In a joint endeavor, KPMG and VTTI collaborated to challenge the traditional risk assessment models with their Dynamic Risk Assessment (DRA) approach. The traditional risk assessment models, which assess risks based on their individual impact or likelihood, have been widely applied by many organizations. The existing models, however, often overlook the interconnectivity between risks which could uncover additional dimensions for enhanced assessment and more pertinent risk mitigating strategies.
Introduction
In the rapidly evolving business landscape, organizations often face external challenges such as geopolitical developments, complex stakeholder landscapes, and the energy transition. Having a robust risk management strategy therefore becomes crucial. This article introduces a dialogue between Jennifer (JF), the Head of Governance, Risk & Assurance at VTTI B.V., and Ara (AH), from Governance, Risk & Compliance Services at KPMG.
The conversation explores the implementation and implications of KPMG’s Dynamic Risk Assessment (DRA) at VTTI to manage strategic risks more efficiently. Unlike traditional risk assessment models, DRA creates an interconnected view of risks, allowing organizations to develop more effective risk mitigating measures. The discussion provides insights into the DRA process, challenges in execution, and how VTTI utilized the DRA report for risk mitigation and the improvement of their risk management capabilities, and it offers IA and ERM professionals a unique viewpoint on the implementation and benefits of DRA. For further background on the Dynamic Risk Assessment methodology, see [Kris18].
The DRA is designed to identify and quantify the interconnectivity between risks, providing a more comprehensive evaluation of potential threats. VTTI performed the DRA to obtain an integrated understanding of its risk ecosystem, including strategic, external, and operational risks, enhancing its risk management capabilities. The process involves a four-step system including risk identification, expert consultations, risk assessment, and reporting. Success factors include C-suite involvement, clear goal formulation, employing the right professionals, and effective expectation management. Challenges included aligning busy schedules and ensuring common risk languages. The process culminated in a report detailing risk impact, interconnectivity, likelihood, and velocity for strategic decision-making and continuous risk dialogue.
Ara Hovsepjan (AH), manager Governance, Risk & Compliance Services KPMG: KPMG is the outsourcing partner for VTTI in Internal Audit. In preparation for the 2024 annual audit plan and further professionalization of risk management, we started discussions about conducting a Dynamic Risk Assessment (DRA).
Jennifer Feuerstacke (JF), Head of Governance, Risk & Assurance VTTI B.V.: At VTTI, we have been working with KPMG for a while, and we are always on the lookout for better practices and expert insights. After having heard of DRA, I was curious about the proposition and how it could help our organization to better facilitate the discussion about risk management.
Dynamic Risk Assessment at VTTI
Who are you and how did you get to know each other?
AH: KPMG is the outsourcing partner for VTTI in Internal Audit. In preparation for the 2024 annual audit plan and further professionalization of risk management, we started discussions about conducting a Dynamic Risk Assessment (DRA).
JF: We have been working with KPMG for a while at VTTI, and we are always on the lookout for better practices and expert insights. After having heard of DRA, I was curious about the proposition and how it could help our organization to better facilitate the discussion about risk management.
What is KPMG’s Dynamic Risk Assessment?
AH: The traditional risk assessment models, which assess risks based on their individual impact or likelihood, have been widely applied by many organizations. However, the existing models fail to recognize the interconnections among the risks, which may reveal enhanced assessment dimensions and more relevant risk-mitigating actions. In response to this, the Dynamic Risk Assessment (DRA) has been developed based on proven scientific modelling, expert elicitation, and advanced data analytics. DRA enables organizations to gain a deeper understanding of how risks impact the different parts of the firm and subsequently, to design more effective and efficient risk mitigating measures.
Why did VTTI perform a Dynamic Risk Assessment?
JF: VTTI operates in a highly dynamic and constantly evolving business environment with a variety of external challenges and is often subject to strict regulatory aspects. Examples of external challenges include the overall energy transition, complex stakeholder landscapes, and geopolitical developments. As the Governance, Risk & Assurance lead, my goal is to contribute to the delivery of VTTI’s business objectives and enhance its resilience to risks. To achieve this, it is essential to firmly integrate risk management into VTTI’s daily activities.
The primary reason for executing DRA is to obtain a concise and integrated representation of VTTI’s risk ecosystem, including strategic and external risks, as well as more operational risks. By gathering insights and creating an interconnected view of risks, we can effectively address distinct risk clusters in the organization. The execution of DRA provides an opportunity to further enhance the professionalization of risk management activities and improve processes, recognizing the importance of evolving risk management tooling and enhancing our risk management capabilities.
The Dynamic Risk Assessment process
What does the Dynamic Risk Assessment (DRA) process look like?
AH: The Dynamic Risk Assessment process consists of four steps, divided into risk Identification and risk Assessment.
- Steps 1 and 2: Individual Interviews & Workshop with Experts
We started by identifying at least six experts for individual interviews to compile an initial risk list. Selecting the right experts to achieve the best possible result is key. It is crucial to determine appropriate risk scales with the client, as this is vital for the most accurate risk assessment. In step 2, we collaborate with a large group of experts to validate and narrow down the risks, ultimately identifying a maximum of 20 strategic risks for the organization.
