Many promising enterprise risk management (ERM) programs are launched as a disciplined process for an organization to understand and address critical exposures. However, they often become difficult to maintain beyond the initial phases as key team members need to focus attention on their primary job responsibilities.
The right technology can help sustain ERM initiatives by automating much of the data-gathering and reporting aspects that are critical for ongoing decision-making. Nonetheless, technology-based solutions can only be as effective as an organization’s internal culture and established ERM processes.
The following are some key considerations for organizations involved in various stages of their ERM initiatives to get the best results from risk management technology:
Risk Management Framework
Organizations typically have different expectations for their ERM initiatives based on their level of risk maturity, industry sector, internal and external resources, business model, organizational complexity, and other factors. For instance, those in the early stages of risk maturity may be looking initially to capture and analyze data on their most significant exposures to establish baselines, set priorities for treating risks, and monitor progress.
Meanwhile, organizations with more advanced risk maturity may want to leverage ERM to support strategic decision-making and meet specific internal and external reporting requirements.
Less-mature risk functions may simply need the basic capabilities of risk systems or be able to accomplish many data gathering, reporting and analytical tasks manually; however, advanced programs typically will call for more sophisticated applications for data capture/sharing, workflow management, analytics and multi-level reporting.
Today, although most risk information technology systems perform well in facilitating risk assessments and allowing users to input and retrieve data to address specific requirement, they differ in the versatility they offer to configure workflows based on the needs of individual business units or to facilitate reporting to accommodate both low- and high-maturity clients. As a result, organizations need to evaluate systems and technology vendors carefully to determine whether a provider’s functions and capabilities are aligned with their enterprise-wide risk management needs.
Those launching new ERM initiatives often start with specific goals and document an overall vision for ERM that aligns with the expectations and priorities of the board and senior leadership. The vision describes what they ultimately expect to achieve and how they plan to get there, including milestones and what it will take in terms of leadership commitment, internal and external resources.
This involves determining what will be needed with respect to engagement and participation by individuals at various business units, departments, and functions within the organization. By establishing guiding principles for the ERM initiative and mapping out a plan, risk managers will be in the best position for evaluating how technology can help their drive success both in the initial phase and subsequent expansion.
For instance, as an ERM initiative develops over time to encompass more business functions and units, diverse risks and an increasing number of participants throughout the organization, technology will have to be scalable to accommodate increasing volumes of data and offer the versatility to accomplish more complex analytical and reporting requirements.
In evaluating technology systems and vendors, consider not only how you see your ERM program today, but also how you see it evolving in the future. If you change some elements of your risk management methodology, can your technology solution readily support that transition?
Organizations typically use two different approaches for implementing risk management technology. Some select a risk technology system and vendor and build their ERM process around those capabilities, while others choose their technology after they have established a process.
In the former case, when selecting technology is the starting point, if risk management wants to make adjustments in its data capture, workflows, analytics and reporting processes at some point in the future, it can find itself boxed in by their technology and it may be difficult and costly to make the necessary changes. These situations typically surface later in the ERM lifecycle and often result in inefficiencies and significant costs to make adjustments to the system to accommodate the changes.
So, in selecting a technology vendor, it is often prudent to start with your process and try to project how it might evolve over time. Then, you can ask: “Is this a technology solution that works for us today, and will it also work for us three to five years from now? And how does the technology vendor demonstrate that?”
ERM Roll-Out Process
Risk managers launching or revitalizing an ERM process may begin by assessing their resources and then developing a process that will generate desired results, both in the initial phase and in later stages. For example, an incremental approach might be to conduct a limited initial roll-out to specific business units and expand it to encompass other functions or operations across the organization on a scheduled basis over time.
On the other hand, risk management departments with greater resources or established internal networks of managers with risk-related responsibilities may be in position to launch or reintroduce their ERM initiative on an organization-wide basis. It is worth pointing out, however, that even those organizations with extensive resources may face obstacles with a full-scale approach, which still must be conducted in a scheduled, prescribed manner with proof of concepts and a series of quick wins.
In any case, whether the ERM process is rolled out incrementally or full-scale, risk managers will have to collaborate with individual business units, functions and operations to identify individual contacts and delineate their responsibilities for gathering or reporting information from their respective areas.
Consider what efficiencies might be achieved by leveraging information already being captured and used for discrete purposes by individual units, as well as what workflows might be streamlined through automation. In some cases, there may be a need to import data from spreadsheets or discrete systems used by individual business operations into the enterprise system. Ultimately, any manual information gathering, reporting and analytical activities might be automated to streamline workflows and free up individuals throughout the organization to focus more on their primary roles.
