Authored by: Michel Feijen, Managing Director, APAC, MetricStream

EY foresees Asia as a powerful engine for innovation that will account for around half of global consumption in the coming decade. But Covid-19 caught many organizations in the Asia Pacific region off-guard, and the health crisis soon turned into an economic one. According to an IDC report, infrastructural issues continue to plague organizations, people, and processes across Asia. Compounding this is the fact that authorities across the region are presently adopting operational resilience approaches focussed only on the financial aspect and not beyond. It is time organizations in Asia Pacific revisit their strategies and start looking at risks holistically. Likewise, businesses across the region must rethink their approach to evaluating inherent and residual risks as well as the effectiveness of their control environment.
 
Risk and Control Self-Assessment (RCSA) practices provide organizations with the ability to assess key operational risks and the effectiveness of controls that address those risks. Typically, a good RCSA approach could address many of the risk and resiliency challenges many businesses in Asia are facing. Unfortunately, traditional RCSA approaches are fraught with issues that inhibit full visibility and assessment of operational risks, provide a narrower view of risk posture, and constrain identification of control deficiencies. Because of this, we recommend a different approach for the distinct challenges Asian businesses are facing.
 
Achieving Harmony between RCSA and Business Strategy

According to a PWC survey of Asia Pacific CEOs, the lingering impact from the pandemic ranks as the top priority for 58 percent of the 1,618 respondents in the region. This was in contrast to global CEOs, who list cyber risks as their most pressing concern. Cyber risk was still the second-most prioritized risk in Asia Pacific while macroeconomic volatility was third.
 
These high-velocity and systemic risks can move under the radar when performing RCSAs in an inconsistent fashion, hampering an organization’s risk visibility and its ability to proactively manage risks.  Too often, RCSAs become a checkbox exercise conducted every now and then, circumventing their intention of honest evaluation of risk readiness and resiliency. The truth is, a modernized RCSA program helps ensure resilience and business continuity, which further strengthens and reinforces operational risk management best practices, while aligning it to strategic goals. It empowers risk managers to analyze RCSA results through the lens of organizational risk appetite, tolerance, and focus on holistic risk and key controls. As a result, businesses gain the ability to strategize, plan, and optimize resource allocation and utilization if and when a risk event occurs.
 
On the other hand, a technology oriented, continuous approach to RCSAs provides a real-time view of operational risks, empowering risk managers to verify the implementation of actions undertaken by identifying weaknesses and insufficiencies in the program. In turn, organizations can adapt and improve the effectiveness of associated controls, while saving time and effort.
 
With more readily available information on risks and controls, business agility is no longer out of reach, and better-informed decision-making no longer a pipe dream.
 
Quantifying Risk Via Integration

Asia Pacific organizations must stop viewing risk in isolation. Common but a flawed risk assessment practices that are still prevalent include a siloed approach that only focusses on distinct events. As if risks never evolve in isolation. Hence, it is important to understand and assess the interdependencies between risks and the effect of cluster events. Interconnected risks, if not assessed in a timely manner, can lead to drastic consequences for organizations.  An integrated RCSA-approach helps to map risks, business processes, assets, controls, and objectives, ensuring the complex risks of today are not beyond reining in.

An integrated approach also limits ambiguity by facilitating quantitative risk assessment and analysis. For instance, qualitative measures do not explain the whys and wherefores, due to pre-conceived bias and (mis)perception.
 
On the other hand, a quantitative approach associates a monetary or financial value torisk, ensuring the risk exposure can be interpreted by all, allowing timely action to be taken. Ultimately, a combination of both is the best way forward, but it requires businesses to leverage modern software solutions with advanced risk quantification capabilities.
 
With the pace of digitization today, agility and speed are driving the game. Managing today’s high-velocity, high-impact risks, requires advanced technologies that automate risk workflows and uncover real-time insights. The potential value this offers for empowering risk professionals to spot gaps, in a proactive manner cannot be overstated. Data analytics along with visualization tools further enhance the ability of risk managers to quickly understand the organizational risk posture, perform trend analysis, and prioritize actions.
 
However, the matter goes beyond just keeping up with the risks and avoiding the pitfalls of complex digital deployments. The present moment can seem daunting, but companies can position themselves as trailblazers and gain a competitive edge through their ability to thrive on risk. Harnessing solutions that comprehensively spell-out the organization’s risk profile and tolerance, as well as appetite to take on risk, can help modernize risk management. As a result, organizations gain real-time risk intelligence and improve agility and resilience.