Unlocking Success Through Effective Risk Assessment

Finance | 2024-01-21 | Oliver Wyman

© Oliver Wyman

EXECUTIVE SUMMARY

Boards and senior leaders are dependent on accurate, relevant, comprehensive, and comparable outputs from risk assessment programs to appropriately identify, assess, prioritize, and mitigate key risks to their organizations. While organizations have historically developed programs to assess both financial and non-financial risks, these programs were often developed in silos and therefore are not fully aligned. As a result, organizations face the following key challenges:

• Risk assessments fail to provide actionable information to mitigate risks and improve the control environment due to shortcomings such as gaps in coverage (leading to missed risks) or contradictory results (impacting the ability to interpret and act).
• Substantial inefficiencies arise in execution, review, and challenge of risk assessments due to both duplication of scope and inconsistent methodologies and definitions (employees must learn to execute multiple different risk assessments).
• Regulators increasingly scrutinize disparate, siloed risk assessment programs, and organizations struggle to articulate how to maintain a cohesive and comprehensive view of risks and the underlying control environment.

These challenges, and the resulting suboptimal outcomes, are driven by the myriad of different approaches taken across organizations to execute each dimension of a typical risk assessment program, including governance, inputs, assessment units, methodology, process, and outputs. A simple example of risk assessment misalignment is that siloed programs often lack common definitions for "High" vs. "Medium" vs. "Low" risks. As a result, we have observed situations where, for example, the same risk may be rated as "High" by a given program and "Low" by a different program, with limited justification for the disparity. In these cases, boards and management teams struggle to interpret and effectively prioritize investments to improve the control environment.

Given these suboptimal outcomes, leading organizations have started to take concrete steps to actively align the risk assessment programs, both for non-financial (including operational) risks, and where possible, for financial risks. However, risk assessment alignment must be carefully designed in line with leading practices to maximize the chances of success, particularly given the need to coordinate and generate consensus across multiple stakeholder groups in the organization, including Front Line Units, Corporate Functions, Risk, Compliance, and Internal Audit teams.

In the rest of the paper, we further detail the problem of misaligned risk assessments and propose a structured "tried and tested" approach to more robustly, and ultimately more successfully, align risk assessments. We summarize the approach through the following sections:

• The problem — we introduce the commonly observed problem of siloed and misaligned risk assessments.
• The cost — we outline the cost of the current state of risk assessments, including both limited contribution to risk management and the associated financial and operational burden.
• Call to action — we explain why there is urgency for organizations to align risk assessments and reap benefits including more useful results and reduced operational burden.
• What good looks like — we lay out the principles for effective risk assessment alignment.
• How to deliver — we describe our "tried and tested" approach that we have used to align risk assessments for a range of our clients.
• Conclusion — we summarize why now is the time for organizations to invest time and effort to align risk assessments.

THE PROBLEM

Organizations perform risk assessments as disparate, siloed point solutions

Organizations are currently performing many risk assessments across the universe of risks (financial and non-financial), both as key risk management tools and to comply with regulatory requirements. Banking regulators expect at least a Risk and Control Self-Assessment (RCSA) for non-financial (including operational) risks and a Compliance Risk Assessment (CRA) for regulation- and rules-related risks. Additionally, firms with footprints across multiple jurisdictions often perform other risk type- or jurisdiction-specific risk assessments (for example, for risks such as anti-financial crime, market abuse, conduct, fair lending, third party, information security, or privacy).

Rather than defining a strategic risk assessment ecosystem to identify and assess the universe of relevant risks, organizations have most commonly developed risk assessments reactively, in most cases to meet specific regulatory requirements or expectations. As a result, these risk assessments often were not designed in ways to effectively manage the universe of risks facing large and complex organizations, either by most effectively improving risk management or by fitting into the broader ecosystem of related risk assessments and risk management tools. Additionally, duplication, overlap, and inconsistency of siloed risk assessments often lead