Coronavirus exposes outdated risk management practices: Gartner

Organizations’ current approach to risk governance is not sufficient to tackle the complex risk environment organizations are facing today, according to Gartner. The COVID-19 pandemic is just the latest in a line of recent risk events showing how organizations are not properly set up to manage risk, especially fast-moving ones.

Gartner research showed that 87% of audit departments say their organization uses “three lines of defense” (3LOD) model for risk governance. This model states that line management should act as the first line of defense, identifying risks and implementing controls. Risk and assurance functions such as legal, compliance and Enterprise Risk Management (ERM) should act as a second line, overseeing and monitoring risk management processes. Finally, internal audit should act as a third line, taking a birds’ eye view of the effectiveness of controls and risk management.

“The response to the coronavirus pandemic is a perfect example of when the 3LOD and traditional risk governance don’t work very well,” said Malcolm Murray, vice president and fellow, research for the Gartner Audit and Risk practice. “Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks. Pandemic is a rapidly developing type of risk that needs a dynamic risk governnance (DRG) set-up.”

“The coronavirus pandemic demonstrates why organizations need a new approach for governing the management of the many complex risks they face in today’s world,” said Murray. “Adopting the DRG principles helps organizations ensure they have the appropriate governance for different kinds of risks, with the right kind of risk management activities and the right people involved.”

Dynamic Risk Governance

The effectiveness of DRG was measured in a Gartner survey to over 200 organizations, looking at whether traditional or dynamic approaches to governing risk management led to better risk management behaviors and better risk outcomes. The three pillars of DRG each increased the occurrence of high-quality risk management behaviors:

Risk-tailored governance (18% increase)

The governance model should depend on the risk’s speed, the organization’s risk tolerance and internal constraints rather than relying on a one-size-fits-all level of scrutiny, such as centralized oversight for all risks or models based on industry norms. Corporate leaders should have the final say here, because the governance model should be determined based on the company strategy. A benefit of placing this authority with senior management rather with than the board and the assurance functions is more rapid response. These top executives can take faster action.

Activity-based risk governance (22% increase)

This means dispensing with the idea that only the first line owns all risk activities, and assigns accountability for risk management tasks without regard for the borders between first/second/third line. Senior management – not assurance functions – should determine who will decide the task owners for a particular risk. For some risks, it will not matter which exact function is accountable for each activity – as long as there is specific accountability assigned.

Digital-first risk governance (18% increase)

This means considering digital solutions during creation of the governance framework for the risk, not as an afterthought. For instance, if large parts of the risk management can be automated, then fewer functions need to be involved.

When looking at the risks related to the coronavirus pandemic specifically, adopting the DRG principles is beneficial at all three stages of dealing with the risk – response, recovery and restoration. For the first stage, adopting DRG means quickly identifying who in senior management should own the governance of the risk and quickly setting up an initial governance model that considers the fast speed of the risk. It means identifying the key risk management activities for this stage of the risk and assigning clear accountability for these to appropriate parties.

In subsequent stages, when attention shifts towards recovery and restoration, applying the DRG principles allows organizations to regularly revisit whether the risk is governed in the right way. Once there is more visibility to the path of the risk, additional risk management activities can be added, such as adding a focus on monitoring the risk and assessing longer-term impact.

“This isn’t just about risk managers, this is about the board of directors and senior management making risk governance a key consideration so that organizations become more resilient against fast-emerging risks, such as coronavirus,” said Murray. “The DRG methodology applies equally to the many fast-emerging risks presented by digitalization.”