Risk management is pervasive throughout organizations. There are many departments that manage risk with a variety of approaches, models, needs, and views into risk. This makes enterprise and operational risk management a challenge. Organizations often fail in enterprise risk management strategies when they force everyone into one flat view of risk, they also fail when they allow different views of risk but do not consider risk normalization and aggregation as they roll-up risk into enterprise reporting.
Organizations have adopted a wide range of technologies for risk management. There are several hundred solutions in the risk management market (a segment of the GRC market). Some are broad enterprise or operational risk platforms. Some solutions can be very narrow and limiting in which different departments lose capabilities they need, while other solutions can be very broad and adaptable. There are a variety of very focused risk solutions that excel at specific areas of risk management. These include:
- Solutions focused on specific risks. These are solutions designed to manage and assess risk deeply on a very specific risk area. Such as, commodity risk, foreign exchange risk, privacy risk, model risk, and dozens of other risk areas.
- Solutions focused on department/function risk management needs. These are solutions that are aimed at managing risks within a common department/functional area providing a common platform that specializes in risk within that area. Such as, information security, health & safety, corporate compliance, audit, finance, treasury, and more.
- Solutions aimed at project risk management. These are solutions that help the organization manage risk in projects.
- Solutions aimed at finance/treasury risk management. These are solutions aimed at managing an array of financial and treasury risks such as capital, market, liquidity, and credit risks.
- Solutions aimed at operational risk management. These are solutions aimed at managing operational risks across departments to provide an integrated view of risk across business operations.
- Solutions aimed at enterprise risk management. These are solutions that take an integrated view of strategic, finance/treasury, and operational risks (legal and compliance risk being part of operational risk). However, many solutions that advertise themselves as enterprise risk management really are only doing operational or department risk management.
- Tools for risk management. Then there are a range of solutions that assist in risk management, but do not fit in one of the other areas. They are tools to do surveys/questionnaires/assessments. Or they assist in modeling risk such as monte carlo tools or Bayesian modeling.
The challenge is that there is not a one-stop solution for all of an organizations risk management needs. There is no a solution provider out there that addresses every area and need of risk management across the organization. In addressing this, many organizations look to risk management/GRC platforms to provide the range of capabilities they are looking for. This is done particularly when they have enterprise or operational risk management strategies to provide an integrated view of risk across the organization. HOWEVER, organizations are frequently failing in these implementations as they encounter the following issues in risk management:
- Failing to provide top-down and bottoms up risk perspective. This is a controversial topic in the risk community, and one that I am sure I will get hammered on by opponents on either side. There are those that see that risk is all about strategy and objectives and you should do a top-down analysis of risk that starts with strategy and objectives. The other side are approaches that see risk management as a bottoms up by identifying risk at the lowest level of operations, transactions, and processes and rolling it up. My perspective is that both are needed. Risk management has to be in context of strategy and objectives, but so often something unseen down in the weeds of processes can rear its ugly head and devastate the organization. This may often have been missed in a pure top-down strategy.
- No multi-dimensional mapping of risk relationships and impacts. A single risk can impact the organization in different ways and have exponential impact when considered in context of other risks managed in other areas but no one sees the range of related risks. Organizations fail to map risks into different hierarchies of relationships and show a multi-dimensional view of risk, impact, and relationships as it intersects with other risk categories not in the same risk hierarchy (see my post The Titanic: an Analogy of Enterprise Risk).
- Forcing everyone into a one-size fits all risk analysis methodology. Organizations too often select risk solutions for enterprise or operational risk management that require a one-size fits all approach to risk analysis that ends up watering down risk assessments to the lowest common denominator. Well established approaches for managing risk in areas of the organization get pushed aside and the particular specialized views and details are lost leading to greater exposure. Where health & safety may have been using bow-tie risk analysis they are not forced to use heatmaps and stoplight diagrams. The organization loses depth in risk management by selecting solutions that do not have the breadth of capabilities the organization needs.
- Lack of risk normalization and aggregation. Organizations attempt enterprise or operational risk management by utilizing solutions that lock them into a single flat view of risk scoring and appetite that creates issues when identifying and managing localized operational threats and opportunities as everything is scaled to an enterprise view. What happens when IT security’s high risk is actually lower than finance’s low risk? Either different departments have to measure all their risks in a single context that fits the entire organization, and they lose a department level perspective that is of value. Or they measure everything at a department, function, process, or project level and fail in enterprise risk reporting as they compare apples and oranges. Very few solutions on the market offer a capability to do risk normalization and aggregation. For effective risk normalization and aggregation, risks must be assessed both qualitatively and quantitatively with standardized methodologies that allow for a view of risk at an enterprise level as well as lower localized levels.
