How to Make Sure Risk Appetite Is Aligned Across All Stakeholders
Supply Wisdom Team
Most enterprises are now leveraging third parties to play key operational roles. Third parties can drive greater efficiency, functionality and productivity often with much less effort and at a lower cost than a proprietary solution. Unfortunately, there’s a downside to third-party relationships, and that’s the inherent and potentially significant increase in risks that they bring to your organization. While risk mitigation is important, enterprises that run heavy on risk-avoidance behaviors, may take so many precautions that they fail to realize the benefits they seek. That’s why realization of your organization’s key strategic initiatives requires a third-party risk-management program that balances risk control with risk appetite.
What Is Risk Appetite, and Why Does It Matter?
Simply put, risk appetite is how much risk your organization is willing to accept to advance its strategic business goals. Most banking institutions, for example, take on additional risk by offering online banking options to their customers. Although, online banking adds a significant increase in risk related to cyberattacks and hacked client accounts, the added customer-service value of convenience and cost savings for the banks are sufficient to create an appetite (or tolerance) for this risk.
According to KPMG’s 2019 Enterprise Risk Management Benchmark Study, organizations cite practical applications of risk management as a top challenge. Deciding where to draw the line when it comes to risk appetite can be difficult, especially since risks vary based on the type of third-party solution and are continuously evolving over time. Additionally, different stakeholders inherently have different risk appetites.
Who Should Be Involved in Aligning Risk Appetite?
One of the first steps in laying the foundation for success is aligning risk appetite across all stakeholders. Take sales for instance, which is more likely to push the envelope on risk in favor of driving revenues. If they have a much greater appetite for risk than other stakeholders such as compliance and legal, the result can be internal misunderstandings and slow decision-making.
To minimize these internal struggles, risk-appetite conversations should involve the Three Lines of Defense, senior leadership and industry experts.
Three Lines of Defense
Based on a systemic framework for risk management, the Three Lines of Defense model involves three levels of defense against risks and threats within your organization:
Operational management who owns the day-to-day management of risk
Compliance, Risk management, and other control departments who support operations by setting goals, providing education about managing risk and facilitating implementation of compliant processes.
Internal audit who assesses the performance of other lines of defense and report on potential gaps that need to be addressed.
The highest-level decision-makers should be involved in setting risk expectations across your organization as they most likely will be held ultimately responsible for any issues that arise. Additionally, they may need to champion projects or implementations that involve taking on some risk.
Whether they are in-house subject matter experts, consultants or members of the third-party team, industry experts can help all other stakeholders understand in greater detail the actual risks that would be assumed under a specific third-party solution or relationship.
How Can Stakeholders Align on Risk Appetite?
Understandably, risk can be a topic that sparks controversy between stakeholders. For example, compliance’s risk-avoidance tendencies are often higher than those of operations, and, therefore, you can expect some friction between these areas. Some suggestions for productive risk appetite conversations include:
Involve enough people to get a full picture about the overall risk appetite of the enterprise. That means including all stakeholders in the discussion.
Ensure that your regulatory risk matrix is current. When expectations regarding compliance are clearly defined, it makes it easier for all stakeholders to understand where the lines are so they can manage risk while remaining safely within the bounds of the law and industry regulations.
Create or update your sourcing policy framework. Each stakeholder should understand the strategic goals of your organization and how much risk is appropriate in the journey to fulfill those goals.
Create rule sets for monitoring and managing risk. Focused on financial institutions, OCC Bulletin 2013-29 notes that the OCC expects banks to adopt an effective third-party risk management process commensurate with the level of risk and complexity of their third-party relationships. Tiering your third parties from low, moderate, high to critical- based on the risk their relationship poses to your organization is important to ensure risk management processes, including ongoing monitoring, are appropriate for each level of risk.
Set thresholds for reconsidering the risk. When aligning risk appetite, it’s important to remember that risk is not static. All stakeholders might be able to agree that using a certain third-party service app is worth the risks and can be appropriately managed at this point in time. But third-party apps get updated and relationships and risks change. It’s critical to create a plan with thresholds for reevaluating risks and also ongoing monitoring of risks to know when risks change.
According to PwC’s 2019 Risk in Review Study, organizations with the most dynamic risk-management, audit and compliance professionals are more likely to make better decisions, provide improved customer service, meet revenue-growth goals and have greater appetites for risk that let them achieve more in the future.
How Can Supply Wisdom Help Manage Risk?
Supply Wisdom is a real-time and continuous risk intelligence and monitoring solution. With the most comprehensive risk framework in the industry - more than 300 risk parameters are continuously monitored across 14 categories of third-party and location-based risks - you can be assured that you will know in real-time when risks for your third-party relationships change. Additionally, Supply Wisdom is a tiered solution offering appropriate risk coverage for each level of risk posed by your third party relationships - from low to medium too high to critical. By matching your third-parties’ risk levels to our risk monitoring tiers, your organization can monitor your third-party universe efficiently and cost effectively for risk.
Interested in learning more? Request a demo today.