Businesses have practiced Enterprise Risk Management (ERM) since the dawn of civilization. The first businesses were small, so one person knew all their customers, suppliers and processes. They knew all the risks within their business and how those risks were connected to their business goals, which made it easy to manage both the upside and downside "impact of uncertainty on objectives".
However, as organizations grew in the industrial age, everyone became a specialist and groups of specialists were organized into departments. Risk began to be managed primarily within these departments, resulting in a compliance-type approach of simply enforcing standards or buying insurance to limit the downside. The software industry of the 1980s produced thousands of individual applications that each focused on one small piece of risk or compliance activity; as a result, organizations grew increasingly complex and business processes became disconnected from each other. For most, Enterprise Risk Management became ad hoc and disorganized. Very few had mature and aligned enterprise-wide risk management practices, meaning resources were allocated on "squeaky wheel" or "ghosts of Christmas past" principles rather than on the "bang for the buck" of business impact priorities against corporate goals.
Technology changes everything
In 2005, a new kind of software became possible: one that works across departments and business silos, discovers the relationships between them, and automatically reconnects people, processes, goals and the assets they use so that this complexity can be managed. Working much like social network platforms such as Facebook or LinkedIn, Enterprise Risk Management software connects the risk in every job description to the allocation of resources that control those risks, prioritized by their impact on the organization's business goals.
This was a huge threat to the thousands of incumbent traditional software providers already in use within businesses, and they reacted by adopting the term GRC Software without changing the core design of their products. GRC stands for Governance, Risk and Compliance but is really a disparate, disconnected and overlapping collection of 28 primary single functions (with numerous sub-categories). Sometimes these stand-alone applications are bolted together, but each component remains an isolated software module designed to do only one type of compliance, with risk as an afterthought or as yet another separate module that compounds the isolation problem. When you add up the different single-function software packages (estimated at over 400), you end up with a random collection of vendors from the past 25 years of incumbent, outdated technologies now renaming themselves under a banner of GRC software without agreeing on any standards. No apples-to-apples comparisons can be made across modules.
How does an organization make sense of all of this? How do you know what you are buying is the right platform and right vendor for your organization?
Enterprise Risk Management software is about using standards to bridge departmental silos, gain efficiencies and manage all risks from the mail room to the board room and everywhere in between, while linking them all to the business goals of the organization.
GRC Software is a dying platform
Industry analysts agree that labelling these products "GRC software" is a myopic Band-Aid approach to putting disparate things under one governance umbrella, and as a result GRC adoption is shrinking, whereas the ERM common platform, architected from the start to take advantage of the synergies and empower collaboration across business silos, is forecast to almost double in the next 2-3 years, from 14% to 25%. Boards, regulators and shareholders understand that with GRC you can't see the forest for the trees, and are requiring a holistic ERM analysis and reporting approach.
ERM software adoption is rapidly increasing because, just as Facebook and LinkedIn have quickly become ubiquitous social networks, ERM software provides a corporate network to help understand and manage the complexity of organizational relationships, as well as align everyone to common goals and reduce unnecessary redundancies and overlap between activities, so resources can be better applied, with more transparent decision making, to better manage risk and achieve performance.
To learn more about how straightforward building this corporate network is for your organization, and about the business case for streamlining governance with ERM, watch this 5 minute video.
Federal and state regulatory compliance requirements have grown exponentially and touch all operational areas. Compliance has become very complex and expensive, with extensive new regulations, multiple overlapping information sources, and operational impacts that are difficult to identify and track. Financial institutions typically manage compliance workflows manually, which is difficult across multiple branches, interstate operations and multiple lines of business. As a result, compliance and operational costs are high, compliance requirements and timelines are missed, exam and audit exceptions occur and liability risk increases.
A risk-based approach to compliance involves identifying the areas of high risk within your organization's compliance universe and building and prioritizing your compliance monitoring program around those risks. Compliance risk management focuses your organization, and your compliance resources, on the areas most likely to cause concern. This risk-based approach also repositions compliance from a function executed in a vacuum to one that provides real value and reaches into each part of the business, supported by relevant analysis, understanding, and documentation. A risk-based compliance monitoring program will help you identify, manage, monitor, and reduce the compliance risks key to your business, and make board and regulatory reporting easier to conduct and maintain with less work.
Below are the 3 steps you can take to implement compliance risk management at your organization:
- Prioritize activities: Identify the areas of high risk, consolidate compliance required risk assessments
Compliance-required risk assessments, using common evaluation criteria, provide a score that quantifies the vulnerability and business impact of non-compliance so that business activities can be prioritized. Knowing what is important makes it easier to know what to monitor, and at what frequency, to keep the board and regulators informed about risks that can lead to non-compliance in the enterprise. You can streamline the work involved in these risk assessments with a consolidated assessment framework, because regulations attempt to mitigate overlapping and redundant risks (e.g. fraud, consumer protection). To do this, create a common risk registry and map risks from this common registry to the applicable compliance requirements and policies, or use software that has already done this mapping exercise. With a consolidated risk assessment framework, all the separate, siloed and often redundant risk assessments required by compliance mandates can be covered in a single risk assessment. You can then reorganize and report the same assessment information by any regulation.
- Make regulatory alerts and updates actionable
Rather than circulating large volumes of highly technical and obtuse regulatory documents, work towards a clear executive summary that interprets the key action items and identifies what needs to be done, the deadlines for action, the impacted business areas, and those accountable in your organization, including whether board approval is needed for changes in policies. This makes it easier to link compliance to your organization's internal structure and roles and responsibilities, and promotes understanding of obligations among the key stakeholders. Because the risks related to regulations have already been assessed, when changes occur organizations can easily prioritize the activities that need resources the most.
Moreover, instead of leaving this critical information, such as key dates, forms, impacts, accountability, and procedures, buried within Word documents or emails, make it fields in ERM software so that it is searchable and connected to task activities with automated workflows, alerts, and updates that are tracked and reported on. This makes communication and interaction, along with monitoring and response, a streamlined exercise that reduces the burden of compliance on business areas.
- Business Impact: Connect regulations with policies, impacted business processes and related resources
Internal control procedures are related to internal policies, and by integrating regulatory changes with the internal policies they impact, it is immediately clear what areas of the business are impacted and what action needs to be taken. Workflow tasks can automatically be triggered to the right people in the right business areas and risk assessments, which are also linked to internal policies, will provide prioritization of which changes are most important and what operational controls need to be updated to remain in compliance.
Organizations can no longer maintain a separate set of internal policies for each regulation; rather, they need to maintain a consolidated set of internal policies that can be linked to the multiple regulations they satisfy. Organizations that cannot quickly determine which business areas are impacted by regulatory compliance changes, and connect those responsible for activities within a business process to implement the change, will continue to be burdened with compliance costs and will suffer a higher risk of non-compliance as a result.
Success in compliance risk management begins with designing workflows that connect the relationships between compliance policies and the business processes, resources and regulatory standards. These relationships then need to be used to generate and track tasks when regulatory changes take place.
Watch this 30 minute video to see a solution for a risk-based regulatory compliance approach for banks and credit unions, with a case study on the consumer protection agency bureau mortgage disclosure rule change.
What the Great Wall of China can teach us about Vendor Risk Management
A vendor risk management approach is all about creating centralized standards that transcend business silos, which is very different from the approach taken in traditional vendor management software. Vendor management needs tools with a risk-based approach to overcome the difficulty of objectively putting the vendor compliance pieces together across the legal, purchasing, security review, and accounts payable silos for contract renewals and new contracts. Too many controls and too much oversight are dedicated to addressing low-likelihood risks, leaving vendor management without enough time to identify and focus resources on the risks that matter most.
History repeats itself. The Great Wall of China itself was never breached. However, a gate at the strategic Shanhai Pass was opened for the invaders as an inside job by a traitor, which led to the downfall of the Ming Dynasty!
In today's terms, most companies perform rigorous vendor due diligence with penetration tests, SSAE 16 and insurance certifications, financial reviews, etc. More often than not, however, the vendor breach comes through employee emails, data stored at homes or other poor operational controls that are not reviewed during the vendor due diligence process. The root-cause risks need to be assessed in the context of the business process that relies upon the vendor in order to prioritize mitigation activities.
Ask yourself: what part of your enterprise does not in some way depend upon a vendor and its products and services to run effectively? The big losers in not having a vendor risk management approach, beyond the vendor management function, are the business stakeholders. Count the hundreds of hours lost unnecessarily by teams performing compliance activities on low-risk vendors, and a multiple of that number lost to delays in getting the key high-value vendors they need in place to support their business because those vendors are caught up in a low-value compliance process. When you add up these opportunity costs, the imbalance between risk and reward in a non-risk-based approach is staggering.
ERM software supporting vendor management recognizes that the due diligence for a contract renewal is a risk assessment, that contract terms are risk mitigation activities for those risks, and that SLAs are just another name for risk monitoring activities. The ERM approach, in contrast to GRC, uses risk assessment to tell you which clauses need to be added to your contract renewal and what monitoring activities need to be put in place. A risk-based vendor management approach is more strategic because it connects the touch points between vendors and the business processes, risks, controls, monitoring, incidents and reporting that take place across the enterprise, and their impact on the bottom line and corporate objectives.
By applying a common set of standards or risk assessment templates, ERM streamlines the communication, workflow, data collection and reporting on vendor management, compliance, purchasing, contracting, IT reviews and audit processes to reduce your overall time spent on these activities by 40-80% due to the unnecessary overlap and redundancies currently going on between these business silos. By collecting this information only once and using those relationships, an ERM approach turns all these activities into standardized libraries that can be used and reused over time without reinventing the wheel.
Resources should be allocated to the highest risk, not just another brick in an already overly reinforced wall.
Risk management is not about absolutes, it is about using a consistent analysis framework for balancing risk and cost on a common basis across the enterprise. Yesterday's announcement by the Transportation Security Administration (TSA) of their adoption of a risk-based approach is a long awaited practical application of enterprise risk management to security.
As of April 25, 2013, the TSA will once again allow small pocketknives and an array of sporting equipment, banned from aircraft cabins in the wake of the September 11, 2001 terrorist attacks, onto U.S. planes. This is simply a security risk assessment that has quantified the threats across all areas of air travel and concluded that an acceptable level of risk from onboard carry-ons has been achieved through mitigation efforts such as reinforced cockpit doors and better intelligence. Although these items still present some risk, accepting that risk allows the TSA to focus its personnel on other areas of airport security that are more vulnerable in terms of impact, likelihood of occurrence and the effectiveness of controls.
There are always those who are against a risk-based approach, in this case the Coalition of Flight Attendant Unions, but clearly they have a short-sighted, backward-looking view of the threats to their personnel's safety. No one disputes that pen knives are a risk; however, there is no such thing as zero risk either. Airline personnel are at risk on every flight from higher risks such as bombs in cargo, airport intrusions, weaponized viruses and other threats. Coincidentally, the news story "Passenger accidentally gets on airport tarmac" broke on the same day as the TSA announcement, emphasizing the urgent and timely need for the TSA to use an ERM approach to reallocate resources according to residual risk, meaning the threat that remains after taking controls into consideration. Given two equal risks, the threat from the risk with poor controls will be higher.
Being in compliance does not necessarily bring security and safety. When technology and business processes change, compliance programs need to be risk-based in evaluating the impact those changes bring and adjust their compliance requirements accordingly. Over-allocation of resources to risks of the past that have already been sufficiently mitigated leaves fewer resources looking forward at the next point of vulnerability. Risk assessments must be connected to goals and activities within a risk taxonomy to give them purpose and a measurement of effectiveness. Without that, compliance becomes a senseless box-checking exercise. With risk management, compliance becomes an effective control that delivers business value.
The TSA ERM program is a recognition that “they can’t do it all” and they have dropped traditional rigid absolutism for a balanced quantitative approach in their risk management program. According to Jeff Spivey, former President of ASIS, "So many companies are still confused by the terminology that's being used. They hear 'enterprise risk management' and say, 'Well, we have a risk manager so we're doing that already.' But in fact, they're just doing the old traditional approach—transferring of some risks by purchasing insurance. They may be involved in some risk identification at a high level or some claims analysis, but they really don't know the full scope of ERM."
Only by quantifying risks and tolerances at the front line and using a common framework can resources be allocated to the controls that manage them effectively. Simply stated, money can be better spent in other areas where poor controls over risks much larger than pen knives are a disaster waiting to happen.
For more information on how to develop a quantifiable and objective ERM framework to apply in your organization, watch this free webinar, 5 Steps to Better Risk Assessments.
Looking back over my most popular blogs, there was a lot of interest in 5 Steps for Better Risk Assessments and How to Consolidate Compliance Risk Assessments. Due to this interest I have created a complimentary 30 minute webinar on streamlining enterprise risk assessments complete with detailed "how to" examples and visuals that are not possible in a blog format.
Click here to watch this On Demand Webinar or read the full invitation below:
On-Demand Complimentary Webinar Invitation:
Organizations and risk managers are under more pressure than ever before to prove the assurance and value their ERM program is providing, yet the way risk information is collected and structured today—scattered across spreadsheets and Word docs—makes it nearly impossible to aggregate and analyze this information in a meaningful way, not to mention the time it takes to compile the data. As one of our CRO friends put it recently, "It's not even a labor of love at this point – it's just labor!"
Learn how to implement a framework with your existing risk information to make your data dramatically more usable and valuable. The structure will allow you to connect the dots between business area commonalities, aggregate assessments, connect risks to the strategic goals of the organization, put in place more effective mitigation activities, and more.
The key is being able to compare enterprise risk assessment information across functions and levels while keeping one comprehensive risk picture. In this webinar each of the following top 5 best practices will be reviewed, with a step-by-step tutorial and risk assessment examples showing how to achieve them from where most organizations are today, in order to achieve this transparency and assurance:
- Taking a root-cause approach
- Standardizing assessment scale and criteria with risk assessment templates
- Linking risks to controls
- Connecting risks to strategic goals
- Embedding risk assessments in everyday activities
Who will benefit:
Risk managers are feeling the pressure from their boards and senior leadership because the business environment, as well as laws and regulations, have changed. Risk assessments require much more discipline and rigor. Risk managers will learn how to adopt best practices so that risk assessments can be compared and utilized cross-functionally for more accurate and actionable risk management. You will also learn how to apply these best practices to streamline your non-ERM areas of responsibility, such as vendor management, information security or business continuity, to gain more time for expanding these best practices to other areas of your enterprise.
As the number of regulations increases and changes, so do the RCSAs (Risk and Control Self-Assessments) required as part of the compliance process. Not all risks to compliance are equal in terms of impact, likelihood and the effectiveness of current control activities. Attendees will learn how to objectively and systematically prioritize which regulations need attention based on compliance risk assessments.
Auditors need an independent guide to evaluating the effectiveness of a risk management program. Learn how to prioritize risks in a timely manner to meet the new mandatory International Professional Practices Framework (IPPF) guidelines, announced by The Institute of Internal Auditors (IIA) and effective Jan. 1, 2013.
This week I faced the ultimate personal test of my risk management skills, where I had to soul-search: "Do I practice what I preach as an ERM expert?" Sunday, the night before the storm of the century, Hurricane Sandy, hit, I had tickets to fly to Texas as a speaker and expert on ERM. What would become of my home and family? Had I applied the same risk principles in my personal life that I apply in my work as CEO of the leading enterprise risk management software company? Had I put a personal business continuity plan in place for my family? Did I trust my risk assessment? I thought back over my hurricane/nor'easter weather season risk assessment, mitigation and monitoring activities. Our house is not next to the ocean and is on a hill, so we didn't face the risk of flooding from Sandy. In May, I had installed a whole-house back-up generator that would automatically switch over if a loss of power were to take place. Over the summer I hired an arborist to inspect all the large trees around our property. Two 120 ft pines were identified as sick and weak, and the mitigation plan was executed to take them down. In September, I had the slate roof inspected and repaired to seal all cracks and possible leaks. Friday and Saturday, we followed a checklist of the usual items like water, batteries and food, and stored any yard items and furniture that could become airborne. I called our neighbors to update our contact info just in case something went wrong. I was confident I had identified the key risks in my assessment and had executed mitigation and monitoring activities to cover them. So I went on my prescheduled business trip with confidence. That's ERM up front and personal!
So that brings us to the RIMS ERM Conference 2012 in San Antonio, TX. What is ERM all about? Why did nearly 200 executives gather from all over the country for two days of intensive learning about ERM best practice and technology application case studies?
What is the problem: How do we know what is happening to our businesses where the rubber hits the road? For a very recent example, let's look at what most of us did to learn what was going on when Hurricane Sandy crashed into our lives. We first turned to the people we know and trust: our friends, colleagues, and family. But that gives us an incomplete picture, so we typically turn to the news. Generally we see a top-down view from a satellite that shows the whole of the storm, but that also does not give us an understanding of what is really going on. So we also see reporters out on the front line, with windblown hair and the rage of the storm behind them, to put it in perspective. In ERM terms, this is the view of the process owner, the person on the front line most familiar with what is going on in a particular area. Since our reporters cannot be everywhere at once, we use iReporters who send us snapshots and videos from the field, where the action is, to understand what is happening on the front line. This is how we get a clear picture of the storm, top down and bottom up.
Why is this important? ERM has evolved in stature from a proactive good idea and best practice to a regulatory requirement that has significant teeth for non-compliance. Since the landmark SEC ruling that made risk disclosures mandatory, boards are personally accountable for effective ERM programs or they face fraud or negligence charges if they cannot demonstrate and measure effectiveness.
What the BOD needs to know: The Board of Directors and regulators need to know the real state of their ERM. How effective is their ERM program, meaning can they demonstrate that all material risks are identified and sufficiently mitigated and monitored? How do they do this? First they need to reach all business process owners and identify their material risks. Then, for those material risks, the actual mitigation activities need to be documented and monitoring activities need to be conducted on a regular basis, typically quarterly.
How to build an effective ERM program? Get the requirements from the RIMS Risk Maturity Model, a comprehensive set of building blocks of what exactly needs to be done in actionable and measurable terms.
When I came home from the conference, while the neighborhood was a mess with fallen trees and a blackout for two days, everything was fine at my household. My family had electricity, heat and hot meals. Everything sounded like business as usual to an outsider, but an ERM professional knows what it takes to achieve business as usual in the face of adversity. This is what good ERM is all about.
In my last blog and On-Demand Webinar “Presenting Risk Management to the Board,” I was asked for help in identifying government regulations that hold Boards responsible for Enterprise Risk Management (ERM) compliance.
Definition: First some background. The SEC Proxy Disclosure Enhancements rule defines ERM compliance as extending the board's role in risk oversight to the threshold of material impact of the risk, regardless of the level at which it occurs. Boards of Directors were previously only responsible for CEO-level risks, activities and decisions, but this rule extends the accountability mandate to the business process level where this material activity takes place. This includes risk management out through supply chains, as we saw with the BP oil spill in Louisiana, so private companies are not exempt.
Implementation: Sarbanes-Oxley compliance Audit Standard 5 (SOX AS5) holds management and boards accountable for a subset of Enterprise Risk Management, the risk of misstatement of an organization's financials. The SEC disclosure rule is similar in approach, in using materiality as a threshold or measure of what needs to be controlled or mitigated rather than prescribing which risks to cover or how to cover them; however, unlike Sarbanes-Oxley it covers all risks and there is no organizational size limitation, so small and medium-sized companies are equally on the hook for ERM compliance.
Enforcement: Enforcement of this rule is simple and powerful. Lack of disclosure and an ineffective ERM information and reporting system equals negligence. Boards are explicitly given a choice between either having effective risk management in practice or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud or negligence, as not knowing about a risk is no longer a defense. As a result, the number of SEC enforcement actions rose to 735 in 2011 from 677 in 2010. Moreover, the number of actions against investment advisers and investment companies rose to 146 in 2011 from 112 in 2010 (up 30%), with only 76 such actions in 2009 – just under half the number brought in 2011.
A corporation and its corporate officers may be held criminally liable for the acts of persons, even in the absence of any wrongdoing on their part.[1] For example, in the court case Stone v. Ritter[2] (but also In Re Caremark[3] and In Re Disney[4]) the Delaware Supreme Court affirmed the personal liability of the members of the Board of Directors and set the precedent for board accountability for effective risk monitoring. The Board of Directors' duty of care includes an obligation "… to assure that a corporate information and reporting system, which the board concludes is adequate, exists."[5]
Minimize Penalties: ERM programs now fall under compliance, and in November 2010 new incentives in the Federal Sentencing Guidelines[6] that apply to ERM permit a substantial reduction in the penalties imposed on an organization if it has established an effective ERM information and reporting system.
Risk in itself is not to be avoided, but rather embraced, since all returns have risk as a prerequisite. Simply stated in the negative, no risk equals no reward. The key to business is taking risks that have a fair compensation in terms of reward. At the heart of fairness is disclosure, and failure to disclose risks involved, whether knowingly or unknowingly, is negligence. Therefore a large part of the penalty is around the inability to demonstrate the board and management’s extent of activity in trying to “know risk” at the front line. Organizations are thus incentivized to implement true ERM software so they can benefit from Federal Sentencing Guidelines, which offers relief for individuals and organizations from negligence claims as it provides evidence of effective risk management. Like a metal detector for a needle in a haystack, ERM Software uses a risk taxonomy to enable organizations to quickly identify and quantify the materiality of risks at the front line management level and aggregate to the board while preserving a direct connection to mitigation activities and monitoring. As a result, ERM software greatly reduces negligence penalties.
According to leading industry analysts on ERM and GRC, “Organizations are focusing on risk management as a central issue in the GRC equation. Enterprise risk management (ERM) is now a bigger driver for GRC than regulatory compliance requirements. Organizations want a top-down viewpoint on risk, whether it is resulting from non-compliance or operational issues, and want to know what is being done to mitigate it. ERM is increasingly considered as a strategic tool to support governance and improve business performance.”
Benefits of Software: Although there may be little difference in where the concepts of ERM and GRC theory have evolved to today, there is a very big difference in the origins of ERM and GRC software technology and in their impact. GRC was born out of prescriptive regulatory compliance, meaning a specified set of procedures that must be followed by all companies in the same way as of a specific date. ERM, by contrast, was born out of strategic performance management, which is all about managing uncertainty in future outcomes and making cost-benefit judgments on the unique choices management makes about how to control their business. Why is this important? New software is required for major shifts in the business environment. ERM software, with its holistic approach, delivers a 60-80% gain in efficiency in time and effort by consolidating existing governance, risk and compliance activities currently done separately in silos, and reduces total internal and external audit consultancy costs by more than 15%.
General steps for risk management personnel to take, before and during an SEC investigation:
- Make sure the organization's risk resources are adequate, so you're prepared for the task of meeting the SEC's demands.
- Demonstrate that the way operational controls are documented matches the way they are actually conducted.
- Examine written ERM process internal standards and evaluation criteria that quantify risk materiality.
- Provide evidence that risk assessments conducted over the past 12 months at the department manager level meet internal standards and cover all material business processes.
- Look for above-average risks that do not have corresponding risk mitigation and risk monitoring activities.
- Have a matching set of materials to back up documents given to the SEC.
The stronger and more effective the ERM program, the less severe the recommended penalty for non-compliance, negligence or fraud will be. Conversely, a weak ERM program, or the lack of one, will result in harsher recommended penalties and criminal sentences. To self-assess the strength of your ERM program, go to www.rims.org/rmm. This 20-minute exercise will tell you how effective your ERM program is and give you a roadmap to meet regulatory requirements.
1 United States v. Park, 421 U.S. 658 (1975)
2 911 A.2d 362 (Del. 2006)
3 698 A.2d 959 (Del. Ch. 1996)
4 906 A.2d 27 (Del. 2006)
5 698 A.2d at 970 (Del. Ch. 1996)
6 2011 Federal Sentencing Guidelines Manual, Chapter Eight
View all posts | View current post
The first shoe to drop was government regulation holding boards of directors personally responsible for the effectiveness of enterprise risk management programs at their organizations. Boards are given a choice between proving that their risk management programs are effective and disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud, as not knowing about a risk is no longer a defense.
What does enterprise risk management effectiveness mean? Not being involved in the day-to-day running of the company where most operational risks actually occur means Boards of Directors must, through their risk oversight role, satisfy themselves that the risk management policies and procedures designed and implemented by the company’s senior executives and risk managers are effective at identifying all risks and demonstrating assurance over the most material ones.
Risk is viewed at its highest level by the board. Some people mistakenly infer that risk information should therefore be collected only at this high level, but that is ineffective because of the gap between senior management and the front-line activity level where risks first arise. The key to determining the effectiveness of a risk management program is the ability to collect risk information at the business-process level and aggregate it upward while preserving the effects of related upstream and downstream dependencies.
Since the liability for error is so high, Internal Audit has now been tasked with fact-checking the risk management information presented to the board to ensure its integrity at the front-line business process level. The Institute of Internal Auditors (IIA) announced this week that it has revised its International Professional Practices Framework (IPPF), effective Jan. 1, 2013. These mandated changes require auditors to validate the most timely and most significant risks, especially those that affect achievement of the organization’s strategic objectives.
The role of the enterprise risk manager has now finally become clear: to close the gap between strategic-level risk and all the operational risks at the activity level on the front line of the organization. The risk manager is responsible for setting the standards, practices and procedures for effective risk management and embedding them in all existing business processes. The risk manager is now accountable for risk metrics. This requires putting a mechanism in place to collect risk information at the level where most operational risks materialize and to aggregate it to a level the board cares about, while preserving the links to the front line and the resources involved, and then tying together the risks in related business processes, all at the activity level, so that there is a clear audit trail for Internal Audit to follow.
Organizations have realized that their board-level attestations on the effectiveness of risk identification and assessment can no longer be just a facilitated interview at the senior management level; instead, there needs to be a rigorous process at the activity level through the lens of what is material, not in isolation within a single business silo, but overall, as all the pieces come together at the top. The goal is to identify and objectively assess operational risks and ensure risk mitigation is in place at the activity level, independently and then collectively. The integrity of this risk information needs to be preserved when aggregating and summarizing by the strategic goals of the organization.
ERM or GRC software with a risk-based approach is the only way this process will work effectively, and the RIMS Risk Maturity Model spells out each of the 25 requirements that must be met to put a risk taxonomy in place for an effective and efficient enterprise risk management program that meets the rigor of compliance and, now, of internal audit review.
Click here to watch a free On Demand Webinar, “Presenting Risk Management to the Board”.
View all posts | View current post
A chemical plant explosion in Japan on Sunday shows the consequences of poor risk management in a really personal way. The Nippon Shokubai Co. produces a chemical that is a critical link in the supply chain for one-fifth of all the world’s diapers. A diaper shortage is expected.
One, where was the risk management program to prevent the explosion? As always with these things, in the next six weeks evidence will be uncovered of an employee warning management about conditions that could result in an explosion. It is always the front line that detects the vulnerability, but too often organizations’ Enterprise Risk Management (ERM) programs do not reach the front line; therefore, there is no effective, systematic risk assessment and control evaluation mechanism in place to evaluate the risk and allocate resources properly.
Two, how can one-fifth of all the world’s diaper manufacturing rely on a single factory for a core ingredient? Again, poor vendor risk management. Most organizations manage vendors from a compliance standpoint and request documentation on business continuity plans, but they rarely require those plans to be tested or validated. The plans are typically just nice-looking gibberish written to meet a vendor compliance regulatory requirement.
Corporate vendor managers often do not incorporate ERM in their vendor management programs, so vendors are not risk-assessed from various points of view for their criticality in order to prioritize the level of examination beyond just checking a box. In this specific case, a risk assessment would have identified this particular supplier as extremely risky in terms of reliance and ease of substitution, perhaps among other things, and thus as a critical vendor demanding more scrutiny than the standard documentation acquired through meeting compliance requirements.
Both scenarios above are easily addressed by extending ERM out to the front line with automated ERM software that is integrated into the functional operations and governance, risk and compliance (GRC) areas of the institution. It typically takes only 90 days and US$15,000 to save millions or more. ERM programs are laughably underfunded, so when you make your next business case for automating your ERM program, illustrate the operational consequences for business performance, not just compliance, to get your business case approved. You do not want your organization to be in the news for having caused a major operational risk event through negligence, or worse, to be shopping your resume with the equivalent of dirty diapers on your hands!
View all posts | View current post
The National Credit Union Administration (NCUA) has by mandate added Enterprise Risk Management (ERM) and Sarbanes-Oxley (SOX)-like financial reporting attestation compliance to the list of required activities for credit unions. Why has the NCUA put SOX-like financial reporting attestation and ERM in the same ruling?
The NCUA has recognized that all regulatory compliance guidelines have required a risk assessment component, so it is only natural to require an Enterprise Risk Management (ERM) program to standardize all these different risk assessments to make it easier for them to supervise these institutions. What is good for the goose is good for the gander. It is no surprise that 91% of banks and credit unions in a recent survey plan to restructure, reorganize, and reprioritize their organization's approach to risk management to standardize and consolidate compliance risk assessment activities.
Here are the 5 Steps to Apply a Consolidated Compliance Risk Assessment approach to your organization:
- Standardize your risk assessment templates: The key is to standardize a root-cause-based risk library, or risk register, which lets you assess once and meet multiple regulatory requirements. Nearly all regulations require a risk assessment, so regulators, and therefore auditors, ERM committees and shareholder disclosures, are now checking on how these are performed. Currently risk assessments are often not done formally, that is, in a standardized manner, resulting in inconsistent quality and subjectivity.
- Consolidate risk and control self-assessments (RCSAs): Next, create a risk taxonomy that records the linkage between each compliance risk assessment and the commonly identified root-cause risk it addresses, so you can see which risks meet multiple regulatory requirements. Different areas across the organization are collecting the same information about the same resources for multiple regulations; they just don’t know it, because they are not connected to each other or to the requirements of the corporation as a whole.
- Structure reporting for flexibility and efficiency: Since everything is in one place, standardized and connected through a risk taxonomy, you can serve a variety of stakeholders by re-grouping the subsets of risks and their connected controls in different ways to meet the requirements of different stakeholders without repeating the work. This approach will also reveal systemic risks by tracking the number of times the same risk is independently assessed and where these risks occur to see their cumulative strategic impact and monitor risk and compliance over time.
- Verify the links between controls and the regulations they serve: There are so many regulations with seemingly overlapping guidelines that it is hard to understand specifically how they are connected. The key to finding that connection is to identify the underlying risks the regulation is trying to address. There is no direct linkage between a control and a regulation; the risk provides the linkage, since risks are mitigated by controls. Because everything is in one place, standardized and connected through a risk taxonomy, you can easily determine the completeness of your control activities. This tells you exactly where you are vulnerable and provides a prioritized plan to do something about it.
- Link resources to controls: All compliance requirements involve resources such as vendors, technology, physical assets or people. Business impact cannot be determined in isolation from the business process that relies upon them. Therefore the key is prioritizing these resources and linking them to the compliance controls for each business area. The result is that key supply chain and infrastructure dependencies are connected to the mitigation and control activities organized within the business processes in which they operate, so you can allocate resources to the most important areas.
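To make the five steps concrete, here is a small Python model of the taxonomy they describe: regulations point at root-cause risks, controls mitigate risks, and resources support controls, with no direct regulation-to-control edge. It also implements the check from the SEC-investigation list earlier on this page (above-average risks with no mitigation or no monitoring) and the roll-up from front-line process to board-level objective. This is an added illustration, not the vendor's software or any real programme; all regulation, risk, control and resource identifiers and scores are constructed for the example.

```python
"""Toy risk taxonomy: regulations -> root-cause risks <- controls <- resources.
Added illustration only; every identifier and value here is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    name: str
    process: str     # front-line business process where the risk arises
    objective: str   # strategic goal the process supports (the board's view)
    likelihood: int  # 1-5, constructed scale
    impact: int      # 1-5, constructed scale

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    mitigates: List[str]  # risk ids this control addresses
    monitored: bool       # is there an ongoing monitoring activity?


# Constructed sample register (hypothetical identifiers, not a real programme).
RISKS: Dict[str, Risk] = {
    "R1": Risk("Critical vendor outage", "Payments", "Member service", 4, 5),
    "R2": Risk("Unauthorised change to financial data", "General ledger", "Accurate reporting", 3, 4),
    "R3": Risk("Suspicious transaction not flagged", "Payments", "Compliance", 3, 5),
    "R4": Risk("Key-person dependency in month-end close", "General ledger", "Accurate reporting", 3, 2),
    "R5": Risk("Data centre power loss", "IT operations", "Member service", 3, 5),
}
# A regulation is recorded only as the root-cause risks it tries to address;
# controls are never tied to a regulation directly (step 4).
REGULATIONS: Dict[str, List[str]] = {"Reg-A": ["R1", "R2"], "Reg-B": ["R3"], "Reg-C": ["R2", "R4"]}
CONTROLS: Dict[str, Control] = {
    "C1": Control("Vendor BCP tested annually", ["R1"], monitored=True),
    "C2": Control("Change approval workflow", ["R2"], monitored=True),
    "C3": Control("Transaction monitoring rules", ["R3"], monitored=False),
    # R4 and R5 deliberately have no control so the gap report has something to find.
}
RESOURCES: Dict[str, List[str]] = {"Vendor-X": ["C1"], "Change-tool": ["C2"]}  # resource -> controls (step 5)


def shared_risks() -> Dict[str, List[str]]:
    """Risks cited by two or more regulations: assess once, satisfy all (steps 1-2)."""
    seen: Dict[str, List[str]] = {}
    for reg, risk_ids in REGULATIONS.items():
        for rid in risk_ids:
            seen.setdefault(rid, []).append(reg)
    return {rid: regs for rid, regs in seen.items() if len(regs) > 1}


def controls_for_regulation(reg: str) -> List[str]:
    """Controls serving a regulation, resolved through the risks it addresses (step 4)."""
    wanted = set(REGULATIONS[reg])
    return sorted(cid for cid, c in CONTROLS.items() if wanted & set(c.mitigates))


def coverage_gaps(threshold: Optional[float] = None) -> Dict[str, str]:
    """Above-average risks with no mitigating control, or whose controls nobody monitors."""
    scores = {rid: r.score() for rid, r in RISKS.items()}
    if threshold is None:
        threshold = sum(scores.values()) / len(scores)
    gaps: Dict[str, str] = {}
    for rid, s in scores.items():
        if s <= threshold:
            continue
        ctrls = [c for c in CONTROLS.values() if rid in c.mitigates]
        if not ctrls:
            gaps[rid] = "no mitigating control"
        elif not any(c.monitored for c in ctrls):
            gaps[rid] = "mitigated but not monitored"
    return gaps


def aggregate_by_objective() -> Dict[str, dict]:
    """Roll front-line risks up to strategic objectives for the board, keeping the
    link back to the process each risk arose in (step 3)."""
    out: Dict[str, dict] = {}
    for rid, r in RISKS.items():
        entry = out.setdefault(r.objective, {"total": 0, "risks": []})
        entry["total"] += r.score()
        entry["risks"].append((rid, r.process, r.score()))
    for entry in out.values():
        entry["risks"].sort(key=lambda t: -t[2])
    return out


def regulations_depending_on(resource: str) -> List[str]:
    """Resource -> controls -> risks -> regulations: what a vendor or system underpins (step 5)."""
    risk_ids = {rid for cid in RESOURCES.get(resource, []) for rid in CONTROLS[cid].mitigates}
    return sorted(reg for reg, rids in REGULATIONS.items() if risk_ids & set(rids))


if __name__ == "__main__":
    print("shared risks:", shared_risks())
    print("gaps:", coverage_gaps())
    print("by objective:", aggregate_by_objective())
    print("Vendor-X underpins:", regulations_depending_on("Vendor-X"))
```

With the constructed data, R2 is the one risk that satisfies two regulations at once, R5 shows up as an above-average risk with no control at all, and R3 shows up as mitigated but unmonitored; the objective roll-up keeps each risk's originating process, so the board figure can be traced back to the front line, and the resource lookup answers which regulations a given vendor or system ultimately underpins.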
Governance, risk and compliance (GRC) software helps you standardize all your risk assessments across your regulatory, operational and strategic needs. When regulations change, you can even automate notifications to the areas involved in or affected by the change. So stop spending your time chasing and reminding people to complete their compliance requirements, and instead recover the 60-80% of enterprise-wide time that resources currently waste on unnecessarily redundant compliance risk assessments with a Consolidated Compliance Risk Assessment framework.
Download a detailed whitepaper with examples that will show you how to consolidate compliance risk assessments.