Aarti, can you please tell the Risk Insights readers about yourself and your professional experiences?
With pleasure! I’ve been working in risk and resilience for the last seventeen years. I first started in the early 2000s when both government and industry were exploring the benefits and potentially negative consequences of digitalisation. I specialised in the emergence of cyber threats and risks. I then moved into security risk management, providing advisory services to multinationals operating in high-risk environments. In 2008, I started to focus in on corporate crisis management. I found it fascinating to watch how organisations managed risk events that they hadn’t been able to prevent. For the last seven years, I have been a Partner at 4C Strategies, where I am responsible for the go-to-market strategy for all of our solutions in the UK&I. One day, I’m supporting an airline with their implementation of enterprise risk management or audit & compliance software. The next, I’m working with an airport or retail bank to help strengthen their crisis response capability. For me, it’s all about helping people gather the information they need to make risk-informed decisions and equipping them with the skills and tools to manage uncertainty.
We look forward to you presenting at New Generation Operational Risk: Europe 2017 where you will be discussing operational risk and resilience. Why do you believe this is a key talking point for the Summit?
For many years, risk, compliance and resilience professionals have worked in silos in terms of how they structure, resource and manage the frameworks, programmes and reporting outputs for which they are responsible. In our experience, these silos result in disjointed approaches that render it almost impossible to provide senior executives or regulators with a “single version of the truth” in terms of risk picture, compliance status or operational readiness. These silos also mean that awareness and mitigation of key issues or risks can fall through the gaps because of a “grey zone” in terms of organisational ownership and responsibility. We now see organisations looking to find ways to integrate their approach to operational risk, ERM and other areas of risk with the work being carried out both by those tasked with assurance and with resilience. There is a growing recognition that this will deliver structure, cohesion and a more complete approach. More surprisingly, perhaps, businesses are also beginning to recognise the operational efficiencies that such integration will bring.
What techniques do you endorse to source meaningful data from the frontline?
If a business wants to establish a more joined-up approach to risk and resilience, access to the same data by personnel across functions, across the organisation and across the globe will be one of the critical success factors. So, one of the biggest topics for discussion is “how do you bring data from so many different functions and areas together?” Of course, the ability to use any of this data in a meaningful way will be heavily dependent on where it has come from and how complete it is. Businesses are now starting to recognise that it is not sufficient to merely give access to risk and resilience platforms to staff working in mid-level management or specific functions. This will only tell them half of the story. Businesses want to empower all staff with the means to provide relevant information, which can then be analysed by the relevant expert teams or managers and transformed into timely insight. Mobile apps are being used as an enabler to gather operational “ground truth” and provide signals or early warning for potential risks, failures or incidents. It helps that apps are easy to use, which – as we all know – is a key factor in staff buy-in to these types of initiative.
Without giving too much away, can you give an overview as to what the build, verify, track approach entails and why this is a good tactic?
Well, you’ll have to wait until my talk for all the good stuff! Let’s just say, we have been very fortunate at 4C Strategies to have clients from a diverse range of sectors – from military institutions, fire services and national central banks to retailers, airports and energy suppliers. At their core, all of these organisations share common challenges in relation to risk management and resilience. This has helped us to develop our thinking and, accordingly, our solutions. Our “build, verify and track” model helps organisations to determine what good looks like in terms of their risk management, compliance requirements and resilience capabilities. This platform then provides the organisation with a base from which to build compliance or capability to the levels required, verify or validate that the business is performing as it needs to, and track live compliance and capability levels on an ongoing basis. This model can be applied to just one area e.g. cyber risk, people risk, physical security or business continuity. More interestingly, it can be used as the common model for an integrated approach to risk and resilience. Its outcomes can start to inform that “single version of the truth”, so often lacking at both operational and senior management levels.
How do you foresee the role of the operational risk professional evolving over the next 6-12 months?
Based on some of the themes I’ve discussed today, you won’t find it surprising to hear that I think operational risk professionals will start to become much more involved in the wider risk and resilience efforts of their businesses. They will form one of the constituent parts of this “integrated” approach both in terms of contributing to generating that overall risk and readiness picture, but also benefitting from the activities and the information coming to them from their colleagues in other functions.