We work with many fantastic organisations, helping them better embed risk management in their businesses. Thinking through what the next developments could be in risk management, we consider whether real time Risk & Control Self Assessments (RCSA) are even possible and if they are, whether they would add value.
From a technology perspective, the Wealth Management industry is shifting – there is far more integration between systems and providers, with the ability to obtain and share data across different systems and technologies. Would it be possible to have a fully integrated risk management system, where control failures and incidents could be directly identified and populated into the risk management system? Something that has actually happened, such as a risk event, is far easier to build rules around: it is binary, and thresholds could be applied. It could be that this kind of data could be mapped or matched to the risks and controls in an RCSA to determine the impact/likelihood. But programming “judgement” into a system is more complex (robo advice being a perfect example of how challenging that will be).
The fact is, risk requires judgement. Therefore the concept of a “real time” RCSA is that it is more dynamic and adaptable to the changing risk conditions of a business. For many businesses, the RCSA sits off to the side of any other reporting and operational monitoring. Risks are updated every 3 to 6 months and only revisited in that reporting cycle. The contents remain fairly static. However, do risks really vary so much that real time is even needed? It will obviously depend on a number of factors, including the type of risk. Is it the controls and actions which are more dynamic? Those are the areas which need to be more real time and should then feed into what the risk assessment should be, i.e. if there is a control failure, or a management action is late or not completed, does that have an effect on the overall impact of that risk?
So perhaps it’s not the risks that need to be more dynamic; it’s the information that should be readily available within a business, which feeds the RCSA, that could be more integrated – instead of these pieces of information having to be manually collated and input, could they not be fed into the risk management system automatically and linked to risks directly? Control failures, issues, breaches… all of these pieces of information, in theory, can be programmed, with thresholds. Probably not that straightforward though – given risk is mainly judgement, how would these pieces of information link to different risks? What if they impact more than one risk? What if there isn’t a risk to link to? And then it just feels too complicated.
I’m passionate about keeping risk simple and for risk to add value to a business. Risk management needs to be proportionate to that business, the risk management framework needs to utilise existing and readily available information, the risk outputs need to help the business – inform decision making, identify areas of focus, identify control remediation, identify areas which don’t need any attention! In my view, a risk framework has now become too prescriptive, which doesn’t allow for proportionality or judgement. Risk is common sense. And if you think about it, if an RCSA is truly adding value, then it should be “real time”, regardless of technology.
What do you think? Is risk still a tick box? How can the RCSA process add more value to a business? What do you think the next big development is in risk management?
If you want to talk to us about your business’s risk management framework or control environment, then contact us. We’re experts in bringing practical risk management to life, embedding it within businesses in a pragmatic and easy to understand and interpret way.