According to Gartner’s yearly CIO Survey, digitalization is not only creating new and higher levels of risk; it is creating completely new types of risk – all of which have to be managed, making risk management more important than ever.
From speaking to the many senior leaders in the organizations we do business with, it becomes clear that there is a real need for more and better risk-related information to help drive the business. And this is not just my own observation.
In a survey conducted earlier this year by the Risk & Insurance Management Society, over 500 risk executives across the globe were asked: “Do you expect in the next 3 years it will become easier for you to forecast critical risks?” An alarming 74% said no!
They face an enormous challenge. The sheer number of risks, and the way risks intersect across global, organizational and technology boundaries, is driving a rapid escalation of risk within organizations. That complexity makes it very difficult for them to get their arms around the entire risk profile.
But, even more importantly, RIMS noted in the survey that due to a continued lack of cross-organizational collaboration, firms cannot get at the root of the current risk issues or the true emerging risks that will impact them in the future.
According to Gartner Research Director John Wheeler, this continued lack of cross-organizational collaboration is closely related to the siloed nature of most governance, risk and compliance (GRC) software implementations today, and I fully agree. Although there is a growing consensus that breaking through the traditional silos and integrating the different GRC domains is the right way forward, this remains a huge challenge in many organizations.
More and more organizations are trying to break through these silos by integrating the typical GRC domains such as operational risk, IT risk, compliance, audit, business continuity, etc. Collaboration between these domains is a step forward, but it is not even close to what I believe is needed to be successful in the digital age. What is needed is collaboration across the various GRC domains AND the people responsible for business process design, business process execution and, last but not least, business process outcomes and performance.
In my experience, executive management teams make much more effective use of risk management if they better understand the relationship between business outcomes, business processes and the associated risks. Organizations need to get risk-related information into the hands of business managers. Risks should not be addressed externally by a set of separate organizational entities called “risk management” that cover risk-related issues for the business.
Business owners need to understand that they “own” the risks related to their processes, and they need to manage these risks collaboratively with all involved stakeholders in order to achieve business performance. So a process-driven approach to GRC is needed to establish a comprehensive, enterprise-wide risk and control governance model, ensuring that the risk strategy is balanced and that responsibilities and ownership are properly defined. It’s about collaboration across all lines of defense and making sure the people involved can leverage consistent methods, practices and infrastructure.
GRC technology can be a key enabler for this type of collaboration, but it’s crucial that it facilitates collaboration that goes beyond the traditional GRC silos and becomes an integrated element of how you run your business.