- Corporate Security Teams
- Risk & Compliance Teams
- Information Security Teams
Governance, Risk and Compliance
By Will Anderson Modified September 14, 2021
According to ISO, risk is defined as the effect of uncertainty on objectives, focusing on the effect of incomplete knowledge of events or circumstances on an organization’s decision-making. For companies that have accepted this definition and are looking to mature their risk programs and enable a risk culture, ISO 31000’s risk management framework is a great place to start. The ISO 31000 principles can help these organizations score the maturity of their risk processes and culture.
Technology is a critical element of implementing effective risk and decision-making practices because it bridges the communication gap between teams, breaks down departmental silos, facilitates collaboration and information access, and automates tedious tasks. Great technology can’t make up for bad practice but without it, no program will meet the ISO 31000 principles.
“ISO 31000 delivers a clearer, shorter and more concise guide that will help organizations use risk management principles to improve planning and make better decisions.”
To explain how Resolver believes risk technology can help organizations match ISO’s vision, we break down the 11 principles into groups and share our insight:
To establish and sustain value, risk management must be tied to objectives and focus on business value. Risk management solutions that are overly rigid often only manage risks in lists or heatmaps. A more effective approach ties risks to objectives and analyzes them in the context of decision-making where value creation happens.
Risk management technology must be embedded in the business processes where decisions are being made under uncertainty. If the technology isn’t intuitive and easy to use, you can almost guarantee that users will see it as bureaucratic and avoid it as much as possible. Provide end-users with actionable insight into risk and uncertainty, and they’ll be able to make more informed decisions.
Traditional risk solutions can be great to help organizations make risk management systematic and structured, but the information gathered becomes outdated quickly because it’s only reported annually or quarterly. As the industry moves towards more continuous monitoring of risks and key indicators, risk solutions need to be more flexible to allow users to enter risk data on their own time, ensuring that the information is always up-to-date. Great risk technology provides real-time reports to end-users based on the information they provided, rather than forcing someone in the risk function to build and disseminate them.
The way risk management works in an organization is highly dependent on a business’s structure, objectives, culture and risk maturity. This creates a lot of different variations in how technology is used. Rigid technology forces organizations to tailor their process to a system. Great technology is malleable and can be made to fit the organization’s specific needs without expensive custom coding and ongoing maintenance. Great technology can be tailored to the end-user to ensure that it feels natural to use.
As much as possible the risk system should be open to all management. This requires technology with a scalable and affordable licensing model and the ability to provide single-sign-on so that the solution is easily accessible across the organization. An integrated solution including audit, internal control, compliance and incident management will also help make risk data available to those that need it to improve processes and decision-making.
Business changes, so the technology you use needs to change with it. Even the best-tailored solution can go from value add to value drag if it can’t be easily adapted as circumstances change. Budgets for managing risk technology are stretched thin, so this great technology must as adaptable as needed by end-users.
Resolver Tip: a solution that requires custom coding or expensive vendor-led change management will decline in effectiveness and become a hassle over time.
This last point really sums up everything above. To facilitate continuous improvement, risk management needs to get out of the risk function and into the hands of end-users where it can be used in decision-making across the organization.
Technology is not the complete answer to building an effective risk management discipline in your organization, but it’s a necessary component. Resolver customer, Bangor Savings Bank, uses risk management technology to position their team as a trusted advisor in their organization.