In the previous blog in this series, we looked at the important roles that data, tools, and innovation play within Integrated Risk Management (IRM). Today we focus on the need for good risk management processes that would make use of all that quality data we spoke about previously. If data is the cornerstone of IRM, then streamlined processes that produce or consume it are its keystones, without which risk management programs do not work effectively. Furthermore, many companies have sought to bring disparate risk management processes together across organizational silos. But even streamlined processes alone are not enough, as an appropriate operating model is required to govern these processes and the IRM program overall.
As a result, many organizations that have taken the first steps to integrate risk management capabilities, but have not adjusted or enhanced their risk management processes and supporting operations to work together optimally, mistakenly think that IRM is not achievable. This is unfortunate, as many organizations on the right path simply need to take a few additional steps to start realizing the benefits of IRM:
1) Simplify and standardize integrated risk processes: Organizations should take stock of their current processes and analyze them at the activity level to identify opportunities for elimination, simplification, enhancement, or automation using technology. The output of this exercise should represent a streamlined workflow that can be understood, standardized, and configured more easily. This step is also an opportunity to align processes with IRM technology to take full advantage of functionality or capabilities that it can provide. While process refinement typically should not be based on the abilities of a system or tool, it would be short-sighted to ignore the features and functions of IRM systems and tools currently in the market that make use of the latest trends and technology, including A.I. and Machine Learning. Appropriately integrating such capabilities into IRM processes and leveraging out-of-the-box technology capabilities and low-code or minimally customized workflow tools can make it easier than ever to implement IRM, provide flexibility, and allow for changes in the business environment and processes over time.
2) Mature integrated risk management processes: Once the process environment has been simplified, organizations should examine risk management activities to identify opportunities to further mature them. This can be achieved by focusing on identifying only those activities that provide value in identifying and managing risk, leveraging available data and information to glean insights and promote a greater level of data-driven decision making (e.g., risk identification, risk assessment), and leveraging Robotic Process Automation (RPA) and continuous monitoring. By evolving risk processes, organizations can improve their efficiency and focus efforts on improving the outcomes of the highest-value risk management processes.
3) Align risk functions and technology: In order to capture a holistic picture of risk, a greater partnership between risk management functions (i.e., the business) and the IT functions that support them is required. Too often IRM is seen predominantly as a “business” problem. However, not only does IT represent another source of risk (e.g., cyber, operational, technology), it also plays the critical role of enabling IRM. As previously mentioned, process re-engineering is a natural opportunity to align IRM processes with available technology capabilities to gain the full benefit of your IRM system or platform. While the principles of holistic risk management are generally business-driven, it is technology that provides the hallmark features of IRM, including configurable entitlements, automated workflows, and data aggregation and reporting capabilities. Many IRM programs are delivered using agile methodology, which offers a natural way for business and IT to partner. By aligning risk functions and technology, organizations can benefit from a more standardized and harmonized view of the risk environment.
Every organization presents a unique set of circumstances that may or may not require all the capabilities referenced above; however, those organizations that do undertake such initiatives can realize a broad range of benefits, including:
- Acceleration of the organization’s speed to implementation by identifying, evolving, and streamlining risk management processes
- Standardization of risk management capabilities to facilitate consistency and respond to the ever-changing business environment
- Harmonization across business lines to reduce variation in risk management activities across the organization
- Establishment of consistent methodologies by leveraging data inputs driving repeatable, transparent outcomes and decisions
- Implementation of easily duplicated processes based on data inputs and unlocking opportunities for automation and machine learning
- Connecting different risk types that are identified throughout risk identification and assessment processes
- Detailed and high-quality aggregated data and metrics to allow for sound governance by oversight functions
The scope of IRM may differ across organizations, but fundamentally many programs anchor their IRM around a core set of risk management related functions, including but not limited to: issue management, risk identification, risk assessment, loss data capture, regulatory change management, policy management, scenario analysis, control testing, compliance risk assessment, audit management, third party risk management, and KRIs or risk appetite metrics.
In the end, IRM programs are defined by what is most relevant and meaningful to each organization. In the next blog of this series, we will look at how Integrated Risk Management influences and reflects the experience of its stakeholders.