Risk & Regulatory Intelligence (or should it be Wisdom?)
Intelligence and wisdom . . . we have seen these words bandied around quite a bit. While the market seems eager to grasp onto the phrase ‘risk intelligence’, it means nothing if corporations do not know what to do with the knowledge that intelligence brings them. There are ignorant individuals and organizations that acquire a lot of knowledge but fail to apply it to good business decisions. Wisdom requires intelligence/knowledge. Yet, as Martin Luther stated, “All our experience with history should teach us . . . how badly human wisdom is betrayed when it relies on itself”; relying on one’s own ‘wisdom’ is also a recipe for disaster. Proverbs tells us, “Without counsel plans fail, but with many advisers they succeed.” (ESV, Proverbs 15:22) Wisdom ultimately comes when one considers multiple angles of looking at possibilities.
Organizations operate in a complex environment of risk. They are exposed to both internal and external risks. The legal and regulatory environment adds further internal and external risks to monitor and be aware of. When the organization approaches risk and compliance in scattered silos that do not collaborate with each other, there is no possibility of being intelligent, let alone wise, about risk decisions that could impact business strategy.
The challenge is for organizations to develop processes to harness internal and external information to be intelligent about their risk and regulatory environments so they can make wise business decisions. This involves gathering information from the internal environment such as:
- Losses. What have the historical trends and patterns of loss to the organization been?
- Issues/events. What events, issues, incidents, and investigations has the organization undergone?
- Success & performance. Where has the organization been surprisingly successful in seizing opportunities and creating value?
- Controls. What is the state of controls in the environment? Are they effective?
- Policies. Does the organization have adequate policies and procedures? Are they current and up to date? Do responsible parties understand them?
- Risk appetite. Is the organization taking on too much risk or too little risk?
- Risk management. Is the risk taken adequately monitored and managed?
- Compliance. Are compliance obligations being met? Are there issues with law enforcement or regulators?
- Culture. Do employees understand and subscribe to the corporate ethics and code of conduct?
- Business relationships. Is there unwarranted risk, unacceptable values/ethics, or issues with compliance across third-party business relationships?
Over the years, many organizations have matured in their view of internal risk intelligence issues. However, the processes for external environment issues remain very broken. To date, external risks are managed in a very ad hoc way with little accountability and oversight, if any at all. Within legal and compliance it is not uncommon to have a myriad of legal professionals doing ad hoc monitoring of legal developments and compliance requirements and emailing interested parties about developments with little to no follow-up.
Risk and regulatory intelligence of the external environment includes:
- Legal monitoring. Monitoring of new case law, regulations, and pending legislation to predict the readiness of the organization to meet new requirements.
- Geo-political risks. Monitoring of countries around the world that the organization has operations in or does business with to determine events that could have a positive or negative impact on the business. This includes civil unrest, terrorism, new laws, business dealings, etc.
- Environmental. Monitoring environmental predictions and threats of natural or man-made events that could impact the organization (e.g., tornadoes, hurricanes, earthquakes, volcanoes, mass virus/disease outbreaks).
- Hostile threats and vulnerabilities/exposure. Monitoring of individuals, organizations, and governments who may act hostilely toward the organization, as well as looking for vulnerabilities in and exposure of the organization to those threats.
- Financial risks. Monitoring of the capital markets and areas such as foreign exchange rates and commodities so the organization can capture return/opportunity while mitigating/controlling loss. This allows for proper hedging.
- Competitive environment. Monitoring what competitors are doing and evaluating their product, service, marketing, sales, financial, and partnering performance.
To be risk and regulatory intelligent, and from there to make wise decisions, requires a process to intake information, track accountability for who needs to act on it, and model/measure the potential impact on the organization.
Corporate Integrity is monitoring the integration and expansion of many GRC systems/technologies that are being used to intake risk and regulatory information, weed out irrelevant information, and route critical information to the specific individuals responsible for making a decision on the particular issue. At a minimum this requires workflow and process management capabilities; more mature systems provide direct integration with content/information aggregators in which the organization is profiled so that relevant new developments are routed straight to the specific individuals responsible for evaluating that area.