It can be said with great confidence that all enterprises are aware of the increasing risk environment, both internal and external, in which they operate today, as a recent survey of some 735 global board members from the North Carolina Enterprise Risk Management has confirmed.
Most enterprise risk and GRC specialists would also agree that the way ahead is a less siloed approach to risk management and the adoption of integrated risk management at an enterprise level. However, despite the obvious need, organisations seem unable to achieve enterprise-wide outcomes, and perhaps for good reason.
Enterprise-wide initiatives often take on a life of their own and lose sight of the objectives and the need for rapid change. What is required are agile, expert, flexible solutions that can adapt and scale to any situation.
So, in 2017 we see some common trends emerging to meet these needs:
- A move towards integrating risk management into different business processes — rather than integrating enterprise-wide risk management processes
Although dedicated risk management processes can give management valuable insight into risk, engagement among the business units themselves can be lower with this approach, leading to less effective outcomes. Operating risk management processes that are independent of an organisation's business processes will often result in management underplaying both inherent and residual risk positions.
Risk management systems and processes should be as simple and low impact as possible to enable individuals to intelligently consider and respond to risks in their area of responsibility, optimising risk management as an integrated component of each different business process.
Smart design and the right tools will enable this more localised and “owned” approach to yield a consistent management dashboard where necessary. Gathering risk indicators from the day-to-day operation of business processes also results in a more accurate understanding of the true risk position.
- Full utilisation of the increasingly sophisticated software tools
Many organisations are still not unlocking the full value of their investment in GRC software. We see an increasing trend of enterprises seeking greater value from what they already have.
Although there may be many organisational challenges to overcome in order to make risk management more effective, the software tools to support these changes are often already part of an organisation's existing investment. This presents an opportunity for smart and agile acceleration of capability.
Extracting the value from these tools often requires specialist knowledge over and above that available internally, but it remains a cost-effective way of evolving and enhancing protection in an environment of increasing risk.
- Using monitoring as a control
The traditional approach to controls has typically been to design processes meant to minimise risks (segregation of duties, reviews and approvals) and embed these controls in the ERP system. However, controls are never perfect, and breakdowns and workarounds occur.
Instead of exclusively using data analysis to monitor transactions and determine whether controls are working, analytics will increasingly be used as the means of control. Immediate analysis of the data relating to each transaction will provide far more timely notification of risks and problems, and will be used to stop high-risk activities from moving forward. Increasingly sophisticated monitoring capabilities mean that detective controls, once considered weak, can now detect issues in 'real-time', allowing the appropriate preventative action to be taken before any consequences occur.
2017 is simply another year in a rapidly changing world; however, the winners will be the enterprises that act by responding to the obvious strategic drivers with smart, agile and expert solutions.