GRC in Uncertain Times: 2016 and into 2017

In the past month there have been a lot of posts, articles, and discussions on the impact of Trump’s presidency on the GRC market, particularly compliance. Some fear that the need for compliance management within organizations will not be as strong as a Trump administration looks to deregulate. My perspective is that compliance management will continue to grow within organizations no matter who is in office. Whether conservative or liberal, regulations have grown and grown over the years. While President-Elect Trump is not your typical candidate, he is already toning down some of the rhetoric he used during the campaign and coming around to reality. There may be shifts in focus in certain areas, but ethics and compliance will remain a strong need within organizations for many years to come.

HOWEVER, the focus of the question should not be on compliance but on what the forecast looks like for risk management. While organizations will continue to need compliance processes and technologies, organizations will see a renewed focus and energy on risk management processes and related technologies.

Times are uncertain. 2016 has brought us Brexit, a forthcoming Trump administration, and political turmoil around the world, particularly in the possible outcomes of European elections. Economically, things are topsy-turvy with the British pound and the euro, and there is caution on the outlook for China.

As I look to 2017 one word continues to come to mind: UNCERTAINTY.

If we go to ISO 31000 for a definition of risk, “risk is the effect of uncertainty on objectives.” Organizations face a world of uncertainty in 2017 and need defined risk management processes and systems in place to be able to manage risk in the context of objectives. As we close 2016 and move into 2017, GRC 20/20 is seeing growing inquiries from organizations looking to improve risk management related processes and asking questions about risk management technologies to enable those processes.

It is interesting that the current OCEG GRC Maturity Survey, which GRC 20/20 Research collaborates on and authors, shows a change in the respondents. This survey was fielded over the past two months and has 697 respondents, 578 of them in roles managing GRC internally within their organization. The past several GRC Maturity Surveys had Compliance and Ethics as the primary role responding to the survey; this year (the past few months, to be specific) it is Risk Management roles that are the number one responder. Consider joining the webinar to learn more about the findings.

GRC 20/20 is seeing increased interest in enterprise and operational risk management technologies, but also increased interest in solutions for geo-political risk management, third party (vendor/supplier) risk management, IT/information security risk management, EH&S, and business continuity management.

What are your thoughts on 2017 and the outlook for GRC Related processes and systems? I look forward to hearing your thoughts.

Mistakes & Challenges in Risk Management Technologies and Strategies

Risk management is pervasive throughout organizations. Many departments manage risk with a variety of approaches, models, needs, and views into risk. This makes enterprise and operational risk management a challenge. Organizations often fail in enterprise risk management strategies when they force everyone into one flat view of risk; they also fail when they allow different views of risk but do not consider risk normalization and aggregation as they roll risk up into enterprise reporting.

Organizations have adopted a wide range of technologies for risk management. There are several hundred solutions in the risk management market (a segment of the GRC market). Some are broad enterprise or operational risk platforms. Some solutions are very narrow and limiting, so that different departments lose capabilities they need, while other solutions are very broad and adaptable. There are a variety of very focused risk solutions that excel at specific areas of risk management. These include:

  • Solutions focused on specific risks. These are solutions designed to manage and assess risk deeply in a very specific risk area, such as commodity risk, foreign exchange risk, privacy risk, model risk, and dozens of other risk areas.
  • Solutions focused on department/function risk management needs. These are solutions aimed at managing risks within a common department/functional area, providing a common platform that specializes in risk within that area, such as information security, health & safety, corporate compliance, audit, finance, treasury, and more.
  • Solutions aimed at project risk management. These are solutions that help the organization manage risk in projects.
  • Solutions aimed at finance/treasury risk management. These are solutions aimed at managing an array of financial and treasury risks such as capital, market, liquidity, and credit risks.
  • Solutions aimed at operational risk management. These are solutions aimed at managing operational risks across departments to provide an integrated view of risk across business operations.
  • Solutions aimed at enterprise risk management. These are solutions that take an integrated view of strategic, finance/treasury, and operational risks (legal and compliance risk being part of operational risk). However, many solutions that advertise themselves as enterprise risk management are really only doing operational or department risk management.
  • Tools for risk management. Then there is a range of solutions that assist in risk management but do not fit in one of the other areas. They are tools to do surveys/questionnaires/assessments, or they assist in modeling risk, such as Monte Carlo tools or Bayesian modeling.

The challenge is that there is no one-stop solution for all of an organization’s risk management needs. There is no solution provider out there that addresses every area and need of risk management across the organization. In addressing this, many organizations look to risk management/GRC platforms to provide the range of capabilities they are looking for. This is done particularly when they have enterprise or operational risk management strategies to provide an integrated view of risk across the organization. HOWEVER, organizations are frequently failing in these implementations as they encounter the following issues in risk management:

  • Failing to provide both top-down and bottom-up risk perspectives. This is a controversial topic in the risk community, and one that I am sure I will get hammered on by opponents on either side. There are those who see that risk is all about strategy and objectives and that you should do a top-down analysis of risk that starts with strategy and objectives. On the other side are approaches that see risk management as bottom-up, identifying risk at the lowest level of operations, transactions, and processes and rolling it up. My perspective is that both are needed. Risk management has to be in the context of strategy and objectives, but so often something unseen down in the weeds of processes can rear its ugly head and devastate the organization. This may often have been missed in a pure top-down strategy.
  • No multi-dimensional mapping of risk relationships and impacts. A single risk can impact the organization in different ways and have exponential impact when considered in the context of other risks managed in other areas, but no one sees the range of related risks. Organizations fail to map risks into different hierarchies of relationships and to show a multi-dimensional view of risk, impact, and relationships as a risk intersects with other risk categories not in the same risk hierarchy (see my post The Titanic: an Analogy of Enterprise Risk).
  • Forcing everyone into a one-size-fits-all risk analysis methodology. Organizations too often select risk solutions for enterprise or operational risk management that require a one-size-fits-all approach to risk analysis, which ends up watering down risk assessments to the lowest common denominator. Well-established approaches for managing risk in areas of the organization get pushed aside, and the particular specialized views and details are lost, leading to greater exposure. Where health & safety may have been using bow-tie risk analysis, they are now forced to use heat maps and stoplight diagrams. The organization loses depth in risk management by selecting solutions that do not have the breadth of capabilities the organization needs.
  • Lack of risk normalization and aggregation. Organizations attempt enterprise or operational risk management by utilizing solutions that lock them into a single flat view of risk scoring and appetite, which creates issues when identifying and managing localized operational threats and opportunities, as everything is scaled to an enterprise view. What happens when IT security’s high risk is actually lower than finance’s low risk? Either different departments have to measure all their risks in a single context that fits the entire organization, and they lose a department-level perspective that is of value, or they measure everything at a department, function, process, or project level and fail in enterprise risk reporting as they compare apples and oranges. Very few solutions on the market offer a capability to do risk normalization and aggregation. For effective risk normalization and aggregation, risks must be assessed both qualitatively and quantitatively with standardized methodologies that allow for a view of risk at an enterprise level as well as at lower, localized levels.
  • Overreliance on heat maps. I have written about my frustration with heat maps for the past 13 years. They provide a false view of risk. The standard two dimensions are likelihood and impact, with the upper right perceived as the greatest risk: high likelihood and high impact. This is false. What organization is having billion-dollar loss events on a regular basis? They are out of business. The greatest risk exposure is often the low-likelihood, high-impact events that heat maps fail to call out properly.
  • Lack of supportive risk data. Too often I see very subjective responses to risk assessments. When asked to measure risk in the dimensions of likelihood and impact (there are more, but we will stick to these as they are most often seen), it is often complete guesswork. The organization fails to provide a history of risk events that have materialized into an event with loss to the organization. When assessing and modeling risk, organizations need a history to mine to see how a risk has materialized in the past within their organization and with peers, to be able to objectively score the dimensions of likelihood and impact.
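The two points above on normalization/aggregation and on heat maps can be made concrete in code. The following is an added example written for this page; it is not the author's or GRC 20/20's method and not a description of any product. It assumes each department keeps its own qualitative likelihood/impact scale but publishes monetary anchors for each label (events per year, loss per event); those anchors, the department names and the risks are all constructed for illustration. Translating to a common unit (annualized expected loss) lets an IT security "high/high" be compared with a finance "low/low", and shows how a heat-map cell can rank risks in the opposite order from expected loss.

```python
"""
Added example (not part of the original post): normalizing department-level
risk scores to a common monetary scale for enterprise aggregation, and
contrasting heat-map cells with annualized expected loss. Every scale,
anchor and risk here is a constructed illustration.
"""
from dataclasses import dataclass

# Each department keeps its own qualitative scale (constructed anchors).
#   likelihood anchors: label -> expected events per year
#   impact anchors:     label -> loss per event in USD
DEPARTMENT_SCALES = {
    "it_security": {
        "likelihood": {"low": 0.2, "medium": 1.0, "high": 4.0},
        "impact": {"low": 10_000, "medium": 50_000, "high": 250_000},
    },
    "finance": {
        "likelihood": {"low": 0.1, "medium": 0.5, "high": 2.0},
        "impact": {"low": 15_000_000, "medium": 60_000_000, "high": 300_000_000},
    },
}

LABEL_ORDER = ("low", "medium", "high")


@dataclass(frozen=True)
class Risk:
    department: str
    name: str
    likelihood: str   # label on the department's own scale
    impact: str       # label on the department's own scale


def normalize(risk: Risk):
    """Translate a department-local (likelihood, impact) pair into
    enterprise units: (events per year, USD per event)."""
    scale = DEPARTMENT_SCALES[risk.department]
    return scale["likelihood"][risk.likelihood], scale["impact"][risk.impact]


def annualized_expected_loss(risk: Risk) -> float:
    """Frequency x loss per event, in USD per year (the common unit)."""
    freq, loss = normalize(risk)
    return freq * loss


def heat_map_cell(risk: Risk) -> int:
    """Ordinal heat-map score (likelihood rank x impact rank, 1..9). This is
    what a flat heat map displays; it carries no monetary meaning."""
    return (LABEL_ORDER.index(risk.likelihood) + 1) * (LABEL_ORDER.index(risk.impact) + 1)


def aggregate_by_department(risks):
    """Roll normalized exposure up per department (USD per year)."""
    totals = {}
    for r in risks:
        totals[r.department] = totals.get(r.department, 0.0) + annualized_expected_loss(r)
    return totals


def rank_enterprise(risks):
    """Enterprise ranking on the common unit, largest exposure first."""
    return sorted(risks, key=annualized_expected_loss, reverse=True)


def misranked_pairs(risks):
    """Pairs (a, b) where the heat map places a above b (higher cell) but
    normalized expected loss says b is the larger exposure."""
    pairs = []
    for a in risks:
        for b in risks:
            if (heat_map_cell(a) > heat_map_cell(b)
                    and annualized_expected_loss(a) < annualized_expected_loss(b)):
                pairs.append((a.name, b.name))
    return pairs


# Constructed sample register: two IT security risks, two finance risks.
SAMPLE_RISKS = [
    Risk("it_security", "Phishing-driven credential theft", "high", "high"),
    Risk("it_security", "Unpatched internal web app", "medium", "medium"),
    Risk("finance", "FX exposure on EUR receivables", "low", "low"),
    Risk("finance", "Counterparty default on major credit line", "low", "high"),
]

if __name__ == "__main__":
    for r in rank_enterprise(SAMPLE_RISKS):
        print(f"{r.department:12} {r.name:45} cell={heat_map_cell(r)} "
              f"ALE=${annualized_expected_loss(r):,.0f}")
    print("department totals:", aggregate_by_department(SAMPLE_RISKS))
    print("heat map disagrees with expected loss for:", misranked_pairs(SAMPLE_RISKS))
```

With these constructed anchors, IT security's high/high risk (heat-map cell 9) normalizes to $1.0M per year, while finance's low/low risk (cell 1) normalizes to $1.5M, and the low-likelihood/high-impact counterparty default (cell 3) dwarfs both at $30M. The department-local labels stay intact for each department's own reporting; only the roll-up uses the common unit.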

Many of these failures in enterprise and operational risk management are the result of organizations selecting GRC and risk platforms that are inadequate for the job. They rely on Gartner and Forrester reports that have a bias toward IT risk management and that score and rank risk management solutions in a way that makes no sense. Gartner often only wants to see a half-hour video demo and sends web surveys to client references. Yet organizations of all sizes are basing their enterprise and operational risk management platform purchases on analyst reports that lack depth (Forrester Waves are very broad in scope) or lack published criteria (Gartner Magic Quadrants are what they say they are: magic, as the criteria and results are a complete mystery).

Organizations need to start thinking about risk management architecture. Organizations are often best served by taking a federated approach to risk management that allows different departments some level of autonomy and supports their department-level risk management strategies, but also enables a common information and technology architecture to support overall enterprise and operational risk management activities and reporting.

There is no one-stop risk management solution that does everything risk management for the entire organization. The question is which solution can provide the best core for enterprise and operational risk management, with the right range of risk mapping, modeling, and analytic capabilities for the majority of the organization, while also being able to integrate with best-of-breed risk solutions that offer specific functionality in areas where needed.

Whether for a department risk management need, or to manage enterprise and operational risk across the organization, risk management solutions are in demand. Recent RFP and inquiry trends that GRC 20/20 is involved with show a growing demand for integrated cross-department risk management solutions. There are several hundred solutions available in risk management with varying capabilities and approaches. Organizations need to clearly understand the breadth and depth of their requirements, map these to risk solution capabilities, and understand that there is no one-size-fits-all solution for risk management no matter what solution providers may say. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that are the perfect fit for your organization.

Organizations looking for risk management solutions and intelligence can get objective insight through:

GRC 20/20’s next Research Briefing is on How to Purchase Risk Management Solutions & Platforms. Organizations looking for risk solutions should attend to help them scope their requirements and approach the market.

AGENDA . . .

  1. Defining & Understanding Risk Management
    • Definition, Drivers, Trends & Best Practices
  2. Critical Capabilities of a Risk Management Platform
    • What Differentiates Basic, Common, & Advanced Solutions
  3. Considerations in Selection of a Risk Management Platform
    • Decision Framework & Considerations to Keep in Mind
  4. Building a Business Case for Risk Management
    • Trajectory of Value in Effectiveness, Efficiency & Agility

The GRC Pundit will help organizations . . .

  • Define and scope the risk management market
  • Understand risk management drivers, trends, and best practices
  • Relate the components of what makes a risk management platform
  • Identify core features/functionality of basic, common, and advanced risk management platforms
  • Map critical capabilities needed in a risk management platform
  • Predict future directions and capabilities for risk management
  • Scope how to purchase risk management platforms in a decision-tree framework
  • Discern considerations to keep in mind as you evaluate risk management solutions
