Maximizing Business Value: Top 5 Risk and Compliance Dashboards for Organizational Resilience

Learn how to build operational resilience with Risk and Compliance Dashboards

March 22, 2024 · DURATION: 60 MIN

Every day, risk, audit, and compliance professionals face the daunting task of making sense of mountains of data, scattered across various systems, each pointing to different pieces of the puzzle in their organization. The frustration mounts when trying to provide a cohesive risk narrative to stakeholders, knowing that gaps in understanding can lead to missed opportunities for risk mitigation or compliance alignment. It’s a common story: the struggle to bring clarity to complexity, a fragmented view of risk information hindering cohesive decision-making, and leaving organizations vulnerable to disruption.

Watch the webinar replay of “Maximizing Business Value: Top 5 Risk and Compliance Dashboards for Organizational Resilience”

Hosted by RIMS, learn how Dashboard Summaries of Governance, Risk and Compliance (GRC) operations can be your strategic ally in achieving operational resilience, and a synchronized and comprehensive understanding of interconnected risks. Go beyond simply visualizing data, and see how these tools transform the way companies approach GRC by offering a panoramic view that connects all the dots.

See how your GRC operations can serve as your strategic ally in achieving operational resilience. These dashboards go beyond mere data visualization to transform the way companies approach GRC, offering a comprehensive view that connects all the dots.

Our Risk and Compliance Dashboards webinar is designed for risk professionals, compliance officers, internal audit teams, and information security decision-makers. Ideal for those seeking to fortify their organizations against uncertainties, watch the replay and learn how to:

  • Simplify Complexity: Transform overwhelming data into clear, actionable insights, making it easier to communicate risks and compliance status across the organization.
  • Drive Strategic Decisions: Utilize real-life examples and data-driven case studies to demonstrate how a unified view of GRC can enhance decision-making and operational resilience.
  • Engage and Empower: Reflect on scenarios that mirror your day-to-day challenges, fostering a proactive approach to risk and compliance management.
  • Inspire Immediate Action: Share straightforward, implementable steps to leverage these dashboards effectively, turning risk into an opportunity for growth and innovation.

“Maximizing Business Value: Top 5 Risk and Compliance Dashboards for Organizational Resilience” webinar transcript

Justin Smulison:
Hello and welcome to today’s RIMS webinar, sponsored by Resolver, Building Resilience with Dashboards. I am Justin Smulison, business content manager here at RIMS, the Risk and Insurance Management Society. A few notes before we begin. If you have a question for the presenters during the session, please submit them by writing in the question box.

Feel free to ask at any point during the presentation. We will answer as many as we can during the Q&A portion toward the end, and for those we cannot address, the Resolver team will reply to you directly following this session. The recording will be available on the on-demand events page of rims.org, and all downloads on contact information will be accessible to the sponsor.

On with today’s presentation, we will explore how dashboard summaries of GRC operations can be your strategic ally in achieving operational resilience and a synchronized and comprehensive understanding of interconnected risks. Jeff Fall and Pooja Azhalavan will show you how these tools can transform the way companies approach GRC by offering a panoramic view that connects all the dots. RIMS is thrilled to welcome a large global audience, and now I will hand it off to Jeff Fall of Resolver.

Jeff Fall:
Hey, thanks Justin. Appreciate it. Really appreciate everybody being here today. Pooja, do you want to just jump ahead to our next slide? So just a little bit about myself. I’m an enterprise account manager here at Resolver. That said, I have been in the GRC space for about five years now. I’ve been fortunate enough in that time to work with many different organizations across many different verticals, but particularly enjoy working with insurance companies.

Pooja Azhalavan:
Fabulous. Thanks Justin. Thanks Jeff. Just a quick hello from my side as well and I’m in the product marketing division of Resolver. I oversee the GRC division specifically. My background is really essentially my role demands that I have a strong understanding of our market, our buyers.

I spend quite a considerable amount of my day speaking to our buyers, really uncovering pain points and challenges, the trends and where we’re headed as a GRC market as a whole, and really bringing those insights back into Resolver for which I work for, which is the GRC software solution provider. And that really impacts our roadmap and the way we build and shape solutions for again, our customers and our buyers. So pleasure to be here and I’m very excited to kick this off.

