Manage Tomorrow's Surprises Today

Steven Minsky

How Risk Management Technology Projects Succeed


CMS Wire's Norman Marks' recent article, "Why Risk Management Technology Projects Fail," captures a common but limited viewpoint of Risk Management, one that limits its ability to succeed in any environment, whether supported by software, spreadsheets, or pen & paper.

"To be successful, a risk program has to be designed to enable managers to make intelligent, risk-informed decisions every day. The requirements have to include the perspectives of both the risk officer and of management... You need to enable managers to see both performance and risk status for each of their objectives and strategies."

A risk based program can only be successful if it applies the iterative ERM Process Steps (Identify, Assess, Evaluate, Mitigate, Monitor) to not just risk, but also performance, compliance, and every other governance function throughout the organization.

Risk Based Compliance

Risk based compliance has been interpreted many ways - with very few adding value to the compliance professionals. But if we examine Compliance in the framework of the ERM Process, it looks something like this.

Identify requirements (legal, regulatory, internal, etc.). Assess the applicability of each requirement (typically Yes, No, or Not Applicable). Evaluate whether further action is necessary. Mitigate with policies & procedures (how you meet the requirement). And finally, Monitor through audit's testing of controls and your adherence to internal policies.

Risk Based Performance

The process works equally well for performance. Objectives and goals are identified and assessed based on their positive impacts if achieved, the likelihood of achievement, and their general timeframes. They can then be supported with activities and projects (in effect, mitigating the chance that they are not realized), and monitored with performance metrics and KRIs.

The same exercise can be conducted with governance processes, but why does it help to apply the ERM process to all Governance, Risk, and Compliance (GRC), functions?

Value of Risk-Based Process

By standardizing governance with a risk based process, you enable the re-use of information and the relationship building that creates efficiencies throughout an enterprise. Controls used to mitigate risk might also be the same controls ensuring your organization stays compliant. Regulatory requirements have risks that should be associated with them. Metrics and testing that indicate the effectiveness of your control environment can also be used to drive audit scoping and resource allocation.

The possibilities with a Risk-Based approach are numerous, but cannot be realized without the support of an ERM Taxonomy and Risk Management Software. The reason Risk Management Technology projects fail is that they take a silo-specific view of risk management, rather than viewing risk as the common link between performance, compliance, and enterprise governance.

Read our eBook on How to Integrate Governance with Risk.

1 Comment


Risk assessment is a factor required by any business that hopes to become (or even remain) large-scale in their operations and ambitions. Thanks for the breakdown.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
