By Resolver Modified April 17, 2020
If you’ve found yourself in the same position as many organizations, it’s likely that you and your team are navigating a new remote-workforce reality. As organizations find their footing to ensure continued engagement, productivity and collaboration across the business, many of their in-person processes need to be reconsidered.
For risk teams, this could require significant changes in how they approach their risk process, where in-person activities, like a risk workshop, are off the table.
If there is a silver lining, it’s that this shift aligns with recent industry trends. The more mature the risk process, the better equipped your team will be to go remote. When teams return to their physical work locations, implementing the suggestions below will help to make the risk process more agile and robust.
As risk professionals, you are highly dependent on the first line of defense – the business users. They have the information you need to do your job, but they do not offer this information voluntarily or communicate it in an impactful way. Historically, the easiest way to collect risk data was to sit down with individuals one at a time, asking them a series of questions to gain an understanding of their business-level risks. This process was not terribly efficient, but it allowed the risk team to gather the necessary information from each business unit and served as a good teaching platform.
While this could still be done via video or teleconferencing, the loss in efficiency caused by remote meetings can be used as an opportunity to drive a cultural shift to teaching rather than doing. A documented process can help facilitate this transition. By documenting the process, you enable business units to learn what they are required to communicate to promote a risk culture, rather than relying solely on the risk team to sit down with them individually every quarter to gather the required information. The industry has been driving towards facilitation for a long time, and now it is time to go even further. There are many tools online to help deliver both real-time and pre-recorded training. Or, better yet, deliver your training directly in the application where the team is doing the actual assessments.
Now that the team has a better understanding of their risks, it is time to enable them to conduct their own assessments.
The key to self-assessments is to make the process and the technology required to complete it as easy as possible. Business users are typically only interacting with the risk system periodically (once a year or once a quarter). If people are not working with something every day, they tend to forget what they are supposed to do. Use the Amazon rule. When you go to Amazon to buy a book you don’t need training to do it. Self-assessments should be the same. Spending the time upfront to make inputs intuitive may take longer to administer, but the effort will definitely pay off long-term.
A great benefit of leveraging self-assessments, if you have not already, is that you spread this work around and allow the business to take ownership of the risks throughout the organization. As a risk function, you will have more time to analyze the output and improve the risk culture throughout the organization, rather than collecting data. As your program matures, you may be agile enough to shift to continuous assessments. With this approach, rather than collecting data to accommodate your reporting cycles, Risk Owners can update their risk evaluations as risk changes in your business.
Even with self-assessments running, you need information available at your fingertips to answer questions from the board, executives, or the other second and third line functions. If you are able to respond in real time while a user is working on an assessment, you will both be more effective.
Email is not the most effective option for this but can still gather the information you need. A more efficient option is a real-time notification platform such as Slack or MS Teams. If you have a system in place, we recommend creating a channel for people to connect directly with the Risk team. You are always able to collect information more efficiently when you can pose questions to a group of people, rather than relying on an individual contributor.
If you are using risk management software, there may be an option to use the in-application commenting feature to interact in real time on the assessment itself. Resolver customers leverage this feature so that all interactions are documented and can be referenced.
Regardless of your method, the more responsive you can be, the more value you provide to the organization. As a function, risk has struggled to get engagement from the organization. Efforts like this can help to change that.
With all of the above in place, you will have more time to analyze. Too often risk teams spend 80% of their time chasing data and less than 20% on figuring out what the data means to the organization. Ideally, with the above strategies in place, you can get that to more like 50/50, building a risk-aware culture along the way.