The risk landscape of the modern business environment is constantly evolving, and companies need to maintain continuous oversight to deal with key risks that could threaten their businesses. Over the past decade, a number of highprofile corporate crises, many directly attributed to failures in risk management, have highlighted the extent of the problem. Notable recent examples include the collapse of UK construction giant Carillion and the cyber attack on shipping and energy company A. P. Moller Maersk. Corporate boards are demanding the ability to continuously monitor risk exposure, using metrics to assess, validate and verify whether risk is increasing or decreasing. In addition, companies stand to benefit financially from reducing their total cost of risk (TCOR).
Risk monitoring maturity
Risk management is a growing priority for companies across all sectors, not just in highly regulated environments. Senior leadership needs to better monitor risk to support improved decision-making, as well as to minimize the likelihood of catastrophic events with crippling financial and reputational consequences. This is not a task a dedicated risk function can manage independently of the rest of the organization, so a cross-functional approach at executive level is required to guarantee results. Additionally, there is a growing regulatory obligation on companies to make statutory disclosures about financial viability, solvency and liquidity in light of their key risks. This is coupled with pressure from active investors to provide evidence that risk management is reducing uncertainty and volatility, while improving confidence in financial forecasts.
However, there are shortfalls in the current risk management approaches of many companies that can leave them dangerously exposed. They either have no corporate-level mechanisms for monitoring and acting on risk exposure, or they gather relevant data but fail to develop appropriate metrics to support effective monitoring, control and timely remediation. These metrics can take the form of key risk indicators (KRIs), which can be used at all levels of management to measure the effectiveness of risk management strategies. Even when companies do employ KRIs, they frequently select inappropriate ones (for example, relying too heavily on lagging rather than leading indicators) or struggle to implement effective monitoring environments that will provide early warning when their risk management strategies are off track.