Risk management is a hot topic and focus within organizations. We are surrounded by acronyms: GRC (governance, risk management, and compliance), ERM (enterprise risk management), ORM (operational risk management), and now IRM (Gartner’s integrated risk management). We hear other terms like operational resilience, strategic risk management, and more.
Risk management strategies (pick your favorite acronym or buzzword) lead to RFPs for technology to support the risk management strategy and processes. HOWEVER, not all risk technology is created equal. Organizations need to get beyond the marketing hype of buzzwords and misleading analyst rankings to really understand whether the technology can deliver on the requirements of their risk management maturity journey. This requires a clear understanding of where you are now with risk management and where you want to be. The current pandemic is forcing attention on this, something I also wrote about before the pandemic.
The problem with many risk management programs is that they struggle with documents, spreadsheets, and emails. I talked to one organization that was spending over 200 hours to build a report for the board of directors because it required them to go through hundreds to thousands of documents, spreadsheets, and emails to aggregate and report on risks and risk events. In an RFP I advised on for a mid-sized bank, an internal study found that 80% of their risk management resources were nothing more than document/data reconcilers and aggregators, and only 20% of the time was spent managing risk. They wanted to change that with a solution, and they did. This recent BBC article caught my attention for what it shows about the limitations and risk exposure of using spreadsheets: Excel: Why using Microsoft’s tool caused Covid-19 results to be lost.
So organizations look for risk management solutions and get sucked in by marketing and sales hyperbole. There are basic risk management solutions that do ease the pain of human capital efficiency (e.g., time) by removing the need to manage documents, spreadsheets, and emails. But these are basic and typically aimed at tick-box exercises for risk management that are more of a qualitative compliance exercise than true risk management. Mature and valuable risk management is more than forms, surveys, workflow, and tasks. It requires risk quantification, modeling, analytics, and reporting that is aligned with business objectives and presented in the context of those objectives. It requires seeing the complex interrelationships and interdependencies of risk. The market is at an interesting point right now, as older solutions rearchitect to meet the demands of Agile GRC 4.0 while newer solutions are already there.
My question to you: can the risk management technology you have (or are considering) truly deliver on the needs and concerns of risk management?
There was a ton of interest in my recent article on the Role of Business Process Modeling in GRC Requirements. This week I turn my attention to risk management requirements. In 2020 I have interacted on several RFPs for enterprise and operational risk management solutions and have been engaged to advise on several more as we enter 2021. In addition to these formal engagements, I answer inquiry questions every week from organizations looking at solutions. I am seeing a lot of activity for risk management in North America, Europe, the Middle East, and Australia right now.
In these interactions, I have found that the following requirements/functional areas for GRC, ERM, ORM, IRM RFPs are core to maturing a risk management function within an organization. If you want to build a true risk management program that goes beyond tick-box compliance exercises, then you should strongly consider:
- Performance/Objective-View of Risk. This is where risk management should start. ISO 31000 states that ‘risk is the effect of uncertainty on OBJECTIVES.’ So good risk management STARTS with performance and objective management. These can be entity-level, division, department, process, project, or even asset-level objectives. Risk needs to be understood in the context of the objective. I recently finished advising on an RFP for a global European firm where this became the deciding factor in their choice of a solution, and I am starting another RFP that is centered on this. It comes up regularly, but in these two situations it was table stakes.
- Front Office Engagement. Organizations desire the depth and breadth of capabilities and the complexity of risk analytics for the back-office (2nd and 3rd line) risk functions for risk modeling, analysis, mapping, and monitoring. But I am seeing increased requirements for front-office (1st line) engagement on risk ownership, accountability, and reporting. The interfaces for back-office and front-office are not the same and need to be very role/context-specific so they do not overwhelm front-office operations. I am interacting with a financial services firm right now looking specifically for this dichotomy: simple and intuitive front-office engagement on risk, with depth and analytics for the back-office.
- Risk Interrelationships. Risks cannot be understood and managed in isolation. I wrote about this last year in my article in Enterprise Risk magazine. 2020 proves this point with COVID-19. What began as a health and safety risk has had interrelated impacts on performance, resiliency, third-party/supply-chain, IT security, human resources, fraud & corruption, and even social accountability and human rights risks. Organizations need to be able to map and understand risk relationships, interrelationships, and dependencies. Measuring a risk exposure also requires understanding the exposures and impacts of related risks.
- Risk Aggregation & Normalization. This is a critical factor, particularly for large organizations. One department’s high risk might be another department’s low risk in quantifiable exposure. Departments, projects, and functions want a legitimate view of risk at their operational level. Within their view of the world, they need to know what is high risk and what is low risk. But as this gets rolled up into enterprise risk reporting, they need strong risk normalization and aggregation that is meaningful. This is one key requirement I am seeing in Germany in the context of the IDW PS 340 audit standard driving enterprise risk reporting. I had a corporate secretary for a global brand on a panel I was moderating at a conference who stated that their board of directors never wants to see a heatmap from their leading IRM solution ever again because it lacked risk normalization and aggregation (don’t get me started on the issues of heatmaps, that is another blog in itself).
- Risk Frequency & Distribution. I am seeing more and more risk management programs mature to the point of wanting risk frequency and distribution models, like Monte Carlo simulations. An immature approach might plot a risk as a single point on a heat map (which has many issues), but real risk has a range of scenarios, frequencies, and impacts that need more complex modeling to analyze and understand. Organizations are looking for more advanced ways to do risk quantification and modeling. Monte Carlo simulations, Bayesian modeling, and more are showing up in RFPs with growing frequency.
- Risk Visualization. There is a growing demand for greater risk visualization and analytic techniques. Organizations want fresh and modern user interfaces and user experience (UX). I am seeing an increased demand for bow-tie risk analysis across industries. RISK VISUALIZATION IS MUCH MORE THAN HEATMAPS!!! This also ties back into the point above on risk interrelationships, as well as risk quantification, and using risk visualization to communicate and analyze.
- Cost of Ownership. Organizations are looking for Agile GRC 4.0 solutions that deliver in rapid timeframes and provide value to the organization. They are tired of dated solutions (10 to 20-year-old code) that take a year or more to roll out. For example, I am interacting with one organization looking to replace a Gartner IRM Leader that they purchased 3 years ago and still have no users on the platform. Modern solutions should be agile and have a low cost of ownership to implement and maintain.
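To make the Risk Frequency & Distribution point above concrete, here is a small Monte Carlo simulation of annual loss exposure. This is example code added for this post, not a feature of any product or RFP discussed here. The scenario numbers (about two loss events a year, a median loss of 50,000 per event, a lognormal spread of sigma 1.0) are constructed assumptions, and the function names are my own. The point it shows is that a "single point on a heat map" collapses a whole distribution: the same scenario has a median year, a 90th percentile year, and a 99th percentile year that differ by an order of magnitude, and a board can be told the probability of exceeding a given loss rather than a color.

```python
import math
import random

# Constructed scenario assumptions (not from any real risk register):
# about two loss events per year, a median loss of 50,000 per event,
# and a lognormal spread (sigma=1.0) so a few events are far larger than typical.
EVENT_RATE = 2.0
LOSS_MEDIAN = 50_000.0
LOSS_SIGMA = 1.0
YEARS = 20_000


def sample_poisson(rng, rate):
    """Poisson event count via Knuth's multiplication method (fine for small rates)."""
    if rate <= 0:
        return 0
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(years=YEARS, event_rate=EVENT_RATE,
                           loss_median=LOSS_MEDIAN, loss_sigma=LOSS_SIGMA, seed=2020):
    """One simulated total loss per year: frequency from Poisson, severity from lognormal."""
    rng = random.Random(seed)           # seeded so the run is reproducible and auditable
    mu = math.log(loss_median)          # the lognormal median is exp(mu)
    annual = []
    for _ in range(years):
        events = sample_poisson(rng, event_rate)
        annual.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(events)))
    return annual


def percentile(values, q):
    """Nearest-rank percentile for q in (0, 1]."""
    ordered = sorted(values)
    index = max(0, math.ceil(q * len(ordered)) - 1)
    return ordered[index]


def exceedance_probability(values, threshold):
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for v in values if v > threshold) / len(values)


def summarize(values):
    """The figures a risk committee can act on: expected loss, tail percentiles, exceedance."""
    return {
        "expected_annual_loss": sum(values) / len(values),
        "p50": percentile(values, 0.50),
        "p90": percentile(values, 0.90),
        "p99": percentile(values, 0.99),
        "p_exceed_500k": exceedance_probability(values, 500_000),
        "p_exceed_1m": exceedance_probability(values, 1_000_000),
    }


if __name__ == "__main__":
    losses = simulate_annual_losses()
    for name, value in summarize(losses).items():
        print(f"{name:>22}: {value:,.2f}")
```

Two design points matter when a tool does this for real: the random seed should be recorded with the report so the numbers can be reproduced in an audit, and the exceedance probabilities (the loss exceedance curve) are what let a risk from one department be compared with a risk from another on the same scale, which is exactly the normalization problem described under Risk Aggregation & Normalization.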
Can your risk management technology deliver on these broader risk management capabilities? These are just some of the buckets of functionality that I get much more specific about in my risk management RFP requirements library.
What do you see as critical in technology to deliver on maturing your risk management strategy?