Gravity. You can’t see it, but it’s always there — and you could say the same about risk in business. Even if you can’t see it, you need to plan for it.
Businesses large and small learned about risk the hard way when the pandemic hit. Some businesses struggled to keep their doors open, while others were overwhelmed by new customer demand. There is even a risk in becoming essential! We cannot ignore risk any more than we can ignore gravity, so we must take measures to manage it.
When businesses manage risk properly, they can be prepared to respond to events of all kinds. “Risk management is meant to help leaders make timely and risk-informed decisions,” said Adam Ross, Grant Thornton Risk Advisory Services Principal.
“Risk management is not meant to slow down the business,” Ross said. “It's meant to help the organization achieve its strategic objectives and outcomes. It’s not meant to get to an answer of ‘no,’ but to help get to a thoughtful answer of ‘yes.’”
Effective risk management requires knowing your business inside and out, including the processes, people and policies, so that you can identify potential risk areas and create responsive actions to address them.
Supply chain and third-party risks top the list
Where do companies see the greatest risk? In a poll taken during a recent Grant Thornton executive forum on risk, attendees indicated that they see supply chain, third-party and compliance risks in almost a three-way tie.
The causes for risks can be complex and interwoven. “At the forefront, I would probably look at sanctions — and specifically the relatively new sanctions that were, and are being, rolled out against Russia and Belarus,” said Grant Thornton Risk Advisory Services Managing Director Sven Stumbauer.
“For sanctions compliance — and sanction exposure risk management — data is crucial,” Stumbauer said. To comply with sanctions against Russia, for instance, businesses need to determine whether they have suppliers, customers or other business relationships in the region. Even if an entity is not on the Office of Foreign Assets Control sanction list, the 50% rule says that an entity’s property and interests are blocked if it is directly or indirectly owned, 50% or more, in the aggregate by one or more blocked persons.
“If you think about a manufacturing company, you can see the practical challenges of determining the ownership of suppliers, customers and others, to avoid taking on potentially significant sanctions risk,” Stumbauer said. “Keep your data current and updated, because the sanctions lists around the globe keep changing on no preset schedule. You might be in the clear today, and subject to a change in the sanctions list tomorrow.”
Government sanctions and regulations can have an immediate effect on a company’s business partnerships, processes and supply chains. So, businesses must have a plan in place to pivot quickly in case of a disruption. No plan can predict every disruption, but a well-constructed and agile framework can help businesses deal with unexpected obstacles better than their competitors do.
Compliance, ESG and fraud
Government regulations can have a profound impact on business as well. While some businesses might not prioritize Environmental, Social and Corporate Governance (ESG) risks, they do need to prioritize compliance with the growing ESG regulations.
Grant Thornton Risk Advisory Services Managing Director Tony Yang noted that the SEC has proposed rules that push businesses to prioritize compliance in their environmental policies and actions. “Compliance risk management should integrate into the overall business planning and the strategic operations,” Yang said. That requires a risk management program that is both proactive and reactive. The plan must align risk management to support the overall goals of the company, strengthening its mission and vision. “I would say that more and more people are realizing that ESG and climate risk is an existential risk to the business, to the operations, and to the strategy,” Yang said.
Another trend to watch is the growth of fraud. “Fraud has been, and continues to be, on the uptick since the beginning of the pandemic,” Stumbauer said. He said that his experience has shown the importance of risk assessments that help businesses enhance their policies, procedures and the resulting internal controls. Stumbauer added that these assessments and the resulting risk management plans can help businesses maintain regulatory compliance and keep them from getting “in the crosshairs” of regulators or the Department of Justice.
“The biggest question from the board and senior management is generally ‘Are we putting our scarce resources to best use in the right places?’ If you think about fraud, anti-money-laundering, prevention, sanction compliance, anti-bribery and corruption, the answer is fundamentally a risk assessment,” Stumbauer said.
Identify your risk priorities
Businesses need to focus their risk management and resources in the way that most effectively addresses their unique risks. So, how do you identify and maintain your unique risk profile?
Grant Thornton Risk Advisory Services Principal Meredith Murphy highlighted the opportunity of monitoring performance, and changes in risk profiles, using the abundance of data that businesses gather internally and have access to externally. For instance, a business could analyze data about safety incidents in the field to help determine whether they stemmed more from a training issue or a management issue. That can lead to better decisions about how to mitigate or avoid risks. Tools like Tableau, Microsoft Power BI and Alteryx can help businesses organize, interpret, analyze and evaluate large amounts of information. “Try to select the data that is most directly from, and most relevant to, the business processes,” Yang said.
Apart from answering specific questions, your risk management plan must be agile enough to help you identify new priorities. “Companies are using data to build risk-sensing dashboards across compliance and audit activities. This allows for a risk-based allocation of resources in response to both actual and escalating risks across the business.”
Risk management touches all parts of a business, and many risk areas are related to different levels of company culture and performance. It’s important to look for correlations and dependencies in any risk assessment, to see if a targeted problem has caused other underlying issues.
That’s part of why effective and agile risk management practices drive organizational value in many ways. Ultimately, these practices lead to better-informed decisions that make companies better prepared to successfully address new issues.
Risk is unavoidable. So, the businesses that confront it with a well-planned and executable risk management plan will be the ones aligned for success.