Avoid the enterprise and reputational risks of poor risk management
Book publishing companies and booksellers paid almost no attention in 1994 when a tiny online bookstore called Amazon appeared, and certainly didn’t imagine that it could grow to become a corporate threat to their very existence.
How is this relevant to enterprise risk management (ERM)? Because ERM aims to spot risks on the horizon before they happen, before they have even been considered to be a problem, and well before management realises they have a risk management problem.
While the COVID-19 pandemic in 2020 took the world by surprise, those companies that were able to quickly pivot in response to the situation fared better. And while an ERM analysis might not have specifically identified a worldwide pandemic as a risk, companies that had set up ERM processes to manage enterprise risks, both broad and long-term potential risks, were better prepared.
You might say, “but our company already has a risk assessment process in place.” The problem is, without the holistic nature of ERM that looks at management of risk across the whole enterprise, a typical risk assessment – or traditional risk assessment – can miss things.
The risks of traditional risk management
Traditional risk management focuses on avoiding risk, but it is limited by its siloed nature, with specific roles taking responsibility for different areas of risk. Each functional leader manages the risks for their area of responsibility, but no one looks at risk management for the whole entity.
This can lead to the following problems:
• risks can fall between the silos if they don’t neatly fit under one functional area
• risks for the company as a whole can be underestimated by functional leaders because they don’t affect their functional area (“not my problem”)
• risks can be managed without considering the impact on or consulting other areas of the company (e.g. the finance department refuses to accept particular payment services because they are focussed on the management of default risk, which severely reduces the customer base because they cannot pay without those services or technology)
• overlooking risks outside the company and only focusing on internal risks that can be controlled within the company
• inability to see the magnitude of long-term risks.
Falling between the cracks
These problems mean risks can be missed, particularly if they are large and slow-moving but ultimately catastrophic, such as climate change or a new technology or service that seems innocuous and niche to begin with…
Sometimes the risk seems almost inconceivable until much further down the road. At its peak in the 1970s, who at Kodak would have believed that one day consumers could take professional quality photographs using a telephone, with no need of a camera or photographic film?
Enterprise risk management seeks to overcome the limitations of risk assessment by taking an enterprise-wide view of risk and implementing management of risk at a strategic level. By looking at the big picture, ERM is more likely to avoid the dangers of traditional risk assessment. Companies using ERM are less likely to miss important risk signals, or to wait until the risk hits them before acting, because by then it’s too late.
Types of risk
So what risks does ERM consider?
Because ERM looks holistically at the whole enterprise, ERM looks at all kinds of risks.
Some of those corporate risks include:
• Human resources / conduct and compliance
Reputational damage is an ever-present risk
Given the value assigned to corporate brands, it can be argued that brand and reputation are some of the best and most valuable intangible assets that companies can have, but until recently it wasn’t possible to get insurance that covers brand damage. This makes management of the reputational risks arising from customer interactions or employee conduct a serious concern for companies.
But in today’s complex enterprises, where marketing, sales, customer service, communications, customer experience and frontline sales and service functions can all sit in different management teams, it can be easy for reputational risks to fall through the cracks.
While People Development teams can work hard to ensure employees have the skills to do their jobs properly, even these teams can be siloed, with Learning and Development sitting in one team, while Human Resources, Internal Communications and Employee Engagement sit in different management teams. This makes risk management across the organisation a challenge.
YakTrak can address these risks using its unique cloud-based software platform that can not only track conversations that your staff are having with customers, but also the conversations your leaders are having with their people. In addition, and most importantly, YakTrak also tracks the remediation that takes place after a conduct risk or compliance breach has been identified and makes reporting to management about remediation easier. ERM makes your risk management challenges easier.
