Enterprise Risk Management: Risk Management Dashboards: Make Protecting Your People a Priority

Risk Management Dashboards: Make Protecting Your People a Priority

William Laurent, William Laurent, Inc.

Risk Management is now a top agenda item for corporate boards, even though there is not always a consistent and correctly structured approach to the handling of risk. As a premium component of corporate governance, the attention given to risk management topics will only increase in this century. Because of this focus, risk management dashboards are gaining prominence, as they attempt to tackle the many dimensions of business risk above and beyond the traditional areas such as legal, market, credit, and asset risk. Various industry studies show that most company boards have established risk policies and control mechanisms in place to oversee risk; after all, failure to properly mitigate and handle enterprise risk could mean the overnight destruction or collapse of an entire business entity. Yet, curiously, only about 25% of major companies have a functional “CRO” (Chief Risk Officer) title at this time (though in fairness, this number is quickly growing).

In the last few years, the historical means of managing risk, using primarily internal or subscription-based information sources, is quickly mutating; companies are concentrating more and more on what is happening outside corporate boundaries. For example, many large companies have special risk management teams that incorporate ex-government intelligence officials, or have agents “on the ground” in various geographical locales who are tasked with conducting threat assessment and risk-related research. Since 9/11, the experts in enterprise risk management are giving additional weight and scrutiny to considerations that are outwardly hostile in nature. For example, a study by ISMA (International Security Management Association), whose primary members are the chief security officers in large publicly traded companies, has listed their largest concerns as:

Business continuity
Employee safety
Property crime
Political unrest
Terrorism

The fact that an organization like the ISMA exists and is assisting legislative and regulatory bodies in an advisory capacity (and liaising with educational institutions) speaks volumes. It shows that executives, audit teams, regulators, and various risk professionals now want dashboards that track and manage risk around new classifications of exposures and threats to their companies’ and clients’ business viability. External risk factors are gaining credibility and attention with senior management, many of whom until recently have been solely concerned with more internal factors such as portfolio management. The good news is that from both logical and physical perspectives, many of the same frameworks to model and monitor risk used in the past can be leveraged to protect corporate assets and lives. However, an unfortunate obstacle for many companies wanting to begin (or improve) the risk dashboard development process may be procuring data that will help paint a holistic risk picture on an international level. In this case, as part of the dashboard platform specification and creation process, serious attention should be paid to potential sources of non-standard business intelligence needed for the dashboard to be fully functional—both initially and on a daily going-forward basis. Many times outside expertise will to be brought in to help educate companies on what intelligence is available in the international marketplace and how this information is not only critical to the success of the risk dashboard, but how it can help drive corporate strategy. According to Kirk Dauksavage, CEO of RiverGlass Inc., a developer of intelligent web monitoring software “The trend – or more, accurately, the imperative is the identification of relevant information from the WWW. Did you know that The Office of the Director of National Intelligence has referred to the Internet as ‘the source of first resort’ and estimates that upwards of 95% of the information required for guidance of our national policy is available in open [web] sources? Just imagine the edge companies gain if they can put the power of the Internet to effective use in their risk and threat mitigation efforts.”

Although corporations sometimes have a reasonable understanding of which of their physical assets may be exposed to excess risk, they seldom apply the same sort of diligence to their employees. Ironically companies usually expend far more time and energy (through background checks, drug testing, enforcement of stock trading policies, etc.) limiting the potential liability that may result from the actions of employees, rather than actually protecting their well-being when they are traveling into a potentially hostile environment. Company travel intranet sites are a good start; nevertheless, these sites need to become more integrated with corporate security departments to include dynamic travel advisories for employees, whether they are on business or vacation travel. Political and geographical threats mutate and evolve, as do those related to corporate espionage and sabotage.

Best practices and feature sets of such risk dashboards will provide:

Clear lines of accountability and responsibility in risk identification and mitigation

Robust reporting of risk, based on a system of alerts and thresholds

Risk score carding and risk intelligence hierarchy creation

Clear definitions of each dimension and category of risk

Ability to collect and make sense of unstructured and internet-based data elements

Incident command and response functionality

Calendaring and notification of special political events, protests, and more

Means to track risks over time

Virtual data integration and federated queries

Corporate executives and senior managers have an ongoing need to make informed decisions on the travel and living logistics of their expatriate employees and themselves. Risk perspectives change when people’s lives are considered! Having an intuitive and graphical interface that can qualify and quantify such hazards greatly limits corporate liability and while increasing resource stewardship and employee loyalty. In a theme similar to that implemented by the U.S Department of Homeland Security, a series of color coded risk thresholds should be implemented in order to visually categorize travel risks from a high-level:

Low (Gray/Black) : No credible threats; continue to monitor and report on threats or vulnerabilities
Minor (Blue) : Low overall threat levels although some risk is present
Medium (Yellow) : Specific and credible threats; proceed with caution
High (Orange) : Imminent threats reported; proceed with utmost trepidation
Critical (Red) : Incidents in progress; suspend all travel activity to location

Graphical “heat maps” that show levels of risk exposure across geographical regions would accompany such information along with an automated system of alerts and notifications tied to threat level categorizations. Such functionality can embed voracious accountability into not only risk management processes, but also day to day operational processes. All companies need the ability to better discern how risks to both business capital and employees can be minimized. The reality is that political instability and natural disasters are dynamic and unpredictable, and threats to business continuity lurk everywhere. We must remember that risk management applies to all aspects components of the business, including its most important resource—its people. And thinking of risk in geographical and geopolitical terms is here to stay.

From a higher level, a new generation of BI platforms are being developed with risk management as their primary focus, supporting a larger function of corporate governance. Such platforms should be able to gauge and report risk at various minutiae in real-time across all geographic regions, no matter how a business’s organizational silos are structured. Globalization has required a paradigm shift in how we think of and visualize risk. As our notions of risk become more sophisticated, so do the platforms used to manage risk: senior managers now seek to be educated about risk from one central repository or portal from which responsibility accountability for risk mitigation can be delegated. This has created an exciting new opportunity in business intelligence—the creation of risk intelligence hierarchies (RIH) which will help pinpoint flawed policies or operational issues where things and people are in danger, and assess the likelihood and consequences of such dangers. Once the leading indicators of corporate risk are understood, it is much easier to embed controls in business processes to reduce risk, with all the auditable metrics and KPI you come to expect from a real-time BI dashboard.

For more information on William Laurent please visit www.williamlaurent.com