The 2021 risk report from The Institute of Risk Management South Africa (IRMSA) highlights the extraordinary times we are living in, where uncertainty and existential threats have taken their place alongside more familiar problems, according to Sean Pyott, managing director at Thryve.
In the report, IRMSA discusses its call to action under five headings:
- Integrating strategy, risk and resilience
- Adaptiveness and agility
- Beyond the risk register
- Risk culture and maturity
- Leveraging the risk professional.
Mr Pyott said: “Strategic decisions are about making decisions in a context of uncertainty, but companies are often neglectful of strategy. They excel at developing and deploying strategy, then find evaluation and changes to strategy as too taxing or destabilising. This is partially because strategy does not use risk to its advantage, as risk is often in the back, softening blows to the company.
“But suppose we accept that risk is also about identifying opportunity (manifested in sense and respond risk management). In that case, the relationship between risk and strategy becomes clear – and the outcome of that relationship is resilience.”
When it comes to adaptiveness and agility, Mr Pyott suggested: “Even before the pandemic, organisations already faced a substantial threat. Digital transformation and digital disruption already began separating the future’s winners from the losers. In some ways, all the pandemic did was bring this reality home to roost much sooner. All those companies that could adapt to work-from-home cultures quickly were investors in some level of digitalisation, forcing them to be more agile and adaptive.
“Digital technology adoption is key to this as it reduces costs and improves efficiencies, such as through process automation. But this is also a question of company culture – agile companies require a mindset that will make them competitive for the future. That mindset will come from integrating risk and strategy.”
A risk professional can often feel like a waiter at a high-end restaurant, he said. “There is so much they could tell you about the meals and beverages, but patrons gruffly just refer to the menu and send the waiter on their way. Risk professionals can have similar anxiety whenever the exco or board reach for their risk register.
“A risk register is important but also one-dimensional. It records visible and often run-of-the-mill risks, yet doesn’t reflect the many other ways the risk profession can help organisations make the right decisions in time.”
Mr Pyott added: “Risk registers also encourage risk silos and permit many people to think risk is someone else’s problem. That may cut it for reactionary risk. But the world today needs proactive risk management that has champions across the company and informs stakeholders in near real-time.”
However, risk is not solely for the risk department, just as company computer systems don’t exist only for the IT team, he said. Both are a means to an end – the end being to enable individuals and help them run a successful company.
“Traditional business culture has separated risk from the rest of the business and created a silo for it,” he continued. “Perhaps it was too technical or cumbersome to bother the average employee with. Yet, that has changed on three levels. First, today’s world moves too fast to leave risk in a silo. Second, that pace means employees will benefit greatly from engaging with risk-based thinking and processes. Third, modern technology makes risk management much more accessible, even to laypeople.
“At the very least, an organisation should assign risk-related responsibilities and roles across the company, backed by a well-articulated accountability framework.”
Finally, said Mr Pyott, risk managers must remember these calls to action are not isolated. “They are all different dimensions of the same central argument: risk management needs to be expanded, made accessible, and empower everyone strategically,” he stressed.
“Central to this view is the narrative that the skills of risk professionals are woefully underused. Fortunately, the pandemic has given many companies reason to expect more from their risk people. In this spirit, IRMSA calls on the industry to focus on developing more risk professionals, as well as to spread the risk competency into other areas. For example, many business degrees still offer little to no attention to risk management.”