According to its dictionary definition, the word risk means “danger of harm”. However, many sources in today’s business world define risk as “the effects of uncertainty on goals”. The main reason for this difference is a change in the business world’s perspective on risk. As risk management techniques have developed, it has become clear that risk does not only mean harm. With this change of perspective, merely avoiding harm has no longer been enough for companies; they have tried to make creating benefit, while still avoiding harm, part of their culture. Organizations that have managed to establish proper risk management have indeed benefited by going beyond avoiding harm.
So why, despite this change of perspective and despite being aware of all this, do many companies still not get enough benefit? There are two simple reasons: the subjectivity of risk perception and the failure to adopt risk management. To detail these two reasons:
- Risk is shaped by a person’s feelings and experiences as it passes through that person’s perception filters. In other words, how large a risk appears to us is determined by our experience and perceptions. Risk itself is therefore objective, but the perception of risk is subjective. An example: is the probability of an earthquake the same for two people living in the same city, in the same apartment building, on the same floor? Yes. Since they are in the same building, the condition of the building is the same for the two neighbors. Moreover, given that they live on the same floor, is the effect of a possible earthquake the same? Yes. However, depending on the experience or personal judgment of these two people, their perceptions of this risk may differ. Can we expect a person who has lived through a major earthquake and a person who has never experienced one to have the same perception of earthquake risk? No.
Not only past experience but also personal feelings and thoughts can undermine the objectivity of a risk. For example, when the risk management department reports a risk it has rated as high, the biases the process owner holds toward the people who reported it and set its level make the risk subjective. More decisively, the human relationship between the person the risk information comes from and the person who receives it can steer the recipient’s perception of the risk toward excessive confidence or excessive distrust. In other words, an employee’s excessive trust in the people in the risk department obscures the objectivity of the risk by making that employee feel less concerned about it. Conversely, a person can just as well overshadow the objectivity of a risk by ignoring the words of people he/she does not trust at all, and so prevent risk management from being carried out in a healthy way. The human biases described in Daniel Kahneman’s bestselling book ‘Thinking, Fast and Slow’ could be explored with many more examples. However, confirmation bias is a particularly apt example of why a person cannot be impartial in this respect: a person favors information that confirms what he/she already believes, and tends to perceptually ignore thoughts that differ from his/her own. This proves that people’s perceptions cannot be objective.
- The failure of the entire organization to adopt a risk culture is the source of most risk management problems in the business world. Business owners in companies that have not been able to create a risk culture think that risks are not their problem. In short, they perceive risk management as the job of the risk department or internal audit. As long as a business owner considers the risks to be the responsibility of the risk department, he/she cannot demonstrate the necessary competence in risk management; in fact, he/she is cutting off the branch he/she is sitting on, because the risk management department’s assessment of the risks and the actions it determines make that business process much more efficient. If, however, a healthy risk culture is adopted by the entire organization, business owners will also approach the risks of their own units with a more objective perception and contribute to the proper execution of risk management throughout the organization.
The two main problems explained above are largely caused by human perception. So how can we get ahead of these perceptions and make them objective toward risk? By mapping risks to up-to-date and accurate data and providing business owners with more concrete information. The main instrument through which this information and data can be tracked automatically is the Key Risk Indicator (KRI).
SAP GRC (Governance, Risk, and Compliance) is technically compatible with any system (web services, small or large-scale software, etc.) without restriction. The connections it can make allow instant, up-to-date tracking of KRI metrics (Figure 1). This lets organizations manage their risks better by monitoring them continuously and by assigning automatic actions to the relevant parties when risk levels exceed predetermined thresholds (Figure 2). Automatic tracking of KRI metrics will upgrade risk management in many ways, but for this to work it is necessary to make sure the data are accurate: once the entire system is automated, it is the KRIs that drive its execution. Easy tracking of KRIs through GRC may seem a minor advantage, but it is in fact very important for creating a risk culture within the company. Each employee can monitor the risks in their business unit and the metrics associated with those risks daily, and can receive notifications when these risks reach certain levels, with more than one threshold value to be defined (Figure 2). Being guided by KRIs and their alarms, whether they want to be or not, maps employees’ risk perceptions to metrics and lets them look at risks more objectively in light of the data. In this way, the process owner is detached from personal experience and perception and freed from the perception that the risks are not his/her responsibility. On top of that, these KRIs are directly linked to the targets of the relevant business units or the organization and contribute to achieving them. Thus, the process is improved.
The yellow line indicates the first threshold value, and the red line indicates the second threshold value. The blue line is the automated monthly KRI line.
As an example, a company’s receivable (credit) limits can be shown. In this image, the first threshold value is exceeded when the credit limits reach 90%, and the second when they reach 100%. As can be seen, the credit limits have not yet reached the warning levels.
Threshold values, determined according to the company’s risk appetite, play a big role in the automation of KRIs. The system offers many automation options, such as sending notifications, triggering a risk assessment, or assigning automatic actions to the relevant people.
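As an added illustration (not SAP GRC’s own code or API), the following Python sketches how a two-threshold KRI such as the receivables example above can be evaluated: each month’s credit limit utilization is compared against the yellow (90%) and red (100%) lines, and an automated action is raised only when the status changes, so owners are not re-notified every month for a condition they already know about. The threshold names, the action labels and the monthly figures are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    name: str      # e.g. "warning" (yellow line) or "critical" (red line)
    level: float   # utilization ratio at which the threshold is reached
    action: str    # automated response assigned when the threshold is crossed


# Thresholds from the page's example: yellow at 90 %, red at 100 % of the credit limit.
RECEIVABLES_KRI = [
    Threshold("warning", 0.90, "notify process owner"),
    Threshold("critical", 1.00, "trigger risk assessment and assign action"),
]


def utilisation(receivables, credit_limit):
    """KRI value: open receivables as a fraction of the granted credit limit."""
    if credit_limit <= 0:
        raise ValueError("credit limit must be positive")
    return receivables / credit_limit


def status(value, thresholds):
    """Highest threshold reached by a KRI value, or None if below all thresholds."""
    reached = [t for t in sorted(thresholds, key=lambda t: t.level) if value >= t.level]
    return reached[-1] if reached else None


def evaluate_series(monthly, thresholds):
    """Walk a monthly KRI series (insertion-ordered dict) and emit an event only
    when the status changes: crossing a threshold upward, or falling back below."""
    events = []
    previous = None
    for month, (receivables, limit) in monthly.items():
        current = status(utilisation(receivables, limit), thresholds)
        if current != previous:
            if current is None:
                events.append((month, "cleared", "close open notification"))
            else:
                events.append((month, current.name, current.action))
        previous = current
    return events


# Constructed sample: (open receivables, credit limit) per month, same currency unit.
SAMPLE_MONTHS = {
    "2023-01": (800_000, 1_000_000),    # 80 %: below both thresholds
    "2023-02": (910_000, 1_000_000),    # 91 %: crosses the yellow line
    "2023-03": (950_000, 1_000_000),    # 95 %: still warning, no new event
    "2023-04": (1_020_000, 1_000_000),  # 102 %: crosses the red line
    "2023-05": (700_000, 1_000_000),    # 70 %: back below all thresholds
}
```

Calling `evaluate_series(SAMPLE_MONTHS, RECEIVABLES_KRI)` yields three events: a warning in February, a critical escalation in April and a clearance in May; the unchanged March reading produces nothing.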
In conclusion, perception is the most basic reason why organizations cannot benefit from the advantages that risk management can provide in today’s business world. Thanks to automated, goal-linked, up-to-date and healthy data-driven KRIs, companies can create an objective perception of risk, starting with a single employee, then a department, and eventually the entire organization. This increases the efficiency and effectiveness of departments and of the whole organization, starting with the employee, and so ultimately ensures that goals are achieved, which is the ultimate purpose of every establishment.
Human perceptions are not going to change in a day. Only with an adopted plan and vision can a risk culture be built in an organization. In addition to the regularization of risk management, GRC products are also very beneficial in the formation of a risk culture at all levels of the organization.
With our experienced consultants, the ready-to-use rulesets, risks and roles in our library, next-generation solution technologies and our partners who are experts in their fields, we at Solvia RS can carry out your digital transformation and contribute to building a risk culture for your organization.