Boards and senior leaders rely on accurate, relevant, comprehensive, and comparable information from risk assessment programs to identify, assess, prioritize, and mitigate key risks to their organizations. While organizations have historically developed programs to assess both financial and non-financial risks, these programs were often developed in silos and therefore are not fully aligned.

This disconnected approach to risk assessment design has led to common challenges, including inadequate risk information, inefficiencies in execution of risk assessments, and resulting regulatory scrutiny.

Key challenges resulting from misaligned risk assessment programs

INADEQUATE RISK INFORMATION

Risk assessments fail to provide actionable information to mitigate risks and improve the control environment due to gaps in coverage (leading to missed risks) or contradictory results (impacting the ability to interpret and act).

INEFFICIENCIES IN EXECUTION OF RISK ASSESSMENTS

Substantial inefficiencies arise in execution, review, and challenge of risk assessments due to both duplication of scope and inconsistent methodologies and definitions (employees must learn to execute multiple different risk assessments).

REGULATORY SCRUTINY

Regulators increasingly scrutinize disparate, siloed risk assessment programs, and organizations struggle to articulate how to maintain a cohesive and comprehensive view of risks and the underlying control environment.

These challenges, and the resulting suboptimal outcomes, are caused by the various approaches organizations take in executing different aspects of a typical risk assessment program, including governance, inputs, assessment units, methodology, process, and outputs. A simple example of risk assessment misalignment is that siloed programs often lack common definitions for "high" versus "medium" versus "low" risks. As a result, we have observed situations where, for example, the same risk may be rated as "high" by a given program and "low" by a different program, with limited justification for the disparity. In these cases, boards and management teams struggle to interpret and effectively prioritize investments to improve the control environment.

Given these suboptimal outcomes, leading organizations have started to take concrete steps to actively align their risk assessment programs, both for non-financial (including operational) risks, and where possible, for financial risks. However, risk assessment alignment must be carefully designed in line with leading practices to maximize the chances of success, particularly given the need to coordinate and generate consensus across multiple stakeholder groups in the organization, including Front Line Units, Corporate Functions, Risk, Compliance, and Internal Audit teams.

In this report, we further detail the problem of misaligned risk assessments and propose a structured, tried and tested approach to more robustly and ultimately more successfully align risk assessments. The report summarizes the problem and our approach through the sections described below.

Summarizing the approach — addressing risk assessment challenges

THE PROBLEM: Organizations often perform risk assessments as disparate, siloed point solutions

Organizations perform many risk assessments across the universe of risks (financial and non-financial), both as key risk management tools and to comply with regulatory requirements. However, organizations have most commonly developed risk assessments reactively, often to meet specific regulatory requirements or expectations. As a result, individual risk assessments are often ineffective risk management tools, and duplication, overlap, and inconsistencies occur across an organization’s suite of risk assessments.

THE COST: Many risk assessments contribute little to managing risks yet organizations invest heavily to develop and execute these assessments

Despite heavy investments in development and execution, risk assessments often contribute little to managing risks. Common issues include misalignment between risk assessment outputs and Front Line Unit senior leaders’ perspectives on their top risks, as well as difficulty in interpreting and using results from misaligned risk assessments to enable management to effectively prioritize and allocate resources. These shortcomings create real costs to the organization, including both direct financial losses and reputational, client, counterparty, and regulatory impacts.

CALL TO ACTION: Organizations need to rethink the risk assessment ecosystem

Despite the material costs of ineffective and misaligned risk assessments, we often find organizations stuck in the status quo, continuing to expand significant resources to complete risk assessments that provide limited value. Given the regulatory, financial, and non-financial costs, there is urgency for organizations to align risk assessments to deliver improved risk management and efficiencies.

WHAT GOOD LOOKS LIKE: Organizations need to deliver a more strategic risk assessment ecosystem

While there is no one-size-fits-all approach to designing a risk assessment, we have identified key principles to apply in the context of developing a strategic risk assessment ecosystem and designing effective individual risk assessments. Most importantly, risk assessments must be designed with a “customer centric approach.” The true test of effectiveness is that end users, across lines of defense, view the risk assessment as useful to enable of better risk management across the organization.

HOW TO DELIVER: Oliver Wyman’s tried and tested approach to align risk assessments

Oliver Wyman has been supporting organizations to both reimagine the strategic risk assessment ecosystem and redesign individual risk assessments. We believe that a measured and carefully designed approach is critical to maximize the likelihood of successfully aligning assessments, given the large number of involved and impacted stakeholders. We have designed, applied, and refined a tried and tested seven step approach that has successfully delivered risk assessment alignment for a range of complex institutions.

CONCLUSION: THE BENEFITS OF RISK ASSESSMENT ALIGNMENT

We believe that there is urgency for organizations to begin the journey to aligning their risk assessments and achieving a strategic risk assessment ecosystem. The costs of misaligned and ineffective risk assessments are significant, and pose material regulatory risk. Through aligning risk assessments, organizations can better manage and mitigate the key risks they face and achieve operational efficiencies. As organizations begin this journey, it is critical to employ a well-structured, tried and tested approach to maximize the likelihood of success and protect against negative outcomes.