The words you use matter. When risk managers fail to establish a common vocabulary or create a shared understanding of risk throughout the enterprise, they undermine the impact and value of a robust governance, risk management, and compliance framework.
Effective Enterprise Risk Management must look across divisions and operations, and seek to balance a company’s growth all while protecting its business interests. It can be tempting for some business units to perceive risk management as someone else’s problem and a silo with its own nomenclature and methodologies. But this approach marginalizes risk management as an impediment or ancillary to the core business and nothing could be further from the truth.
This tension results in an incomplete understanding of the risks facing the business with the potential for real financial implications. When GRC professionals fall back on risk management language or technical jargon that business divisions do not clearly understand or share, stakeholders may fail to grasp the value or impact of GRC as a business driver, contributing to inefficiencies and suboptimal decision-making. Without a shared language, risk cannot effectively be managed.
Risk Management Programs Benefit from a Shared Vocabulary
According to PwC’s 2020 Global Risk Study, only 50% of companies felt they had the right data to anticipate and manage risk. Even within different GRC functions, companies lacked consistent language, data or frameworks to ensure the consistent assessment of risk across the organization. When a common risk language is not spoken universally within and across functions, organizations may misallocate resources or focus on lower priorities, missing valuable opportunities to generate revenue.
On the other hand, establishing a common risk language and agreed upon definitions is crucial for collaboration and resource allocation. Centering an organization on a common nomenclature around how risk is referenced and measured improves each stakeholder’s ability to understand potential risks. This shared understanding, in turn, allows for decisions that accurately reflect the impact on the business and align with companywide priorities.
A shared risk language also supports deeper collaboration. When everyone is speaking the same language, all stakeholders can contribute their knowledge and perspectives. Enterprise-wide inputs enable a GRC framework that’s more accurate and robust in capturing and managing potential strategic, financial, operational, and reputational risks.
Further, a GRC framework that consolidates the impact of potential risks into relevant and easily understandable metrics will be more broadly adopted and used. The risk management mindset no longer remains just the domain of GRC professionals, but functions as a business driver, as GRC tools and metrics have become critical to the decision-making process.
So how can GRC professionals translate their work into a shared risk language that is easily understood, supports collaboration, spans the enterprise and, ultimately, grants them a seat at the table?
Risk in Translation
In our most recent episode of the GRC & Me podcast, we interviewed Melissa Ryan, Principal and Co-founder at Asureti, to talk about just that: the language of risk and how a common vocabulary can help organizations embed risk assessment and management into the decision making process. This episode, along with her article Risk as Rosetta Stone, provides a roadmap for GRC professionals to translate risk into a shared language that recognizes the value of risk as a business driver.
Below we walk through the four key steps to universalizing and creating a shared risk language at your organization.
Agree on a taxonomy
A taxonomy is an identification or naming structure that provides a clear understanding of risk assessment, monitoring, and remediation. Essentially a common vocabulary, a shared understanding of the taxonomy across divisions is crucial to effective reporting and decision-making. A standardized taxonomy enables comparison across time periods, business units, and regions, enabling better analysis and decision-making.
Establish a common measurement and ratings system
Unlike the traditional, internal ranking of risks as high, medium, or low, a robust risk ratings matrix incorporates points of reference that are commonly understood across all functions. This may include financial metrics such as prospective cost savings, operational metrics such as potential downtime, or reputational metrics such as local, national, or global impact. By designing a risk management scale that uses common measurements and quantifies potential implications to the organization, priorities can be more easily identified. Risk management automatically becomes a key part of the decision-making process.
Employ a consistent companywide risk management framework
GRC professionals use a risk response framework in order to guide the process of managing identified risks. This may include metrics that identify when a risk is acceptable or when action must be taken. This same structure can be used more broadly across the organization. Identifying key, cross-divisional metrics and triggers for action or enhanced approval will facilitate faster decision-making while embedding a risk management culture.
Operationalize the framework through technology
No matter how consistent the taxonomy, measurement system, or framework, the information must be easily accessible to those who need it. Designing risk management systems and processes that consistently use the same risk language will ensure the systematic use of that data across the firm. Technology that incorporates this data and standardizes it across business units and regions enables more efficient resource allocation and faster, better-informed decision-making.
An effective GRC program must work to embed a common risk language throughout their organization. Whether to educate, persuade, analyze, or inform, GRC professionals can generate a deeper understanding of the value of their work and the additive role of risk as a business driver, (helping them gain a seat at the table).
Visit asureti.com to contact Melissa Ryan directly.