Best ways to respond to risk
In general terms, some of the types of possible responses to risk include:
• Acceptance or tolerance of a risk
• Avoidance or elimination of a risk
• Risk transfer (e.g. sharing the risk via insurance services)
• Mitigation of risk using internal control procedures
• Other risk prevention activities
How an organisation responds is somewhat dependent on that organisation’s appetite for risk. Risk appetite (aka tolerance) is the level or degree of risk that an organisation is comfortable with. Some organisations are more risk averse than others, and some industries naturally lend themselves to being more risk averse. Regardless of an organisation’s tolerance for risk, however, management of it is imperative.
ERM in highly regulated industries and services
At a board level, risk, and particularly compliance and conduct risk, has become a regular topic for highly regulated industries. Following the Hayne Royal Commission into the Financial Services Industry in Australia, there has been an increased need for transparent governance and appropriate responses and monitoring systems around risk management. While these changes place a governance burden on companies and their management, they are generally considered by society to be in the best interests of customers, employees and organisations themselves.
Highly regulated industries include:
• Finance and banking
• Aged care
Other countries have similar requirements and resources for governance and regulation to minimise risk, including the Sarbanes-Oxley Act (SOX) of 2002 and the Committee of Sponsoring Organizations (‘COSO’) that developed from the National Fraudulent Financial Information Commission (the Treadway Commission) in the United States. International advisory guidelines and standards around risk management are also helpful, such as the ISO 31000 Risk Management standard and recommendations for safeguarding against financial risk such as Basel III.
Good corporate risks
Once upon a time, the best course to chart to avoid corporate risks was seen to be insurance. Traditional risk management is about avoiding risk, but enterprise risk management looks at risk with an enterprise-wide lens and can also consider “good risk.”
Good risk is the kind of calculated risk that can help grow companies and is a cornerstone of the twenty-first century entrepreneurial world of business and innovation.
A good way to tell if an organisation is on top of ERM is whether they have a Chief Risk Officer in their company. These organisations recognise that ERM can become a competitive advantage as well as a sensible corporate risk approach. And by placing enterprise risk as a key part of corporate strategy, these organisations are able to use the information and insights from ERM assessments to inform their strategic plans.
The importance of enterprise risk and company strategy
The key to ERM is that it is tied to strategy – what are the risks that may impede or provide opportunities for achieving a particular strategic business aim?
One outcome of ERM is that your organisation isn’t just trying to manage risk, it is trying to manage risk to achieve strategic goals. In this way, ERM can also become a tool for strategic decision-making, because risk is being assessed through the lens of strategy.
Some of the questions your organisation should consider when undertaking ERM are:
• What internally could affect each element of our business strategy?
• What externally could affect each element of our business strategy?
• What systems, frameworks, audit processes and ERM processes do we have in place to respond to these internal and external risks?
Turning strategy to behaviour
YakTrak is a software-as-a-service (SaaS) people development system that includes a conduct risk and compliance module. YakTrak lifts capability, maximises performance and minimises the danger of compliance breaches by supporting a culture of continual learning and training.
YakTrak is affiliated with GRIST Consulting. At GRIST, consulting staff saw the leadership of organisations struggle to get their teams to understand and buy into strategy. GRIST knew they needed to translate that strategy into actionable behaviours for the frontline teams and tactical managers. They did this by breaking strategy down into step-by-step micro-behaviours that encouraged team members to focus on small actions that would help to achieve the overarching business strategy.
YakTrak now offers the same process when responding to risk. YakTrak has customisable workflows that allow organisations to set out the behaviours they want to see in relation to identified risks, and build a sequence of actions to develop capability around that risk and to respond appropriately if that risk occurs.
Implementing enterprise risk management (ERM)
While the best enterprise risk management (ERM) draws upon complicated mathematical models and actuarial analysis to understand the cumulative effects of risks, these skills are less prevalent outside of the insurance industry and aren’t necessary to begin with. Even a small entity can use an ERM style of analysis to best understand their risk profile and management of it.
