27 July 2016

How to change the cost ownership of your business risk management



Who owns your risk management function?

For many companies this seemingly simple question is difficult to answer. For those lucky enough to have an enterprise risk management function, the answer would seem obvious, but for others this is a key challenge. Once the question of corporate governance is clarified, there is still the issue of operational delivery ownership. In many companies, the overall delivery of risk management is scattered across the entity.

Corporate and strategic risks may be centralised within the senior management and executives of the company, but tactical and operational risks may be delegated into the different business units where specific expertise of that particular product or service is required. Access Risk is often deemed to be a problem for the IT team, but should normally be owned by the business units.

With risk information being captured in different ways depending upon the different risks or teams managing them, there is a requirement for a risk repository and the associated data management and reporting processes alongside it. So who pays for that? In my experience, although the ownership may be a risk management team, the operational costs are still borne by IT and support teams.

Regardless, there is likely to be a capital expenditure cost of implementation to be factored into the cost model for this. While risk management is an important point on the corporate governance agenda, a proposal for it would have to work hard to stand up before an investment board against conflicting front-office proposals. Endorsement of the risk management solution would need to be advocated from all sides to gain approval, making it a far harder decision to influence.

As well as this, there are the operational risk management process activities to be considered, including impact validation, assessments, reporting and response management, all of which take significant amounts of time and effort to realise.

With more solutions being made available as a cloud or managed service, there is a significant opportunity to change the way in which software is deployed. Rather than having to fight for capital investment, there are more opportunities to use operational budgets for technology solutions. This could significantly transform the business cost ownership of risk. If risk management teams were able to invest in a solution as a service through their own operational budgets, they may be able to avoid the costly capital investment processes and implementation efforts as well as simplifying the ownership model.

For those companies that do not have central risk teams or where there is no central sponsorship for a central risk management solution, operational budgets become an increasingly appropriate mechanism. Business teams can use their op-ex budgets to take control of key risk management activities, therefore applying the ownership of risk to the business units which require it.