I’ll quickly go through what the agenda looks like for today. We’ll start with Jeff just giving us a quick scan of the business need, the pressing business needs of today, what’s top of mind. I’ll then quickly take over and run you through a few barriers to unlocking insights, especially as the focus of today is those dashboards and what it takes to get quality dashboards built in your own organizations.

Then we’ll run this off with just a, an understanding of what the risk intelligence vision means for different companies. So I think that’s a quick rundown of what we cover today and then we’ll open the floor for questions. So I’m going to pass it over to you, Jeff.

Jeff Fall:
Perfect. Let me just go right to the next slide. Thank you. So I think we all love GRC tools, automation and things that it brings, but I think it’s important for us to not overlook the importance of reporting and what reporting means to an organization and the GRC tools themselves. So I’m just going to spend a little bit of time talking about why reporting is important and then Pooja will walk you through the good stuff and show you the dashboards. So first, hey, I want to thank everybody for joining us today. It’s a pleasure to be speaking with you folks and pleasure to be speaking with RIMS today. And I think just for our purposes to help level set, I’m going to use a Gartner definition for operational resilience because I think reporting truly comes down to that.

The boring definition is Gartner defines operational resilience as initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders.

Okay, so that’s all well and good, but to me the most important part is the next part. So these initiatives coordinate management of risk assessments, risk monitoring, and the execution of controls. So what I take away from this is that you can’t have operational resilience without data.

So I’m guessing that operational resilience is likely in play or will be in play for many of us on the call today. And that means reporting. It just can’t be a backend process anymore. It needs to be more of a strategic asset that will enable informed decision-making. Imagine having information that not only signals when things are going sideways, but also offers real time insights into operations. In turn, it’s going to enable you to steer your company proactively rather than reactively.

This is the power of reporting. So in my experience and speaking with many clients, raw data just isn’t enough. In fact, it’s not data or it’s just data until it’s transformed into something consumable that I would call information and information is what can help guide business decisions. So let’s consider a scenario quickly so you get a real time reporting to a surge in claims.

I know across North America, especially in the United States, there’s varying regulations around how quickly you need to accept and respond to claims. So actionable information is going to be crucial in this. So without consumable information, how are decision makers going to know what’s happening or how to allocate resources to manage what’s happening effectively? Understanding not just what is happening but why it is happening is going to be sort of the key to success here. In my mind, reporting is the bridge between what we know and what we need to know.

Providing critical real-time insights reporting plays an essential role in enhancing operational resilience. It empowers us to not only make informed decisions but also communicate effectively with stakeholders, which is really essential in today’s dynamic environments. As we continue our discussions, let’s keep in mind that the value of reporting is not just surviving, but more in thriving in the face of operational disruptions.

Alright, so I know operational resilience may seem like it’s a never ending quest. This really operational resilience to me is the evolution of reactive to proactive risk management. And it’s not just a strategic move, but it seems like it’s a necessary one today.

With the number of regulatory changes on the horizon, companies really need to start to be proactive. So being proactive means you’re not just waiting for the next thing to happen to you, you’re anticipating it and prepping for it with the aim of preventing any significant disruption to your operations while it happens. So I know it’s not everyone’s favorite topic, but regulatory compliance is something that seems to be top of mind in our space.

Traditionally, it’s been a reactive process with organizations scrambling to adjust to new regulations as they’re coming out. So with advanced analytics and the real-time reporting, now you’re going to be able to detect potential risks as they’re emerging sometimes before.

With all of the talk with AI, I think there’s been whispers of new AI regulations likely on the horizon. Proactive reporting is going to be used to identify if you’re in compliance with your utilization. I know a lot of insurance companies are looking at using AI or are using AI within your claims and underwriting processes. So it’s going to be really, really important to ensure that your organization’s use of AI is going to fall within the regulatory requirements as they’re being released. The information allows organizations to focus the resources more effectively and ensure that you’re in compliance with regulations before it can potentially become an issue.

In other words, to me this means that you need to continually assess your compliance posture. You need to identify gaps and address them before they can become problems. This approach not only safeguards your organization against the risks of being non-compliant, but it’s also going to position you as an industry leader within the regulatory governance landscape. In essence, proactive risk management strategy powered by real-time reporting is the backbone of operational resilience.

