Some time has passed since the last blog in our IRM series as summer vacation period hit and our team was called away to focus on several major initiatives, but we are back in time for cooler Fall weather and to close out the series. Throughout this series we have covered a range of considerations and key ingredients across the dimensions of people, processes, technology, and data. In our last post, we discussed “great user experience” as a differentiating critical factor in the success of an IRM program. To properly organize, implement and maintain all these elements of IRM, however, organizations need an effective operating model.

Our view of a Future IRM Operating Model incorporates a high-speed, iterative approach to development and ongoing management, engaging both Risk (business) and Technology functions in services-based delivery. The Operating Model includes four key elements:

  1. Accelerated, iterative delivery. Using Agile software development as opposed to more traditional development methodology can help accelerate delivery of IRM capabilities. When executed properly, Agile can also facilitate better collaboration between risk (business) and technology teams. Using SAFe (scaled agile framework) or some variant of agile can drive faster time to market, increase in productivity and quality, and greater business engagement. A core benefit of SAFe, for example, is that it provides alignment between teams, at all levels of the organization involved in solution development. On some IRM programs, an Enterprise Project Management Office (EPMO) or Delivery PMO (DPMO) oversees and governs the portfolio of IRM domains which manifest themselves as individual Agile epics. The EPMO or DPMO on such programs provides the standards, processes, and templates to establish consistent project management, status reporting and delivery across the program. If the IRM program is regulatory-driven or has a regulatory mandate associated with it, the PMO function may also operate as a conduit or liaison with Regulatory Affairs, Compliance, Legal and other teams to coordinate and track required deliverables and milestones. 
  1. Convergence of risk (business) and technology. Enabled by an Accelerated Delivery Model (as discussed above) risk management and Technology teams are working more closely together than ever before, which calls for a Governance model that accounts for this and helps to ensure objectives and performance goals are met. Within this partnership, risk management has the responsibility of conveying their needs and vision and technology has the responsibility of delivering practical, sustainable solutions that support this vision.
  1. Shared services-based execution and support. Most organizations today are being asked to do “more with less”. IT is certainly not immune to this with teams increasingly being stretched to simultaneously develop or configure new capabilities, maintain current systems and tools, and respond flexibly with business partners to keep up with frequently changing priorities. This nonstop evolution is challenging to keep up with, both from a skills and cost standpoint, driving a need for more efficient and effective deployment. As a result, shared services-based models are increasingly being used to optimally leverage and apply available resources across IRM functions. This model allows resources to be cross trained on the various IRM technologies being deployed, providing upskilling opportunities and keeping them fully engaged and feeling like valued partners. 
  1. Talent ecosystem. A liquid, flexible workforce is essential to any successful IRM strategy and has the mandate of finding and providing top talent and highly skilled IRM resources for both business and technology roles. IRM technology solutions often require unique, specialized skills that are specific to the platforms, systems and tools that are increasingly being leveraged. Ideally, a talent ecosystem could include diverse sourcing models that are tailored based on the business and technology needs. In many cases, The IT team serves as the talent orchestrator and forges connections with risk functions and other IRM groups needing new skills and expertise. In this model, consolidated outsourcing shifts to ecosystem outsourcing, blurring the lines the between the organization and its ecosystem partners.

The four elements above are not exhaustive but represent a view that is based on experience. Other factors ranging from regulatory scrutiny to faster pace of change could put more pressure on organizations to integrate risk and technology and deliver more robust risk monitoring and measurement, controls testing, reporting and analytics capabilities. We believe that Integrated Risk Management – with its focus on data integration leading to better visibility and improved decision-making – is the right approach for such an environment.

Throughout this blog series, we have talked about important ingredients to achieving Integrated Risk Management, including data as the cornerstone, the right tools and technology as enablers, processes as keystones and exceptional user experience as the differentiating key to success. It takes a solid governance framework to bring all these components together and help an organization sustain robust IRM. Regardless of where your organization might be in the journey to achieving IRM, it never hurts to take a moment to assess your capabilities, identify strengths and weaknesses, and look for opportunities to improve. We hope this series has been helpful, but feel free to contact us to learn more.

Submit a Comment

Your email address will not be published.