- Overreliance on heat maps. I have written about my frustration with heat maps for the past 13 years. They provide a false view of risk. The standard two-dimensions are likelihood and impact with the upper right being perceived as the greatest risk of high-likelihood and high-impact. This is false. What organization is having billion-dollar loss events on a regular basis? They are out of business. The greatest risk exposure often is the low likelihood and high-impact events that heat maps fail to call out properly.
- Lack of supportive risk data. Too often I see very subjective responses to risk assessments. When asked to measure risk in dimensions of likelihood and impact (there are more but we will stick to these as it is most often seen), it is often complete guess work. The organization fails to provide a history of risk events that have materialized top be an event with loss on the organization. When assessing and modeling risk, organizations need a history to mine to see how this risk has materialized in the past within their organization and with peers to be able to objectively score dimensions of likelihood and impact.
Many of these failures in enterprise and operational risk management are the result of organizations selecting GRC and risk platforms that are inadequate for the job. They rely on Gartner and Forrester reports that have a bias toward IT risk management and score and rank risk management solutions in a way that makes no sense. Gartner often only wants to see a ½ hour video demo and sends web surveys to client references. Yet organizations of all sizes are basing their enterprise and operational risk management platform purchases on analyst reports that lack depth (Forrester Waves are very broad in scope), or lack published criteria (Gartner Magic Quadrants are what they say they are, magic as the criteria, and results, are a complete mystery).
Organizations need to start thinking about risk management architecture. Organizations are often best served to take a federated approach to risk management that allows different departments some level of autonomy and supports their department level risk management strategies but also enable a common information and technology architecture to support overall enterprise and operational risk management activities and reporting.
There is no one-stop risk management solution that does everything risk management for the entire organization. Which solution can provide the best core for enterprise and operational risk management that has the right range of risk mapping, modeling, and analytic needs for the majority of the organization. But then also needs to be able to integrate with best of breed risk solutions that offer specific functionality in areas where needed.
Whether for a department risk management need, or to manage enterprise and operational risk across the organization, risk management solutions are in demand. Recent RFP and inquiry trends that GRC 20/20 is involved with show a growing demand for integrated cross-department risk management solutions. There are several hundred solutions available in risk management with varying capabilities and approaches. Organizations need to clearly understand the breadth and depth of their requirements, map these into risk solutions capabilities, and understand that there is no one size fits all solution for risk management no matter what solution providers may say. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that are the perfect fit for your organization.
Organizations looking for risk management solutions and intelligence can get objective insight through:
- Research Briefing: How to Purchase Risk Management Solutions & Platforms
- Inquiry: Organizations looking for solutions can ask GRC 20/20 questions via inquiry or phone to get our insight (request inquiry via web or email [email protected])
- Workshops: host or attend GRC 20/20’s Risk Management by Design Workshop (email [email protected])
- RFP Development & Support: engage GRC 20/20’s research and compendium of hundreds of risk management solution requirements into an RFP that is crafted to meet your organizations specific requirements (email [email protected])
GRC 20/20’s next Research Briefing is on How to Purchase Risk Management Solutions & Platforms. Organizations looking for risk solutions should attend to help them scope their requirements and approach the market.
AGENDA . . .
- Defining & Understanding Risk Management
- Definition, Drivers, Trends & Best Practices
- Critical Capabilities of a Risk Management Platform
- What Differentiates Basic, Common, & Advanced Solutions
- Considerations in Selection of a Risk Management Platform
- Decision Framework & Considerations to Keep in Mind
- Building a Business Case for Risk Management
- Trajectory of Value in Effectiveness, Efficiency & Agility
The GRC Pundit will help organizations . . .
- Defineand scope the risk management market
- Understandrisk management drivers, trends, and best practices
- Relatethe components of what makes a risk management platform
- Identifycore features/functionality of basic, common, and advanced risk management platforms
- Mapcritical capabilities needed in a risk management platform
- Predictfuture directions and capabilities for risk management
- Scopehow to purchase risk management platforms in a decision-tree framework
- Discernconsiderations to keep in mind as you evaluate risk management solutions
[add_single_eventon id=”3028″ show_exp_evc=”yes” open_as_popup=”yes” ]