- Steps 3 and 4: Risk assessment and Reporting
In step 3, all experts will use the DRA survey tool to assess the identified risks based on probability & impact, connectivity, and velocity. Subsequently, we analyze the results and discuss them in step 4.
Figure 1. The four steps of the Dynamic Risk Assessment process.
What are the success factors for conducting a Dynamic Risk Assessment?
AH: Over the past few years, we have identified several success factors through conducting DRAs. We noted that these factors were crucial for ensuring the desired quality and impact in every assignment carried out. An essential factor in successful Dynamic Risk Assessment (DRA) implementation is the involvement of the C-suite management. They need to understand and support the importance of risk management processes to allocate the appropriate resources and budgets, facilitating an effective DRA execution and realizing the outcomes. Coupled with this, clear goal formulation becomes crucial. Identifying these objectives during the goal-setting phase is crucial. They should be clear, widely understood, and set the expectations straight. Navigating through this intricate and continuous process, it becomes vitally important to seek out the right professionals. They should possess the necessary skills and experience to ensure they fit seamlessly into the process.
JF: Expectation management plays a crucial role in performing an effective DRA, and this involves appointing a C-level sponsor to discuss and manage expectations around risk management. This level of involvement creates realistic expectations among participants, ensuring they are engaged, aligned, and committed to expected results and outcomes. VTTI’s work culture and behavior effectively support risk management. The importance of the tone at the top and organizational culture in making ERM a success cannot be emphasized often enough.
What were the challenges during execution?
AH: Each time, we find that one of the biggest challenges is to free up the schedules of our C-level executives to carry out the risk assessment process. The struggle intensifies when our leaders need these experts to focus their energy on other priorities. Overcoming this hurdle means our leaders need to carefully plan a strategy that balances our available resources against the level of risk we are willing to take.
JF: This is very recognizable. We faced a similar challenge with our team as well. First, selecting the right people to involve in the dynamic risk assessment process is crucial. Then getting timely and thorough responses from all involved can take time and effort, as not everyone shares the same priorities, which can lead to misunderstanding of timelines and unnecessary delays. To overcome this challenge, we focused on clear communication with all DRA participants and reminded them of the importance of their input and the criticality of timely responses for the process to be effective.
We also addressed the need for clear common definitions and language for risk assessment. This process required fine-tuning to ensure that everyone had the same understanding of concepts and alignment on the interpretation of risk scales. As part of the DRA, we made deliberate choices, and given the dynamic nature of our environment, we periodically revisit the process to ensure a common language and consistent alignment on scales.
What were the deliverables and next steps?
AH: After completing step 4 of the process, we handed over the report to VTTI. This report visualizes the entire strategic landscape using the four dimensions of a Risk Assessment: impact, likelihood, connectivity, and velocity. Jennifer, what did you do with the DRA report and what choices did you make after receiving the results?
JF: Our company operates with an open mindset and consequence-conscious decision-making process. We carefully evaluate the implications of our choices. We discuss the DRA key insights regularly, sometimes specific to a risk domain and sometimes broader. We also share essential points with the Audit Committee.
This ensures an ongoing risk dialogue and helps integrate consciously factoring risk aspects into daily decision-making. As a risk facilitator, it is important to be aware of the overall landscape and how this impacts our business. Building connections that help people understand the interconnectivity of risks featured in our DRA in their daily work is a continuous process. It requires refreshing the discussion from time to time and evaluating if things have changed.
Keeping the dialogue going is the essence. Especially the aspect of interconnectivity represents a mental shift for the organization since there was a tendency to focus on risks from a functional perspective. The insight was not so much on the individual risks, but more on the way they influence each other.
That also means taking the DRA and looking deeper into the risk ecosystem with more detailed risk analysis. For external or strategic risks, the approach to address them is different to more preventable operational risks. That is where each risk owner needs to work on a suitable, cross-functional approach that goes deep into the organization, and ensure the actions are relevant.
After the DRA, we started taking a fresh look at our existing risk & control matrices (RCM) to see where the interconnectivity aspects play a role and if we need to take a different approach to some topics. While we did the DRA at enterprise level, our team of experts also included operating site representatives, who now take the learnings of the process to their teams, giving a new impulse to the local site dialogues on risk.
Finally, we ensure we have the right assurance activities in place to close the PDCA (plan, do, check, act) circle. Risk-based auditing is part of the approach, along with focused actions aimed at enhancing awareness around specific themes.
Within VTTI, we recognize the importance of better risk dialogues and the necessity to address risk in a cross-functional manner. Sometimes, cross-functional communication is challenging, given everyone’s full agenda and different perspectives on a topic. Still, dialogue is vital as it can reveal insights that are not visible on paper. It can also help identify the low-hanging fruit and promote a lean approach to processes. Expert elicitation as a concept ensures there are participants with relevant knowledge in any given dialogue. For any topic, ensure that knowledgeable colleagues within the organization are involved in the discussion.
Reference
[Kris18] Kristamuljana, A., Van Loon, B., Bolt, J. & Terblanché, A. (2018). Digital Risk Assessment: Above and Beyond the Hidden Structure of Interconnections between Risks. Compact 2018/2. Retrieved from: https://www.compact.nl/articles/dynamic-risk-assessment/