assessment. Participants engaged in discussions while at the same time sharing their risk thoughts real-time via the Share Point platform, which helped foster a rich level of engagement and dialogue for participants. A key to the success of these workshops was the level of preparedness in advance of the meetings, preformatted documents for participants to complete tasks, and a clear agenda. These collectively ensured a high level of participation among participants, which ultimately generated tremendous insights about risks on the horizon.
Managing Risks to our Nation
Most risk professionals are overwhelmed by the volume and complexities of risks affecting their organizations. Imagine what it must feel like if you are trying to help manage systemic risks that might affect the United States of America. That’s what Bob Kolasky, Assistant Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), deals with daily as he helps lead the Department’s National Risk Management Center. Bob provided an overview of the work of the National Risk Management Center.
The NRMC works closely with the critical infrastructure community to identify and analyze the most significant risks to the United States. The NRMC works with government and industry to identify, prioritize, and manage the most significant strategic risks to the Nation’s critical assets, systems and networks that provide functions necessary for our way of life. The focus of the NRMC is to ensure the security and resilience across 16 critical infrastructure sectors, such as generating power to supplying clean water. Bob shared insights about the process the NRMC uses to keep an eye on emerging risks through networking communities and he encouraged participants to take advantage of the periodic risk updates provided by the NRMC (NRMC Resources at this link: https://www.cisa.gov/nrmc-resources).
Escalating Compliance Expectations
Often when we think of compliance challenges we tend to think those are issues for entities in regulated industries, such as financial services, energy, and insurance. However, as highlighted by Amy Matsuo, National Leader for KPMG’s Regulatory and ESG Insights, there is a growing sense among business leaders that there is a rising tide of rules and supervision that will continue to escalate for organizations of all types and sizes. Expectations related to climate and social changes, privacy, security, anti-trust and consumer protections (and the list goes on) are impacting entities in all industries, not just the regulated ones.
Amy shared perspectives about a number of compliance themes, particularly related to climate and ESG and consumer protection. She highlighted how regulators are starting to expect companies to identify and refine ESG and climate-specific risks across risk disciplines, including reputational risk. And, there is a growing refocus back to consumer and investor protections with regulatory attention to fair access, anti-trust, and privacy. Amy challenged participants to evaluate their organization’s existing core risk management activities, framework, and coverage for effectiveness and potential redundancies. She encouraged them to keep a finger on the pulse of rapidly changing federal, state, and local obligations and to increase the frequency at which they refresh their risk assessments in order to account for the new environment.
Understanding Emerging Board Expectations
Bonnie Hancock, Executive Director of the ERM Initiative, moderated a panel of three individuals currently on a number of corporate and not-for-profit boards: Kelly Barrett, Janet Cowell, and Lloyd Johnson. This expert board of director panel shared insights about the importance of having entity management engage in more robust risk thinking, with an emphasis on linking risks to what is most important strategically for the enterprise. Each emphasized the importance of having a reliable risk management system with regular communications from management to the board about the ever-changing risk environment.
The panel of directors emphasized the importance of having rich dialogue and discussions with management rather than a “death-by-PowerPoint” review of risk data. They also highlighted the importance of having the full board engage in discussions about top risks, while at the same time emphasizing the value of delegating responsibilities to sub-committees of the board for deeper-dive analyses of specific risks issues, with subsequent reporting by the subcommittee back to the full board.
Highlights from 2021 State of Risk Oversight Report
ERM leaders are constantly evaluating their organization’s approach to risk management and they frequently seek benchmarking information about the state of risk management practices in other organizations. To meet that need, the ERM Initiative at NC State, in partnership with the AICPA, conducts an annual survey of the state of risk oversight practices. Mark Beasley, KPMG Professor and Director of the ERM Initiative, provided highlights from the forthcoming 2021 State of Risk Oversight Report: An Overview of Enterprise Risk Management Practices (now released – download report here).
Mark noted the 12th annual report reveals that executives believe risk volumes and complexities are at their highest level in 12 years, increased by significant events tied to COVID-19, social unrest, recent elections, extremely low interest rates, and a host of other triggers. Recent realities are revealing a need for real change in how organizations oversee the constantly evolving risk landscape.
This 2021 State of Risk Oversight Report highlights over 40 different dimensions of risk management practices that readers can use to benchmark their risk management processes along several dimensions. And, it includes a Call to Action and an Evaluation Template that executives can use to quickly assess their risk management programs. In addition to providing analyses for the full sample, the report includes sub-analyses for large organizations (revenues > $1B), public companies, and not-for-profit organizations.
Leaving with Key Take-Aways
Jeff Lovern, Chief Risk Officer of Principal Financial’s International Operations, closed out the day with a summary of a number of key take-aways he gleaned from the jam-packed Summit agenda. Jeff highlighted a number of ideas he heard that will provide food-for-thought for potential implementation in his organization. Other participants shared insights and ideas during two different breakout sessions as well.
Watch announcements on our ERM Initiative website for future workshop opportunities. Remember…Risk management isn’t getting easier, it’s just becoming more important!
Read ERM articles as soon as we post them
Keep up-to-date with current developments in ERM. Subscribe to the ERM Newsletter.