As we move into the 4th step of ORSA implementation, Risk Monitoring, Control, and Action Plans, we begin to see the importance of adhering to best practices when executing Risk Culture and Governance, Identification and Prioritization, and Risk Appetite and Tolerances.
With the necessary structure in place to track and collect risk intelligence, the next step involves orchestrating a plan for improvement. Why is a plan for improvement so critical? Besides limiting the risk exposure of your organization, consider that under the SEC Rule Proxy Disclosure Enhancements, Boards of Directors and executive leadership can be found negligent for having inadequate or ineffective ERM programs. The caveat? Having a demonstrable plan for improvement can greatly reduce or even exempt companies from penalties under the Federal Sentencing Guidelines.
The Right Way to Monitor Control Activities
Boards and CEOs are depending on risk managers to monitor key risk indicators at the business process level. This can be accomplished one of two ways: Testing and Business Metrics.
Testing provides a high level overview of whether a control is occurring, usually in the form of a simple pass/fail. Testing does not, however, provide actionable steps to take in order to improve a mitigation activity. The result is that many organizations are only testing compliance with internal policies, which may or may not tie back to the specific risks that the policies were designed to mitigate.
Let’s consider an example. An Insurance Organization with an online customer service system is experiencing unacceptable downtimes, and the correct staff members never seem to be available to fix the problem. The organization implements what would appear to be a reasonable control activity by insisting that every member of the support team be trained to refresh the system. The company tests internal compliance with this policy by tracking whether the online training has been completed. Unfortunately, even if everyone takes the training, the company has no idea whether this control is fulfilling its purpose.
In testing compliance to the policy, the organization has lost sight of the risk. If they had tracked a business metric, like system downtime, they would have realized that the controls in place made no difference to the impact or likelihood of system failure. Business metrics may have indicated that the system was going down during peak usage hours, like lunch, when staff was unavailable. With no business metric tracking, the organization continued with a Band-Aid approach when money might have been better spent upgrading system memory.
Developing the Action Plan
To avoid this common pitfall, your key business metrics need to be aligned not only with the control activities you’ve designed, but the risks they were designed for. Keeping track of these linkages can be impossible with two dimensional spreadsheets, but is critical to monitoring the risks you’ve identified so that your action plans and control activities are meaningful and measurable.
As a risk manager, approach process owners in need of assistance with mitigation plans geared toward their most severe risks. As you develop actionable plans for improvement, don’t lose sight of the end goal or fall into the trap of testing controls rather than monitoring risks.