The first iPod was released by Apple in 2001, and with it came an unprecedented freedom in personal music. In the 18 years since, we’ve seen the iPod’s central concept become the norm: the idea of creating a technology that could automate, personalise and ultimately improve lives by granting unlimited access to our favourite albums wherever we went. This is now standard across all media (film, literature, gaming, radio, see: podcasts) and has eventually trickled down into our lives, becoming the quiet or vocal sidekick, depending on what volume your Alexa is set to, that we rely on for much of what we do.
Technology has blurred the lines between our personal lives and working lives so dramatically that they often look like the same thing. Take email, for example: our personal inboxes are flooded with promotional emails from brands, and then we’re reading and writing emails all day at work, to the point where it has become the bane of our working lives. The advent of ‘big data’ and the use of the cloud mean we have more storage for information, but they also bring serious security concerns. This convergence of events presents a critical question: can we still manage risk using pre-digital processes?
Traditional risk management, like the traditional work environment, is very contained in its thinking. The ‘risk team’ usually sits at the centre, where it aims to understand some pre-defined risk categories and creates processes by which the wider business feeds back into the centre to prove compliance. These ‘compliance’ checks tend to be pushed out to other teams in the business, reinforcing a silo-driven mentality and ultimately leading to a misunderstanding of the impact of risk on business performance.
When the ‘rise of the regulators’ is added into the mix, we see more and more procedures being pushed out into the business. Critically, the business often has little understanding of why it is completing these compliance tasks, other than that the risk team mandates them to provide assurance to the regulators. In recent years, additional regulations have hit businesses, which is no bad thing, as it forces firms to be more accountable. However, what’s happening is that a series of compliance checks is created that ironically distracts teams from the regulation’s core function: protecting and serving the end customer.
At best, this drains resources from improving the business. At worst, teams try to bypass the compliance checks or controls, increasing the potential for things to go wrong.
This practice of asking teams to provide feedback on whether they comply with centralised risk controls forms the basis of traditional, linear and centralised risk management.
There is yet another layer to this. In the wider world of risk management, teams traditionally work in isolation, which again leads to potentially game-changing risks being missed.
If we take a step back and ask ourselves ‘what are we trying to do through managing risk?’ and ‘what are we trying to protect?’ then we can see the need for a new way of working.
The time of all-in-one solutions has gone. The landscape has moved even further than a matrix environment: we are now facing a ‘labyrinthine’ landscape with entrances and exits constantly shifting, forcing us to grow and become adept at viewing risk from all angles. It is critical to be swift in responding to potential threats and even faster to recover if a risk materialises and causes us an issue.
At Communisis, we achieve this by working together across teams and business functions. Maybe unusually for a company like our own, each area identifies and manages their own risks. Then there is an overarching risk process that is aggregated across the business, to ensure that we’re focusing on the right things. People are our greatest asset, particularly when spotting potential risks, but the old methodologies have limited the scope of risk identification. That’s not to say there should be no boundaries, after all, you can’t go off-road if you don’t know what the road ahead looks like. But with the right tools and understanding, the whole business can identify potential issues and help implement improvements.
To achieve this, the foundation of subject matter expertise needs to change as well: risk professionals need to work together and provide the toolsets to empower the whole organisation to understand what threats it faces. With the new, digitally empowered consumer, more and more channels open while none close. This new paradigm aims to focus on resilience while combining risk thinking to gain better insight.
Rather than working in silos, Communisis has merged our risk SMEs into one team, bringing together Data Protection, Information Security, Operational Risk, Business Continuity and HSE.
Initially, this may feel overly complex, like the digital labyrinth environment. But if you view the teams as a Venn diagram, new understandings come from the overlaps, creating exciting insights and greater simplicity for a stronger, more sustainable business.
An example of this is where we recently combined the audits for the information security and business continuity standards ISO 27001 and ISO 22301.
The auditors had ‘never seen this approach before’, and it unearthed exciting overlaps, proving the value of this method. It adds a new depth to our understanding, improving controls in these areas as a result.
Bringing forward this culture of unified risk management aims to boost resilience and, in turn, creates a more sustainable business with greater potential to grow. So, for us to achieve this, we must support and inspire the teams to continue their learning.
Knowledge is only power when shared. Ensure that each area has responsibility for its own controls, but start simple and add layers if stronger controls are required. Critically, common-sense practices are a good place to start.
Why is it important for us to manage our risks effectively? It comes down to trust: any business needs the consumers it serves to trust that it will do a good job and provide what is required, when it is required. This can be achieved by being resilient. Most people accept that things can go wrong, so it is essential that the risks are fully understood: not just managing blind compliance, but proactively using that risk knowledge to build resilience into everything we do. Then, in the event of an emergency, we retain the trust of our customers because we recover quickly.
In conclusion, effective risk management in a digital world requires unified teams with outcome-based thinking. Reducing pure compliance and focussing on proactive resilience will support sustainability and growth, but to do this, risk processes must be understandable, layered and relevant. Never forget that knowledge can be power if you share it and encourage others to use it themselves.