ERM is an ongoing process for all organisations
The first step of implementing ERM is to consider it an ongoing process, not a discrete analysis. ERM done well is a continuous loop that begins with consideration of the strategic goals of the organisation. In other words, consider what’s important to the company and warrants enterprise-level attention and risk management. Next, the ERM process identifies risks related to those corporate priorities, does a risk assessment, develops an action plan to respond to those risks, then puts management in place to monitor and measure the control of those risks.
Responsibilities for business leaders
While actuarial skills may not be required for all entities undertaking ERM processes or risk management, companies should ensure appropriate resources are allocated. The functional and tactical actions that need to be undertaken to support the ERM process include:
• Risk management procedures, processes and protocols
YakTrak and risk management – helping companies stay on course
Once a company has enterprise risk management (ERM) in place, a system like YakTrak becomes helpful, because its conduct risk and compliance tool facilitates the regular cycle of identifying risks, assessing risks, responding to them, and monitoring those responses. Using customisable workflows, each company can build a conduct risk workflow that suits their business structure, management and processes. Customised reports can deliver insights and information for management and team leaders.
Similarly, once a risk (aka a breach) has happened and been identified, it can be a challenge to ensure that each management department that needs to know about it does, and that appropriate action has been taken to remediate the breach. YakTrak’s conduct risk function is a powerful tool that can help by tracking each remediation step within its online system, using customised workflows.
Compliance management in action
YakTrak’s compliance and conduct risk workflow can incorporate inputs from the compliance team, frontline and retail team leaders, customer remediation team and governance teams if necessary. YakTrak makes risk management easy. In addition, senior leadership can also have oversight of the entire process via their own customised dashboards of insights and information.
To understand how YakTrak can help manage a conduct risk breach between a contact centre team member and customer, watch this 90-second video.
YakTrak as an early warning system
Medium-to-large companies in Australia are already using YakTrak to assist their management of conduct risk of their customer-facing employees and leadership teams.
Recent data from a superannuation customer showed that using YakTrak created better goal setting and that the performance of frontline teams improved, with referrals and quality assurance improving. An added bonus was that YakTrak was identified as an excellent early warning system – because all YakTrak’s data is logged in an online platform, it was easy to see when coaching stopped between a leader and their team member, when goals weren’t being achieved (or set!) successfully and when quality started to decrease. These early alerts from YakTrak meant that the organisation’s management could intervene early, before small problems became big risks.
The value of audit trails
One of the consequences of increased regulation and governance in Australia is the need to be able to provide evidence to the regulator of remediation of breaches. YakTrak is able to pull data logs out of the system easily to provide to regulators as required.
We needed to make a cultural shift to move away from measuring output to a behavioural approach. If the regulators came to us and said “show us your coaching evidence” we would be able to pull it out of YakTrak. YakTrak helped us build risk awareness.
– Leisl Banfield, Change Manager, Bankwest
Happy customers say cloud-based YakTrak is easy to use
In a recent survey of YakTrak’s customers across the energy and insurance industries, users were overwhelmingly positive about their experience using YakTrak’s people development software in the management of their business. Of the YakTrak users surveyed, 79.4% found YakTrak easy to use, and 63.2% said YakTrak had made their role easier.
YakTrak helps ERM while maximising performance
Legal and regulatory requirements are changing constantly. Software that evolves and changes as quickly as you do is imperative for risk management.
YakTrak is proud to say it’s not like other enterprise software systems. It’s easy to implement, simple to use and maintain, and cost-effective to customise. It’s safe and secure – with all data kept in Australian-based data centres or any international location as required.
YakTrak’s software system provides modules for people development (the base module), quality assurance, and conduct risk, as well as provision for data leakage protection.
Customised dashboards and reporting can provide executive line of sight for management across individual, team and company performance.
So what is the best strategic course of action for your entity to consider?
Consider your business’s online and customer processes, corporate strategy, audit trail needs and risk assessment requirements. Think about your current risk management practices. Make sure you support your teams and leaders with the right resources – including tools like YakTrak. Developing an ongoing enterprise risk management (ERM) system, with support services from companies like YakTrak, can provide robust insurance against the unexpected.