Where Risk (and GRC) Technology Fails
Risk management is a huge topic these days with organizations looking for solutions to help them manage enterprise and operational risk across the departments and functions. However, there are many risk management technology projects that have failed to meet expectations, have gone over budget, and well past project deadlines.
Why? . . . there are many reasons.
One is simply that the organization is trying to do too much too fast. They are overly ambitious on what can be achieved in a given time frame. This is particularly true when risk management has been an ad hoc “fly by the seat of our pants” operation (Urban Dictionary: to pilot a plane by feel and instinct rather than by instruments, to proceed or work by feel or instinct without formal guidelines or experience). Many areas of the organization have not thought through risk management and then it is pushed upon them.
Another reason is a failure to align risk with business strategy, objectives, and performance. The ISO 31000:2009 definition of risk is “risk is the effect of uncertainty on objectives.” This might be done well at a project or operational process, but as you rollout enterprise and operational risk technology the organization fails to provide the alignment of risk to business strategy and objectives.
The primary and disastrous failure of risk technology implementations I want to focus on in this post is risk normalization and aggregation. This is something that the major analyst firms leave out of their reviews and ranking of GRC solutions (note: GRC is a broad market and includes the range of risk management technology solutions available).
Risk normalization is simply the ability to compare apples to apples. If one department’s high risk is another department’s low risk this should be evident in risk reporting. Risk aggregation is the ability to take risks from different areas of the business and roll them up into an enterprise view of risk that makes sense. Risk normalization and risk aggregation work hand and hand. To aggregate risks properly requires that the technology have the logic to do risk normalization.
CASE IN POINT: I will never forget a panel I hosted at a GRC conference. On this panel was the Corporate Secretary/Assistant General Counsel for a major financial services brand. This role was responsible for the overall risk and GRC reporting that went to the Board of Directors. He stated to all in attendance that his Board never wants to see a risk report from their __________ GRC platform again (consistently a leader in major analyst reports). Explaining this further he stated the risk reports were broken and meaningless as one departments high risk was discovered to be another departments low risk and everything globulated to the center on heat maps and made no sense (my view of risk heat maps is that they are often very broken and misused).
If Department A’s risk exposure is $10 million and ranked a high risk and Department B’s risk exposure is $100 million and ranked a medium risk, the overall risk report needs to reflect this accurately. Organizations run the ‘risk’ that Department A’s risk will be focused on while Department B’s may be overlooked. This is oversimplification, there are many other variables such as frequency, probability/likelihood, velocity, and more to consider as well.
The challenge is that many risk management solutions (including some leading GRC platforms) were developed as a department level solution for risk. They have a fairly flat view of the world. This leads to two points of risk technology failure in solutions that do not have native approaches for dealing with risk normalization and aggregation:
- Force everyone into one flat view of risk. This essentially pushes every department and function into the lowest common denominator. All have to manage risk to a common set of criteria and scoring and individual departments lose out in depth and detail they need within their specific context. It limits the ability to get a true department perspective of risk for the sake of enterprise risk reporting that is in turn degraded and can no longer be trusted as departments lose their granularity needed to accurately measure and manage risk to their specific needs. There is a need to measure, model, and analyze risk in different ways in different departments/functions of the organization. The way an organization measures models market risk will be different than how it models health & safety risk.
- Expensive services engagement to built out. Solutions that do not have risk normalization and aggregation as native features inherent in their technology will address this issue through implementation projects that are expensive and take a lot of time. GRC 20/20 has seen risk/GRC implementation projects that typically span from six months to over two years to rollout. The most common reason is customizing the platform to do risk normalization and aggregation. Then the platform breaks during the next upgrade process because of the behind the scenes customization of logic and rules done to support risk normalization and aggregation.
BOTTOM LINE: when buying risk/GRC technology solutions that are to do risk reporting across risk areas, make sure that the solution has been designed from the ground up to measure and model risk in the variety of ways different areas need and that the solution supports risk normalization and aggregation without the need for expensive customization and implementation projects. Further, do not assume that a ‘Leader’ in analyst reports actually has addressed risk normalization and aggregation because many of them have not. Failure to consider this may mean expensive implementation projects that take more time than expected, result in broken upgrades, and outright scrapping the platform to move to a different solution. GRC 20/20 has seen it all happen.
I encourage you to share your experience and insight into this issue below. It is one that GRC 20/20 has encountered several times in the market. Be bold; help other organizations understand this issue and its impact if not considered up front.
If you are considering risk technology to use within your environment, click on the Ask Inquiry button to the right. GRC 20/20 offers complimentary inquiries to organizations evaluating GRC technology, solutions, and services. We are here to provide you insight into the market to make intelligent choices. GRC 20/20 can give you specific insight into what solutions do what aspects of risk management and GRC well and which do not.