How to Implement a Better Process When Dealing with Risk Management
People, process, and technology are three key elements when it comes to implementing risk management in any company. The challenge is how to implement these elements in a way that helps your company take an integrated approach to the process. In this article, Adam Billings, Principal Consultant at Lockpath, will outline the challenges companies face when it comes to applying risk management technology. He will address how companies need to take a top-down approach when figuring out how to apply the right risk management technology. This involves figuring out what the issues are with your team in order to help solve your problems and get your software/platform implemented the right way. In addition, it is crucial to acknowledge the importance of involving people at all levels in the process and understanding the interdependencies when it comes to executing a new risk management technology. Ultimately, the end goal is a manageable system that the team and C-level can manage and understand, with holistic visibility that works for all those involved.
If you’re in the compliance and risk management space, you can probably guess the three key pieces required to optimize risk management initiatives. People, process, and technology — the trifecta of digital transformation. However, creating cohesion between all three is often challenging.
Most companies have reached a point where spreadsheets and emails are insufficient tools for the complex and multi-layered activities involved in risk management. This gap introduced a need for better solutions and led to the boom of governance, risk management and compliance (GRC) platforms and enterprise risk management (ERM) systems, along with other similar technologies. It’s time to leverage those solutions to streamline processes, automate tasks, and keep people accountable.
However, technology includes its own set of challenges. It won’t solve all your problems with the click of a button. But if you have a destination in mind and a roadmap in hand, it will make the journey that much faster and easier. If you don’t understand your own processes or don’t have an outline of what you need to accomplish, software will be of little help.
What gets in the way?
When choosing governance, risk management and compliance (GRC) technology, I recommend clients begin by focusing on process improvement. What are your current processes? What are your workflows? What pain points and bottlenecks need to be resolved? Answering these questions through deliberate evaluation and collaboration makes it easier to determine if a software platform — and what components, modules, or applications of that platform — will help solve specific problems, address critical risks, and streamline current and future processes.
People get so focused on the day-to-day that they struggle to see the big picture and how it’s going to affect the other teams and departments around them. Leadership should get cross-functional teams working together to identify issues, set priorities, and address process and risk management problems from a broader point of view; one that accounts for business, compliance, and security objectives.
Taking a top-down approach
As a principal consultant, I’m often asked what I recommend companies look at first to improve risk management. The first thing I ask is if they’ve implemented an enterprise risk management process. Is it a top-down or bottom-up approach? Top-down meaning, does your executive team identify critical goals and objectives for your company every year and evaluate risks by those goals? If this isn’t the approach, chances are those goals and priorities are defined by each business unit, or bottom-up, which is how it works in most companies. Each segment in the business has its own spreadsheets delineating individual problems to address.
I keep clients focused on the big idea: how to look at these siloed issues together. The first step is to identify the key teams or players who are tracking risks. Then you can begin to pinpoint interdependencies or relationships in the work that they do. Ultimately, you are driving toward creating synergies and efficiencies. For instance, if multiple departments are tracking the same issues but each handles the data a bit differently, a centralized repository for sharing information keeps everyone on the same page, reduces duplicated efforts, and encourages collaboration.
This shift requires a champion, someone who will lead the charge in adopting better tools, advocate for the collaborative approach, and push reluctant teams to get with the program and really incorporate the tools. The champion also needs to listen to key players and study the big picture to gain a clear understanding of interdependencies — where do problems intersect? What are potential cascading effects? Where are the gaps and overlaps? In my experience, the most successful implementations begin with C-level champions who include process owners in the discussions. Those are the people I want to talk to first when a CISO calls to ask about technology solutions.
Cultivate visibility
Often, multiple departments are running into the same problems — one knows how to solve the problem, while the other keeps spinning its wheels because it is not aware of the solution or how to implement it. In companies where I see this dynamic, I try to convince stakeholders to open the lines of communication and air the dirty laundry. Developing higher levels of visibility across departments improves process, fosters accountability, and creates space for innovative problem-solving. Leadership is an important catalyst when shifting from siloed spreadsheets to centralized enterprise systems. While risk management technology alone cannot create this collaborative dynamic, it can certainly support it.
Risk management becomes easier and more effective when enterprise visibility is prioritized and systematized in a single platform. Consultants, risk and compliance leaders, security heads, and executives can be more efficient, accurate, and productive when they are working with harmonized, shared data. Executives and decision makers can access comprehensive reports with one click — a vast improvement over sorting through PowerPoint presentations from five different departments, each of which employs a different risk taxonomy. Most executives simply don’t have time for this, so any insights or calls to action are lost in the shuffle. In the digital era, meaningful data drives meaningful change.
All eyes on the prize
One of the primary goals of an enterprise risk management program, after all, is to provide a seamless picture of the company’s risk posture to the executive team. Without the technology platform to unify and organize the necessary activities and data components, providing such reports is a major pain point. And without high-quality reports, vulnerabilities and costly inefficiencies may go undetected or unresolved. If you can’t see the big picture, you won’t figure out what’s getting in the way of achieving business objectives or what must change to clear the way. For instance, I often see companies with multiple locations waste resources testing variations of the same control (e.g., SOX) hundreds of times a year, when they should only need to test it two or three times. They’re managing all of it with siloed spreadsheets, and no one wants to delete anything, so the disharmonized data ends up feeding a circular mess. A GRC platform can manage controls like SOX at a higher level, but optimization only happens when all the relevant regulated processes and teams are included.
Many companies buy a GRC platform or risk management solution without fully understanding its purpose or capabilities. Education and evaluation are critical — stakeholders should first come to a mutual understanding of how governance, risk, and compliance activities are carried out in their organization and what isn’t working. This lays the foundation for implementing an enterprise-wide platform that executives and process owners can manage, that benefits all involved, and that provides holistic visibility across business functions.