Sturdy
Businesses need to update their risk management approach Reuters

Traditional approaches to risk management are failing to meet modern requirements. In today's hyper-connected world, compartmentalising dedicated risk managers and restricting them to working in silos to identify and reduce risk seems counterintuitive. If we're all better connected and advocating for wider cross-collaboration, why are risk departments still largely disjoined?

Business evolution must go hand-in-hand with risk evolution

It's time for a change. As organisations evolve both digitally and socially, physical and cyber risks are multiplying. Given the high reputational and financial stakes, businesses need to realise the importance of fostering cross-departmental collaboration to identify and minimise a whole array of risk dimensions. From macroeconomic and political to sustainability, health and safety and data privacy, risks must be managed across the business, with every stakeholder on the same page. Currently, this isn't always the case and this is why we're seeing a move away from traditional approaches to risk management.

Let's place cyber risk under a microscope. Should it only be the responsibility of a CISO to manage? Simply, no. As almost every department uses technology and handles some form of data, the responsibility to manage cyber risk must be shared across the business. It's vital the whole business buys into that responsibility and understands its role in protecting the business against opportunistic cybercriminals. This is important as the shift to hybrid and remote working models combined with the adoption of new technologies and connecting IoT devices means more entry points and potentially more vulnerabilities to exploit. It would be simply untenable for the task of keeping critical data and systems safe to be in the hands of one person.

Bringing together disparate functions is critical to understanding interrelationships between different departments and identifying shared risks. Such a cross-divisional lens and the ability to connect the dots are essential to preventing the negative impacts of one risk on other business areas. It also ensures alignment between the identified risks and the organisation's strategy, helping to create a more dynamic and agile response to the changing risk landscape.

Risk management vs customer experience

The approach a business takes to risk management can have significant implications on customer experience and expectations. Thus, organisations need to consider how to strike the right balance between their decision-making when it comes to managing risks and meeting customer demands. With organisations increasingly adopting new technologies, data and cyber risk is once again a good example to illustrate the point.

Whilst some customers may want to see and feel the security layers, others might prefer priority was given to the product's usability, speed, or convenience. Most people are likely to be okay with layers of security in their banking applications to protect their money but may not be so accepting of the same protocols to watch their favourite films on streaming platforms. The trouble with getting the balance wrong in either direction is that businesses can risk either introducing unnecessary risks or losing their customers, or both.

In the area of Physical security, again we can see a divergence of approach. Physical security is at the top of the list for enterprises wishing to house their IT infrastructure in data centre colocation facilities like Telehouse. Customers want to see clear security measures such as access controls, perimeter fencing and CCTV and are happy to go through access control protocols to keep their equipment safe. But ask a customer of a retail shop if they want to have to go through an access control protocol to get into their favourite shop to do their weekly food shop, I suspect the answer would be no. A one-size-fits-all approach to risk and security management simply doesn't work.

Identifying new opportunities

Some employees might see risk management as an uncomfortable subject, and others as a scary necessity. However, neither has to be, if the discussions around risk management focus on the opportunities managing risk will bring. There are powerful conversations that modern risk management teams can help facilitate across their business and industry by being passionate, curious, and aware of the changing world around them.

For example, identifying ESG risks and action plans can actually help organisations gain a competitive edge. Given that they impact environmental management practices, working conditions and compliance with relevant laws and regulations, their significance cannot be understated. Business leaders tend to see ESG and sustainability risks as needing strict controls, as getting it wrong can harm their reputation. And in part, that's true. However, what many often fail to see is the opportunity to improve reputation, working practices and efficiencies, or even influence the regulatory landscape for the better. In turn, these can help differentiate the business from its competition.

Keeping progress whilst regulations lag behind

It's perhaps not news that current regulations are falling behind when it comes to risk management. Technology evolves much faster than regulators can keep pace with, which unfortunately can translate to a lack of clarity and divergent views. Delays in publishing guidance on how to safely implement new tools and not accidentally risk non-compliance can also cause confusion for companies trying to navigate the legal environment.

This doesn't however mean that we should slow down the adoption of AI or IoT until the legislations catch up. Quite the opposite. Embracing a more proactive and collaborative approach to risk management holds the power to accelerate legislative progress, without hindering the growth of individual organisations or whole industries. With most businesses now on digital transformation and innovation journeys, regulators consider how their input can impact projects and the realisation of tangible tech benefits across the entire economy.

Working across business departments and together with industry groups or even regulators, and abandoning the practice of siloed risk management, will help to change the perceptions of the legislative landscape and the effectiveness of risk managers. It will help guide more informed decision-making and make risk management more inclusive and less scary. As a first order of change, all businesses need to realise that risk management should no longer sit on the shoulders of one group – and further change will follow.

Read more
By Sarah Draper Sarah Draper

Sarah Draper is the General Counsel and Chief Risk Officer, Telehouse. She joined Telehouse Europe as General Counsel and Chief Risk Officer early in 2022. Qualifying as a lawyer in 1998, Sarah has worked on some of the largest transactions across the Central Government and the private sector during her career.

Sarah was promoted to Assistant General Counsel and latterly Director of Risk Management and Internal Audit during her time there and successfully created teams, established mentoring programmes, led on diversity and inclusion, brought teams together to drive the strategic objectives of the Company and latterly helped the Group navigate its risks and issues.

In Sarah’s current position at Telehouse, her primary focus is helping the company achieve its strategic vision and objectives whilst keeping it safe, ensuring legal compliance at a corporate level, maintaining various accredited business standards, and navigating all risk-related issues and opportunities. Sarah holds a Bachelor of Laws (LL.B) in Law from the University of Leicester and has completed the Executive Leadership Development Programme at Saïd Business School, University of Oxford.