To maintain the integrity of the organization and execute on strategy, the organization has to be able to see each individual risk (the tree) as well as the interconnectedness of risk (the forest). Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional to cause; in the non-linear world of business risk management, risk is exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result ranges from exponential to unpredictable.
Mature risk management enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both internal and external contexts, and use a variety of methods to analyze risk and provide qualitative and quantitative modeling. Successful risk management requires the organization to provide an integrated process, information, and technology architecture to identify, analyze, manage, and monitor risk and to capture changes in the organization’s risk profile from internal and external events as they occur. Mature risk management is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board, and made part of the fabric of the business, not an unattached layer of oversight. It also involves bottom-up participation, where business functions at all levels identify and monitor uncertainty and the impact of risk.
Organizations striving to increase their risk management maturity become more:
- Aware. They want to have a finger on the pulse of the business and watch for changes in the internal and external environments that introduce risk. Key to this is the ability to turn data into information that can be, and is, analyzed, and to share that information in every relevant direction.
- Aligned. They need to align performance and risk management in a context that supports and informs business objectives. This requires the ability to continuously align the objectives and operations of the integrated risk capability with the objectives and operations of the entity, and to give strategic consideration to information from the risk management capability, enabling appropriate change.
- Responsive. Organizations cannot react to something they do not sense. Mature risk management focuses on gaining greater awareness and understanding of the information that drives decisions and actions; it improves transparency, but also quickly cuts through the morass of data to what an organization needs to know to make the right decisions.
- Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Principled Performance enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
- Resilient. The best laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and from risks with limited business impact. They want sufficient tolerances to allow for some missteps, and the confidence necessary to rapidly adapt and respond to opportunities.
- Lean. They want to build business muscle and trim fat to rid the organization of the expense of unnecessary duplication, redundancy, and misallocation of resources, making the organization leaner overall with enhanced capability and better decisions about the application of resources.
Risk Management Information & Technology Architecture
Risk management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. The risk management information architecture supports the process architecture and overall risk management strategy. With processes defined and structured the organization can now define the information architecture needed to support risk management processes. The risk management information architecture involves the structural design, labeling, use, flow, processing, and reporting of risk management information to support risk management processes.
A successful risk management information architecture will be able to integrate information across risk management systems and business systems. This requires a robust and adaptable information architecture that can model the complexity of risk information, transactions, interactions, relationships, cause and effect, and analysis, and that integrates with and manages information from a range of business systems and external data.
The risk management technology architecture operationalizes the information and process architecture to support the overall risk management strategy. The right technology architecture enables the organization to effectively manage risk and facilitate the ability to document, communicate, report, and monitor the range of risk assessments, documents, tasks, responsibilities, and action plans.
There can and should be a central core technology platform for risk management that connects the fabric of the risk management processes, information, and other technologies together across the organization. Many organizations see risk management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:
- Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring.
- Point solutions. A number of point solutions are deployed, each purpose built for a very specific risk or regulatory issue. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization in managing risk holistically.
- Risk management/GRC platforms. These are solutions built specifically for risk management and often have the broadest array of built-in (versus built-out) features to support the breadth of risk management processes. In this context they take a balanced view of risk management that includes performance as well as risk and compliance needs. These solutions allow an organization to govern risk throughout the lifecycle and enable enterprise risk reporting.
The right risk management technology architecture choice for an organization often involves integrating several components into a core risk management platform solution to facilitate the integration and correlation of risk information, analytics, and reporting. Organizations suffer when they take a myopic view of risk management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real time in which the business operates.
Some of the core capabilities organizations should consider in a risk management platform are:
- Internal integration. Risk management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization. So the ability to pull and push data through integration is critical.
- Content, workflow, and task management. Content should be taggable so it can be routed to the right subject matter expert, establishing workflow and tasks for review and analysis. The platform should also provide standardized formats for measuring business impact, risk, and compliance.
- 360° contextual awareness. The organization should have a complete view of what is happening with risk in the context of performance, risk, and compliance. Contextual awareness requires that risk management have a central nervous system to capture signals found in processes, data, and transactions, as well as changing risks and regulations, for interpretation, analysis, and holistic awareness of risk in the context of performance.
- Support for multiple risk frameworks. The risk management technology architecture should allow the organization to harmonize risk management across the organization. The business can use different risk management frameworks in different parts of the organization and still integrate risk data and reporting with an enterprise perspective.
- Define and map objectives and controls to risk. Controls are used to mitigate and monitor risk. Every control in the environment maps to the risks addressed, using an integrated risk and control framework. Risk technology should allow for complete integration and reporting on objectives and controls in the context of their relationship to risk across the enterprise.
- Establish and communicate risk policy. Risk technology should allow the organization to develop, approve, and communicate policies to address risk. This establishes expectations and a culture around risk, including risk capacity, tolerance, appetite, accountability, and controls.
- Manage loss and incidents. Loss represents the materialization of risk and must be documented and fed into risk models. Risk technology enables the management of incidents and records loss as an integrated component of a risk management process.
- Allocate risk accountability. Risk management requires that someone is responsible for risk. Risk without an owner is like a leaf blowing in the wind. Risk technology tracks accountability and ownership through its risk taxonomy, and enforces accountability through task management, workflow, and escalation. Through reporting and metrics, owners see risk from different perspectives and understand the risks they are responsible for.
- Advanced risk reporting and trending. Risk technology manages and monitors risk at the enterprise level and within individual departments. This permits detailed reporting, dashboards, trending, and analytics that scale to the needs of the department or enterprise. Organizations can establish and monitor risk metrics through KRIs and map them to objectives and processes. Reporting is customizable and scalable to context and level of detail appropriate to the audience — whether process owner, manager, executive, or board member.
- Risk analytics and modeling. Mature risk technology should support a breadth of risk analytics and modeling to meet the diverse needs of groups across the business. The solution can track and model spending to treat risk in the context of exposure.
- Understand the interrelationship of risk. Risk technology provides for identification and categorization of risk into hierarchical structures to effectively manage and assign accountability. However, individual risks can also relate to risk outside of a hierarchical model. The risk information architecture allows for hierarchical categorization of risk, as well as mapping and relationship of risk that does not always fit into neat hierarchies.
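The capability list above (controls mapped to risks, risk ownership, KRI-style ratings, and relationships that cross the hierarchy) describes an information model rather than code. The following is an added example, not code from GRC 20/20 or from any of the solutions the research describes, showing one way such a risk register can be modeled: a taxonomy tree for categorization and roll-up, a separate relationship graph for the interconnected "forest" view, and checks that surface risks with no owner or no control. The class, field and identifier names (`RiskRegister`, `CTL-01`, `OPS-1`, the likelihood and impact scale) are assumptions for the demonstration, and the sample register is constructed data.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Risk:
    """One node in the risk taxonomy: a category or a leaf risk (illustrative model)."""
    rid: str
    name: str
    parent: Optional[str] = None          # hierarchical parent (the taxonomy)
    owner: Optional[str] = None           # accountable person or role
    likelihood: int = 0                   # 1..5 (0 for pure categories)
    impact: int = 0                       # 1..5 (0 for pure categories)
    controls: Set[str] = field(default_factory=set)   # control ids mapped to this risk
    related: Set[str] = field(default_factory=set)    # links outside the hierarchy

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


class RiskRegister:
    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.parent is not None and risk.parent not in self.risks:
            raise KeyError(f"unknown parent category {risk.parent}")
        self.risks[risk.rid] = risk

    def link(self, a: str, b: str) -> None:
        """Record a cause/effect or dependency relationship that crosses categories."""
        self.risks[a].related.add(b)
        self.risks[b].related.add(a)

    def children(self, rid: str) -> List[str]:
        return sorted(r.rid for r in self.risks.values() if r.parent == rid)

    def leaves(self) -> List[str]:
        return sorted(rid for rid in self.risks if not self.children(rid))

    def path(self, rid: str) -> List[str]:
        """Taxonomy path from the root category down to rid."""
        chain: List[str] = []
        node: Optional[str] = rid
        while node is not None:
            chain.append(node)
            node = self.risks[node].parent
        return list(reversed(chain))

    def rollup(self, rid: str) -> int:
        """A category is rated by its worst descendant (max of likelihood x impact)."""
        own = self.risks[rid].score
        return max([own] + [self.rollup(c) for c in self.children(rid)])

    def unowned(self) -> List[str]:
        """Leaf risks nobody is accountable for ('a leaf blowing in the wind')."""
        return [rid for rid in self.leaves() if self.risks[rid].owner is None]

    def uncontrolled(self) -> List[str]:
        """Leaf risks with no control mapped to them."""
        return [rid for rid in self.leaves() if not self.risks[rid].controls]

    def connected(self, rid: str) -> Set[str]:
        """Every risk reachable through cross-hierarchy links (the interconnected view)."""
        seen, queue = {rid}, deque([rid])
        while queue:
            for nxt in self.risks[queue.popleft()].related:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        seen.discard(rid)
        return seen


def sample_register() -> RiskRegister:
    """Constructed sample data for the demonstration; not a real organization's register."""
    reg = RiskRegister()
    reg.add(Risk("ENT", "Enterprise risks"))
    reg.add(Risk("OPS", "Operational", parent="ENT"))
    reg.add(Risk("TECH", "Technology", parent="ENT"))
    reg.add(Risk("COMP", "Compliance", parent="ENT"))
    reg.add(Risk("OPS-1", "Third-party service outage", "OPS", "VP Operations", 3, 4, {"CTL-07"}))
    reg.add(Risk("OPS-2", "Key supplier insolvency", "OPS", None, 2, 5))   # no owner, no control
    reg.add(Risk("TECH-1", "Ransomware", "TECH", "CISO", 3, 5, {"CTL-01", "CTL-02"}))
    reg.add(Risk("TECH-2", "Unpatched internet-facing systems", "TECH", "CISO", 4, 3, {"CTL-02"}))
    reg.add(Risk("COMP-1", "Regulatory reporting failure", "COMP", "CCO", 2, 4, {"CTL-11"}))
    # Relationships that do not fit the hierarchy: cause and effect across categories.
    reg.link("TECH-2", "TECH-1")   # exposed systems are the entry point for ransomware
    reg.link("TECH-1", "OPS-1")    # ransomware at a provider becomes an outage for us
    reg.link("OPS-1", "COMP-1")    # an outage can make a regulatory deadline slip
    return reg


if __name__ == "__main__":
    reg = sample_register()
    print("unowned leaf risks:", reg.unowned())
    print("uncontrolled leaf risks:", reg.uncontrolled())
    print("TECH category rating:", reg.rollup("TECH"))
    print("TECH-2 is connected to", sorted(reg.connected("TECH-2")))
```

The point of keeping the taxonomy and the relationship graph separate is that the hierarchy answers "where does this risk sit and who rolls it up", while the graph answers "what else moves when this risk materializes"; a register that only has the tree will report TECH-2 as a medium technology risk and never show that it reaches an operational outage and a compliance failure two hops away.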
This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Risk Management by Design: A Blueprint for Federated Enterprise Risk Management
- Role of Risk Content & Intelligence in a Risk Management Strategy. Attend GRC 20/20’s next Research Briefing to learn about the range of risk intelligence and content offerings available in the market that can enable a GRC strategy and integrate with GRC technology solutions. GRC 20/20 has mapped over 125 providers of GRC intelligence and content with more than 350 content offerings across these providers.
- Have a question about Risk Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
- Risk Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Risk Management by Design Workshop in your organization.
- Looking for Risk Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.
GRC 20/20’s Risk Management Research includes . . .
Register for the upcoming Research Briefing presentation:
Access the on-demand Research Briefing presentation:
- How to Purchase Risk Management Solutions
- Market Overview of GRC (Risk) Content & Intelligence Providers
Strategy Perspectives (written best practice research papers):
- Risk Management by Design: A Blueprint for Federated Enterprise Risk Management
- Model Risk Management: Enabling A Firm Foundation for Model Risk Management
- Policies, The Last Mile of Risk Management: The Relationship Between Risk and Policies
Solution Perspectives (written evaluations of solutions in the market):
- Sword Active Risk: Providing 360° Contextual Awareness of Risk
- MEGA’s Solutions for Model Risk Management: Innovation in Risk Management
Case Studies (written evaluations of specific strategies and implementations within organizations):