Governance, Risk and Compliance
When there are so many risks to consider as an organization, how do you develop a discipline to help deliver on your objectives and protect your business? How can you prepare for the unknowns in risk management in an ever-changing risk landscape?
Listen as our VP of Product, GRC, Amanda Cohen, chats with Robert McGarvey of the CU 2.0 Podcast on how organizations and risk teams can prepare for the “unknown unknowns” that are out there, but we have yet to consider or be aware of. While the focus of the podcast is on credit unions, many of Amanda’s insights apply to so many different industries we come in contact with.
“If you don’t have the ability to look outside what’s immediately in your face from a risk perspective and ask what could impact the broader organization as a whole and facilitate those discussions,” says Amanda, “You’re going to have challenges being able to have that level of confidence on your ability to execute.”
While we’re obviously a bit biased when it comes to the importance of #RegTech in helping teams have the 3,000-foot view of their overall risk profile, Amanda cautions that technology is not a magic bullet. Alignment between teams who own risk and GRC is key. “What does your control inventory look like? What are you doing from a process perspective? We’re seeing a lot more of these teams come together before they engage with vendors or as they go through a vendor program to make sure that the way that they’re capturing information is consistent.”
When we break down silos, we can be proactive about risk while also driving efficiency and business value, says Amanda. “What we think about as high risk for audit is the same level of high risk that we see in risk management. We see those conversations happen a lot earlier because people want to make use of a single tool and be able to share resources and share budgets.”
“A lot of it is assessment-based; whether you’re looking at regulatory risk, any type of regulatory requirements, or just risks in general,” explains Amanda. ”What is the risk exposure? Then we work to make it as easy as possible to engage with the business to collect that information.” Resolver is committed to make sure our solutions are easy to use, right out of the box so that new users don’t need training to get the most out of our platform. “People in the business have jobs; they don’t want to spend all their time providing you with your policy documentation or different samples for your testing. They want to be able to provide you with the information you need and then move on. And so we need to make sure that the process of engaging with the business is as seamless as possible.”
Resolver helps teams collect insights and then bring them to the business for analysis. Successful teams using Resolver understand and recognize where their highest risk areas are across their enterprise, says Amanda, “and then really work to rectify that, really highlight that through some powerful analytics and visuals.”
The challenge that a lot of people in the Risk Compliance space have had, Amanda explains, is that they typically ask questions across the organization and begin to extrapolate insights, but the context and value of what’s being asked for don’t always make it to requestees. “But if I could present that information back to you and say, ‘Look, across the business, we have people defaulting on loans in different parts. Is there a correlation?’ You could start to have much more powerful discussions.” When that kind of communication starts to happen, then the hypothetical becomes something that needs to be discussed at an executive level. “There’s a theme there. There’s data that’s pointing us at a challenge that’s occurring in our business that wasn’t otherwise recognized,” Amanda highlights.
Some good questions to ask when reviewing data and insights are:
Amanda says having the discussion is a really good first part of the conversation. “You’re bringing a risk culture to the organization and helping them think about risk. But when you can start to see the ROI on what you’re doing—that’s really when you see things like incident counts go down. Because you realized that there was a challenge or problem, and you’ve done something to rectify it.” But conversations can only take a business so far, Amanda cautions. “It’s when you take those discussions and are able to implement meaningful actions, have that follow-up, and really do something about it—that’s when you start to see the power in the Resolver system.”
When asked how much of Resolver’s offering is Business Continuity Planning, Amanda explains that it’s one portion of what could be considered your GRC portfolio. “We also spend a lot of time thinking about regulatory risk. Your regulations are changing all the time, some areas more so than others, but we’re constantly seeing regulatory change.” But keeping a pulse on what your regulatory obligations are is, again, less valuable if you’re not asking the right questions. “What are you doing about it? What controls? What policies? Are you testing against that?”
Audit is a major piece of that as well, says Amanda. “We have a program, policy, or procedure in place—how effective is that? Does it work all the time? What are the gaps or the limitations?” Amanda describes that at Resolver, “We think of GRC as this full suite. It’s really important that the people who are thinking about those activities in your business, or that are working within the second or third line, really have access to the information and can share that data because that’s what makes a powerful program.”
Many risk professionals look at regulatory obligations and do what’s expected of them, Amanda comments. “That’s certainly great because then you’re in compliance, and you can be confident there. But I think that Risk Management has the opportunity to be so much more,” she pronounces. When businesses and risk teams start to think about what risks could impact the strategic objectives, embedding a risk culture helps to see the big picture. “You can challenge that from a risk perspective and say, ‘We have these targets for the year. And in order for us to be successful, we need to achieve these.’ But if you put a risk-based lens on that, you’re going to be able to start to understand whether you’re going to be able to achieve those.”
Listen to the full episode: