Professional Postgraduate Diploma in GRC – Masterclass Evaluation template for Executive Summary
Generali Group is a financial services organization that specializes in the provision of insurance services around the world; therefore, it is open to numerous global risks that can materialize in a wide variety of new and unexpected ways, thereby leading to severe legal and reputational ramifications for the company. The company has 420 subsidiaries in the United States, Europe, Middle East, Latin America, and Asia and employs more than 74 000 people, which means that it requires full GRC functionality that can guarantee holistic risk management (Generali Group n.d.).
GRC practitioners of any large enterprise functioning within a financial services setting have to recognize strategic risk as “a principal factor in the holistic management of risks” (ICT 2015, p. 1). By doing so, they would be able to develop and implement strategic risk management policies at the corporate level, which will help them to effectively mitigate the effects of exposure to uncertainties associated with the management processes and objectives of their companies.
This reflective journal aims to explore strategic risk management and highlight the importance of risk-focussed personnel for enhancing the competitive advantage of financial services organizations. The topic is of high relevance to me because by incorporating effective risk management practices into the corporate strategies of Generali Group, it is possible to improve the company’s tolerance to a wide range of threats.
Cross-contamination of risks
The first learning point from the Masterclass is that risks faced by companies providing financial services are often interrelated and can lead to cross-contamination resulting in severe consequences such as loss of reputation. GRC practitioners engaged in strategic risk management have to recognize the key areas of concern in order to prevent risks of multidisciplinary nature from crystallizing.
An ever-changing landscape of modern risks includes the following elements: macroeconomic, cybersecurity, reputation and brand equity, regulatory and legal, new technologies, business interruption, market developments, natural catastrophes, and financial crime (AON 2017; Griffiths 2017; ISO 2009). In order to effectively deal with these risks and prevent them from cross-contamination, GRC leaders create unique risk management ecosystems within their companies. According to a recent survey, companies spend on average 12 percent of their revenues on GRC activities (Grant Thornton 2016). The allocation of GRC costs varies greatly among companies; however, on average financial services organizations spend 28 percent of their GRC budget on financial risks, 27 percent on compliance risks, 20 percent on operational risks, and only 13 percent on strategic risks (Grant Thornton 2016).
Strategic risks are referred to as “the uncertainties and untapped opportunities embedded in a company’s strategic intent and how well they are executed” (Mohammed & Sykes n.d., para. 2). Risk-focussed personnel understand that such risks can spill over to all areas of a company’s operations instead of influencing an isolated business unit. Unfortunately, risk management is often conducted separately from frontline assessments of strategic nature, which means that organizations cannot follow a resilience imperative. Effective GRC strategies should not only include risk assessment, management of risks, control processes, and communication systems, but they also have to transfer risk decision-making procedures to the front line (PWC 2017). A recent study reveals that only 13 percent of companies lead risk decision-making from their first lines (PWC 2017). It means that organizations that are not capable of “aligning ownership of key business risks with ownership of risk decision making” (PWC 2017, p. 5) are more open to adverse results of cross-contamination of risks than their front-line counterparts.
Third-party governance and strategic risk management
The second learning point from the Masterclass is that third-party governance is an important component of strategic risk management. Outstanding GRC practitioners should know how to translate risks into business value. It can be argued that all risks have to be viewed as drivers of opportunity by 21st-century leaders (Grant Thornton 2016). Therefore, effective managers should opt for the holistic approach to risk, which will help them to devote maximum strategic attention to all business functions. This is especially true when it comes to gaining full visibility of risks associated with third-party actions.
The process of prudential risk management presupposes the control of third-party risks that can substantially damage the reputation of a company and compromise the continuity of business. Therefore, financial services companies willing to implement superior control systems minimizing their exposure to strategic risks should extend their regulatory efforts to third parties that include, but are not limited to, “providers of IT and supporting business processes, all contractors, marketing partners and agents, brokers, and franchisees” (Deloitte 2015, p. 6).
In order to avoid multi-million-dollar fines, GRC practitioners of financial services organizations should embrace new approaches to the safety of their enterprises. Third-party governance is especially important in the world of technology-driven innovations that create new risks associated with cybersecurity and big data. The need to mitigate technological risks facing third parties is highlighted by a recent report that indicates that cybersecurity is considered the most substantial threat to modern corporations (Kroll 2016). The report also shows that almost 60 percent of companies do not have effective protection against data breaches (Kroll 2016).
The third learning point from the Masterclass is that GRC practitioners have to be able to identify and properly analyze prudential risks (ICT 2015). By doing so, risk-focused personnel will secure the reputation of their companies, which is especially important in the context of the finance sector. The ramifications of the 2007 financial crisis have led financial services organizations to place greater emphasis on GRC activities (ICT 2015). The interest in prudential and conduct issues has reached its peak with the issuance of new policies and regulations by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) (ICT 2015).
No organization can ignore macro-prudential risks with impunity. In order to resolve issues associated with prudential stability, authorities apply macro-prudential regulatory tools that focus on the following elements of companies functioning on financial markets: capital adequacy, liquidity, asset quality, profitability, management performance, and sensitivity to systemic risks (ICT 2015). Macro-prudential policies exist in order to prevent intermediaries from externalizing the costs of their behavior, which might lead to severe consequences for a financial system. GRC specialists in organizations such as Generali Group have to understand how these tools and policies limit systemic threats. It will help them to reduce systemic risk contribution associated with the behavior of their companies. Other factors that should be of particular interest to risk-focused personnel include, but are not limited to, the balance of payments, exchange rates, GDP growth rates, and regional and international economic landscapes (COSCO 2016; ICT 2015).
Micro-prudential risks are another area of concern for GRC practitioners of financial services organizations. Micro-prudential regulation is necessary to limit systemic risks pertaining to the stability of an individual company. Even though the focus of policies aimed at the management of micro-prudential risks is an individual organization, these policies are often intertwined with broader macro-prudential regulations. These overlapping policies have to be understood by effective GRC leaders who want to increase the resilience of their companies.
Utilization and recommendations
In terms of the practical application of the key learning points described above, risk-focused personnel of Generali Group have to be cognizant of an ever-changing landscape of modern risks in order to avoid their cross-contamination. GRC practitioners of the company should create a unique risk management ecosystem that will help the organization to minimize the effect of threats associated with macroeconomic trends, cybersecurity, reputation and brand equity, regulatory and legal environment, new technologies, market developments, and financial crime, among others (Griffiths 2017).
To create an effective risk management ecosystem, the company should adopt a strategic top-down approach. Such an approach is only effective when it is aligned with a bottom-up process for operational risk management (GAD 2013; FRC 2014). Furthermore, GRC specialists of Generali Group have to clearly define the current level of the company’s risk tolerance and identify the consequences of bad outcomes. Risk tolerance analysis has to be regularly reviewed at board meetings. The board of the company should evaluate the likelihood of bad outcomes in order to make informed decisions. Such an approach to the decision-making process will allow greater focus on the most important areas of concern. All lessons learned from such reviews should be summarised in reports.
After conducting thorough research on the Masterclass topic, I have realized that effective strategic risk management can provide a company with a decisive edge. By reducing the harmful influence of strategic uncertainties, an organization can ensure that its reputation is not damaged by the actions of third parties as well as other unwarranted events. Now I know that strategic risk mitigation is the process that not only includes risk assessment, management, and control but also transfers risk decision-making procedures to a company’s front line, thereby fostering a high level of responsiveness.
AON 2017, Global risk management survey report, Web.
COSCO 2016, Enterprise risk management: aligning risk with strategy and performance, Web.
Deloitte 2015, Third party governance & risk management: turning risk into opportunity, Web.
GAD 2013, Strategic risk management, Web.
Generali Group n.d., At a glance, Web.
Grant Thornton 2016, Balancing risk with opportunity in challenging times, Web.
Griffiths, S 2017, Professional postgraduate diploma in governance, risk and compliance: masterclass 2: strategic risk management, International Compliance Training Ltd, Birmingham.
ICT 2015, ICA professional postgraduate diploma in governance, risk and compliance: course manual – module 3, International Compliance Training Ltd, Birmingham.
ISO 2009, Risk management—principles and guidelines, Web.
Kroll 2016, 2016 Corporate risk survey: trends in cyber security, fraud, compliance and Big Data, Web.
Mohammed, A & Sykes, R n.d., Sharpening strategic risk management, Web.
PWC 2017, Risk in review: managing risk from the front line, Web.