This post first appeared on Risk Management Magazine.
Risk can span multiple areas within the business environment, and a single risk factor can have numerous cross-organizational touch points. Vastly different business units such as information security, vendor management, compliance, business continuity, physical security and human resources are all critical aspects of an overall risk and compliance strategy. Yet these separate areas within an organization have traditionally led to a silo-based and inefficient approach to risk management, especially with regard to the manual effort involved in measuring, managing and monitoring processes and controls. Since the required information is often widely dispersed, individuals can spend a great deal of time on routine data-collection activities, often compiling information from spreadsheets, shared drives and other disparate systems. Such an inefficient and disjointed process rapidly becomes very costly, especially when specialized and highly compensated resources are manually compiling information. Many financial institutions become reluctant to implement such time-consuming processes; however, this reluctance inherently increases their overall risk.
As organizations search for and evaluate various governance, risk and compliance (GRC) solutions, they quickly realize that most of the current systems are built to be industry agnostic, thus providing only about 60% of what is needed “out-of-the box.” As a result, organizations need to undertake custom configurations. Many GRC system implementations fail because organizations typically align with implementation partners who are experts in the specific technology but who do not understand or have the experience with the particular industry or business. Alternatively, some organizations might attempt GRC system implementations internally, but they soon realize that their staffs do not have the necessary technological expertise or do not understand how to integrate suitable risk and compliance practices or the GRC technology successfully.
Adding to this problematic situation, many organizations typically tend to rely on end-user computing in order to manage risk and compliance activities. This inefficient approach is largely segmented and manual in nature. It can lead organizations to lack necessary visibility into their overall risks, to be unable to manage third-party relationships, and to experience difficulty measuring controls and risk-adjusted performance. Additionally, such an approach requires highly skilled—and highly paid—risk and compliance professionals to spend more time gathering data, creating reports or performing administrative duties rather than analyzing information to drive action and provide strategic insight to business leaders.
The Value of Industry-Specific Integrated Risk Management
When identifying a potential risk and compliance technology solution, an organization can run into several challenges, including how to balance a changing regulatory landscape while maintaining business as usual and, perhaps most importantly, while continuing to meet performance and profitability expectations. Implementing IT solutions to meet regulatory needs, demonstrate governance and compliance, and gain operational efficiencies can be an overwhelming task, especially with limited resources and expertise available to take on such projects. Choosing and implementing the appropriate technology solution in a phased manner can enable the organization to align limited resources within the business in order to address priority compliance and business objectives. By phasing in the solution, the organization can effectively design or implement enterprise-wide integration and properly plan for the project, ultimately creating the path for successful implementation.
An ideal solution integrates industry best practice risk and compliance processes across the various silos within the organization into the GRC technology in a more efficient and effective manner, thus enabling a much greater return on investment. By following this approach to use an industry-specific, integrated risk management and compliance technology solution, the organization can realize multiple benefits including:
- Significant reduction in implementation costs
- Faster and more efficient implementation
- Elimination of redundant or duplicative activities
- Positive impact on operations
- Improved information quality
- Sustainability driven by process subject matter expertise
Yet, the selection of an underlying platform is only the beginning of the effort. Embarking on the journey to an integrated risk management and compliance technology solution, whether by implementing a new solution or enhancing an existing solution, can be a complex activity. Careful and accurate planning of tasks, resources, time, and post “go-live” management and governance is required to secure a successful implementation and ongoing success. Once an organization determines that it is ready, recommended best-practice next steps include the following:
- Identify the risk and compliance processes that a common platform can support.
- Determine whether internal resources, including technical resources, process subject matter experts, and other stakeholders, have the bandwidth and knowledge to assist with the project.
- Examine how risk and compliance processes interact with each other, which can help determine whether the organization is looking for a single solution or a hub and spoke solution set.
- After selecting a solution, define the business hierarchy in which identified risk and compliance processes can align to make sure the business views all processes in the same manner.
- Establish common taxonomies for products and services, business processes, risks, and controls.
- Create a phased implementation road map that enables intermediate success milestones to help establish buy-in across the organization.
- Establish a platform governance structure to assist with ongoing prioritization and changes to common or shared elements, including the taxonomies.
- Work with internal corporate communications teams to establish a communication strategy to help inform and energize stakeholders and end users of the system.
An organization can overcome challenges typically encountered during implementation by choosing a robust and quality integrated risk management and compliance platform that drives sustainability through high user adoption. In addition, it should boast features such as easy-to-follow navigation functionality; automated workflows configurable to accommodate each organization’s processes; exportable reporting and analytics; a dynamic user interface with activity-driven focus to facilitate the completion of required tasks; and comprehensive communication plans designed to accelerate task completion. Ideally, an organization should look for a solution that includes built-in product, service, process, risk, control and root-cause taxonomies designed to meet the unique needs of both the industry and the specific organization. By implementing such a platform, organizations can experience:
- Improved visibility. The platform helps organizations integrate and manage data, enabling a central view of risk and compliance.
- Reduced complexity. Automation handles administrative and technology complexity so risk and compliance professionals can focus on analysis and management.
- Promotion of collaboration and sustainability. Individuals throughout an organization can see how information is being collected, stored, and disseminated, which promotes collaboration to improve efficiency and speed.
- Reduced costs. The solution can eliminate duplicative activities and drive down time spent on routine administration, data gathering, classification, and reporting.
- Improved response time. The solution can enable efficient risk response activity.
An integrated risk management and compliance technology solution can effectively align with an organization’s specific level of complexity, business opportunities and regulatory requirements. Such a solution can help an organization navigate changing and emerging market conditions, increase innovation through business insight, and offer valuable time reduction through the automation of typically tedious processes. By using built-in taxonomies and centralized views of risk and compliance activities, an organization can experience shortened time to actionable insight, which leads to more informed decision-making for the business. Ultimately, these benefits can lead to sustainability of the investments made in improving risk and compliance management programs, which in turn can directly and positively affect the overall return on investment.