The roll-out activities should include a focus on preparing individuals throughout the organization for change. Often overlooked and underestimated is helping people understand their roles in risk assessment and risk management and their value to their department or business unit, as well as to the entire organization. The deployment of centralized risk technology can help facilitate this by enabling individual business units to compare their risk analytics, progress and results to peer operations as well as to the overall organization.
In this context, the transparency of your data is key, along with the ability to slice and dice assessment results to provide ready access to critical data across various business units. This should also be able to accommodate dynamic reporting requirements that may change over time. Effective ERM and GRC programs typically require the ability to examine data from multiple angles, choose discrete data to analyze and report, as well as to determine frequency of reporting, the recipients and format. Thus, from the outset, it is important to identify vendors and systems that enable you to access data in multiple ways for use by management at various levels within the organizations. Otherwise, any efficiencies achieved in the data collection process may be lost to reporting issues.
A cornerstone of an effective and sustainable ERM initiative is for leadership to define an aggregated level of risk or volatility acceptable across the organization. That establishes a critical benchmark for assessing how effectively the organization’s current risk management program is helping to meet that objective and to determine where specific improvements in risk management assessment and remediation activities may be needed.
This is typically a dynamic process. Organizational risk appetites may evolve over time, depending on performance; changes in corporate structure, such as through a merger, acquisition, divestiture or reorganization; operating environment; economic and regulatory conditions, among other variables. Accordingly, risk management needs to maintain an ongoing dialogue with senior leadership and board members to recalibrate an organization’s risk appetite and tolerance over time, as well as to make corresponding adjustments to its ERM initiative.
At the same time, risk management activities of individual business units or operations need to be brought into alignment with organizational priorities, even as they may have relatively higher or lower risk tolerance levels, depending on their business activity, exposures, and their potential impact on the organization’s overall risk profile.
Risk managers at dynamic organizations whose priorities might need to be adjusted will need to make sure that any risk technology they choose to support their ERM initiatives give them the flexibility to make periodic or more frequent adjustments to address evolving needs and priorities.
In effect, the technology must be able to support dynamic assessments of an organization’s risk profile, including reconciling risk assessment data with the organization’s risk appetite. This allows leadership to compare their current risk profile against their objectives and determine whether they are over- or under-investing in their controls and risk mitigation plans relative to their risk appetite. They then can pivot quickly (or on period-over-period basis) to adjust their investment in controls or reevaluate their means for mitigating risk.
Various disciplines and functions within any organization often have different ways of defining and describing risk. Effective and sustainable ERM initiatives call for developing and implementing common language, terminology and measurements that will be readily understood by participants across all functions and disciplines across the organization.
This work should include implementing a standard risk taxonomy and scoring methodology, so data can be captured, analyzed, shared and acted upon as appropriate by participants in all areas of the organization. Getting this right—and having the technology in place to enable users in various functions to input and access the information and analytics they need on a timely basis—will enable the ERM program to interact seamlessly with other risk assurance functions and help drive value throughout the organization.
In practice, different governance functions within an organization view risk differently for different purposes. Thus, technology needs to be able to standardize the view for each of the governance purposes, but also must be flexible enough to allow for different methodologies across those governance functions.
For instance, an ERM group, internal audit and compliance group, each might rely on the risk register built to conduct risk assessments for their own centralized purposes. But they may view and rate those risks differently based on their individual requirements. So, if the technology does not allow for different governance groups to evaluate risk and report related data in different ways based on their needs, then the technology is not supporting them and it will not be used.
A sustainable ERM initiative will have continuous improvement built into its vision and DNA. Over time, effective ERM initiatives facilitate steady improvements in overall risk management practices and results. There also should be anticipated process improvements in the ERM initiative that come from finding better and faster ways to gather the right data, perform analytics and prepare and disseminate reports with findings tailored to specific audiences at all levels in the organization. Of course, those transitioning from spreadsheets and shared drives to various software tools will invariably see dramatic improvements in workflow and efficiency.
With ready access to vast amounts of data and analytics facilitated by their deployment of technology, risk managers will be better positioned to make critical decisions to scale or expand their ERM program to correspond with any adjustments to their organization’s risk appetite. At the same time, they can gauge how well their ERM program is aligned with their organization’s strategic objectives and make any necessary adjustments to keep them in sync.
Over time, risk leaders will need the versatility to adopt their ERM initiatives to the dynamic requirements of their organizations as well as to evolving frameworks, such as ISO and COSO. By having a sound vision for ERM backed by leadership, embraced by engaged participants throughout the organization and supported with technology-based systems that help drive results, risk managers will be able to deliver the value organizations need to navigate critical exposures and achieve their strategic objectives.