Risk Management’s Third Dimension: Velocity
The traditional way of understanding risk is to consider the likelihood of risks occurring and weighing their relative impact. It works great if there are just a few risks, and the organization can prepare for the impact of each one.
However, the world has sped up. Technology, digital transformation, IoT and social media have all contributed to the accelerated pace of change. Companies today also have distributed workforces and vendors all over the world. There are growing calls for consumer privacy and data protection, as well as the meteoric rise in IT, identity and third-party risk.
Traditional risk management can’t keep up. Risk management must evolve to be a valuable tool for organizations managing risk at the speed of business in the 2020s. The question is, how?
Add a third dimension
The new way of understanding risk accounts for the likelihood and impact of risks but also adds a third dimension: risk velocity. That is, the speed at which the risk is hurtling toward the organization. Its relevance is best stated by PwC’s directors’ bulletin, “Risk management at the speed of business.”
“Risk velocity measures how fast a risk can impact an organization. It is the time that passes between the occurrence of an event and the point at which the organization first feels its effects.”
By considering risk velocity, you can go from two-dimensional to three-dimensional risk management. You’re able to see and understand risks with greater clarity, which you can leverage in analysis and assessments. That data enables you to be proactive with controls, alert stakeholders, and brace for impact with business continuity management. It’s like getting an advanced warning.
Putting velocity into practice
Factoring in velocity provides risk management with valuable insights that become more tangible and real in practice.
Consider Gartner’s Top 10 emerging risks for first quarter 2019. It features everything from accelerating privacy regulation to global currency instability. However, viewed from the lens of the highest impact and velocity, three risks rise to the top: retaliatory tariffs/trade war, pace of change and business ethics.
Tariffs are disrupting the supply chain of many businesses in 2019. It’s a risk that’s already hit many organizations or is speeding toward them. It’s why Apple, Microsoft and other tech companies are requesting exclusion from the latest proposed tariff on tech products produced in China.
The pace of change has hit home with all businesses worldwide. Forbes calls the pace of change relentless and cites AI and Big Data as change agents.
Business ethics, the moral principles that guide the way a company behaves, is high velocity. One unethical choice by an executive can spread like wildfire, impacting the company stock price and upsetting customers.
To gain a greater understanding of risk velocity, consider a risk with a low velocity like a regulation that will take effect in three years. You still need to address the risk and prepare for the regulation, but it’s not a risk rapidly approaching and demanding preventative controls and a response plan.
Update your risk analysis
A good way to adopt velocity is to plot risks on a scale of 1-5 (low to high) based on likelihood and impact. That’s the traditional way of understanding risk, so it’s familiar. Now overlay velocity on a scale of 1-5 to provide another input on risks.
To derive value from risk analysis, multiply likelihood and impact’s numbers and then add the number for velocity. The higher the number, the greater the urgency to apply risk management tactics. The highest number is likely to occur, will be impactful and it’s quickly coming at the organization. Seeing it now gives you time to slow the velocity or to prepare when it hits.
To illustrate, compare a key supplier to a proposed tariff. Both present a risk to the company. If the supplier can’t deliver, you can’t serve the customer. The proposed tariff can make it cost-prohibitive to make or sell the product. The extra cost the tariff adds will lead to customer defection. While both impact the company in a similar way, they differ on the degree of impact, the likelihood and velocity.
The supplier has been with the organization for years. They’re practically an extension of the organization. It’s unlikely the supplier will change. Impact is minimized by the contract offering time to switch suppliers. It’s an ongoing risk, but it’s not fast moving.
In contrast, the tariff scores high on all counts—likelihood, impact and velocity. It’s likely to happen according to media reports. The impact is bigger because the tariff applies to all overseas suppliers. And once the tariff takes effect, the company will feel its effects immediately.
As Gartner put it, “organizations of all sizes should be wary of risks with high velocity, as they can cripple your organization rapidly if they were to materialize.”
As business has evolved, so must risk management. Today, business moves at breakneck speed, and technology provides the fuel to business and consumers. It calls for adding a third dimension, velocity, to risk management. By adding velocity to likelihood and impact, you’re in a better position to manage risk and take preemptive action.
NSCC members face a new compliance requirement: cybersecurity confirmation. It sounds easy, complete a form, but risk is high. Here’s guidance.
Compliance departments are seriously challenged these days. As business swirls in response to COVID-19, compliance has taken a back seat. That can lead to trouble—violations, fines or both—due to missing deadlines. Management, in a questionable move, may ask compliance to do something taboo. Instead of reading a half empty glass post designed to help compliance deal with these challenges, they instead get a half full glass post that is brimming with optimism for compliance’s role during COVID-19.
COVID-19 has pushed several risk disciplines into the spotlight, including business continuity, third party risk, cybersecurity, and data privacy. We’ll explore each one and deliver advice and guidance.