And How an Automated Solution Can Help You Overcome Them
In 2017, it’s time for many organizations to stop viewing risk management in silos and begin implementing a comprehensive enterprise risk management (ERM) program. Adoption is slow, however, due to some common challenges, especially when it comes to finding a consistent method of defining, assessing and reporting risk. A good automated ERM solution can help lessen the burden.
With 2017 in full swing, companies are finally beginning to abandon the historical practice of approaching risk management in silos. Many are beginning the migration to a more integrated and consolidated enterprise-wide approach. The justification for this movement is clear: each area of risk management generates information that supplies insight to the other areas, and they have a collective impact on the technology, processes and people of an organization. Tackled individually, the requirements become unmanageable. But when carried out on a common platform, a company gains valuable perspective — the viewpoints of the board of directors and executive management become one and the same.
Despite the inefficiency of the siloed approach, many organizations have been slow to adopt a comprehensive enterprise risk management (ERM) program because of the challenges they face in doing so. When enterprise risk management is carried out manually or even with software that isn’t efficient, the current workload consumes vast resources and time and energy. Often, because of this, a transition to an automated system is resisted by management because it is viewed as being more difficult than simply keeping up with the current workload. Companies must change how they view the potential of their ERM and GRC systems.
Here are three of the most common challenges for chief risk officers and ERM teams, along with explanations for how an automated software solution can help your team overcome them:
#1: Defining Risk Consistently
What your vendor management department considers a risk might be different from what your IT department does. A consistent definition of risk is imperative to your ERM program’s success. A good automated ERM solution will provide you with a pre-built framework for your enterprise risk, including consistent definitions and terminology, along with a laws and regulations library to show auditors and examiners that your definition of risk is supported by the regulatory guidance. Once you’ve established a consistent definition of risk, you’re ready to assess it.
#2: Assessing Risk Consistently
How does an organization establish a consistent and repeatable process for assessing risk across all of its departments and business processes? Traditionally, this task would be carried out in a variety of ways by each area individually, making it difficult to track, report and follow up on. With a good automated ERM solution, your team will be equipped with pre-built risk assessment templates for every kind of risk — whether it’s inherent, likelihood, control effectiveness or residual risk — that can be used across every department. This dramatically simplifies the assessment process and enables a more productive workflow with consistent enterprise reporting.
#3: Reporting Risk Across the Enterprise
So now we know that an automated ERM system can help us define and assess our enterprise risk, but it’s not enough to simply manage it. Organizations need to be able to visualize and report that risk to management, the board of directors, regulators and auditors. What information should be shared with whom? And how should it be communicated? Done manually, it can be extremely time consuming for an ERM team to replicate different aspects of a report for different audiences, using different mediums. However, a good automated ERM solution will be able to provide you with powerful enterprise-, department-, business process-, risk level- and audit-based reporting with visual scorecards so you don’t have to worry about giving incomplete — or too much — information to any of your audiences. Roll-up reporting is easy. It will also allow integration to your reporting requirements with exports to Excel, Word or PDF file in just a few clicks, saving you time that can be allocated to growing other areas of your organization.
Continuing to use old methods and approaching your enterprise risk in silos as your organization grows just because you don’t want to go through the growing pains of transitioning to a new ERM system is like sitting tight and watching the water pour over the gunwales of a sinking ship instead of swimming to the tropical island 50 yards ahead. There is no glory in going down with the ship.
What’s our advice? Get out of the boat. Find an automated ERM solution that combines sophistication with simplicity to help you accomplish more. And while they’re not one-size-fits all and it’s important to choose the right solution for your organization, making sure your potential solution checks the boxes above is a good start to your search.
Grant Karnes co-founded CMPG consulting solutions in 1998 and serves as the CEO of CMPG, LLC and its VendorInsight®, BCPInsight™ and Procipient® GRC businesses, which lead the industry in risk management solutions. Mr. Karnes has extensive background in organizational development and change management consulting and has led numerous process improvement initiatives within the banking industry. He also oversees CMPG’s alliance and business development initiatives, strategic growth and software development, in addition to being the practice lead for traditional management consulting engagements in areas ranging from process improvement to profitability improvement, strategic sourcing, vendor management, risk management and organizational development. Mr. Karnes has spoken at various banking conferences and forums including the BAI Retail Delivery Conference and various industry supplier conferences. 