Alright, so now everyone here I think appreciates that the insurance organizations have to navigate through a complex world of risks. What’s important to understand is that not all risks are created equal. So this is why organizations back to the Gartner definition need a risk appetite. And a risk appetite is your organization’s unique threshold for risk taking.

Risk appetite, it’s a strategic tool, pardon me, that will guide your organization and prioritizing your actions and defining your response when it comes to risk. So this can be challenging without dynamic reporting. So dynamic reporting is a powerful tool that helps drive risk monitoring efforts. With dynamic reporting, you’re not just passively observing and managing risks, you’re actively measuring them against your risk thresholds. So this is going to allow you to maintain a clear, real-time picture of your risk landscape.

So let’s consider this. Let’s say an emerging risk is identified that could pose a threat to your organization. Compliance or otherwise. Dynamic reporting is going to enable you to quickly assess the potential impact right against your risk appetite. If it exceeds your risk tolerance, now you’re going to be able to take swift action and mitigate that risk before it becomes a larger issue.

Or hopefully if it’s within your risk tolerance, you can simply accept the risk and move on to something else. The interesting thing to me about dynamic reporting is it’s not always just about staying within your risk appetite, it’s also about recognizing opportunities. So if we’re looking through our reports and we notice that we’re operating below our risk appetite, it could be time or it could be a signal to pursue a new market or new product line that’s going to align to your executive strategic initiatives.

So really to sum it up, dynamic reporting is the ability to navigate the complexities of risk management and ensure that operational decisions are in alignment with your defined risk appetite. A dynamic and continuous reporting against your risk appetite is not just a necessity, but it also becomes a strategic advantage.

All right, so as I mentioned before, operational resilience isn’t really just about keeping the lights on, it’s about making smart strategic decisions that will hopefully prevent any setbacks in the first place. So in the last slide we talked about the importance of dynamic reporting.

While you can’t have dynamic reporting really unless it’s powered by realtime and accurate information. So realtime information is what provides us with the to enable a clear and current snapshot of where you stand at any given moment. So I like to simplify things. So for me, it’s like having a GPS for navigating the complexities of risk within, well, in this case the insurance landscape.

Think of it like in your car. So when you’re using a GPS, the car can quickly change your course, it can map out your course with precision, it can quickly change or react when things go wrong. Accidents happen, traffic emerges.

In essence, it’s really going to enable you to align your resources to the most pressing needs and the greatest opportunities within your org. Whether it’s a capital allocation or technology investment, the decisions we make are really only going to be as good as the data that they’re based on. And I know addressing risks can be challenging. It’s a balance between what needs to be done now and what can wait to be done in the future. Unfortunately, none of us, I think, have the resources to take care of all of the risks immediately. So that’s why prioritization is important. So real time accurate reporting provides the insights necessary to align your resources effectively, ensure that every dollar spent and every resource allocated is in response to actual and not perceived requirements.

Taking that back to not all risks are created equal. So data-driven decision-making really is the essence in my mind of operational resilience. It equips you not just to respond to the crises, but to anticipate them, adapt to them, and then quickly act. Next slide please, Pooja. Alright, so a critical piece of governance and risk management.

I think there’s lots of reporting that happens within organizations, but there’s a large task and that’s really building stakeholder confidence within your data and within your reporting. It’s really the cornerstone and is the transparency is what really establishes trust through the information that we’re reporting. So in the complexities of the insurance sector, stakeholders really need to be assured of the integrity and the reliability of the information that you’re presenting and that they’re receiving the transparency of reporting. It’s not merely a regulatory requirement anymore, it’s a commitment to openness that reinforces trust.

When the stakeholders have confidence in the information, they’re going to have confidence within the organization as well. Easier said than done, I know. So how do we achieve this? By reporting quickly and by reporting effectively and transparently, I think we all realize that the rate of change we see today has never been faster than it is now. That said, the unfortunate reality is it’s never going to be as slow as it is today. Again, so speed really becomes a necessity. Speed, however, without accuracy is a recipe for disaster.

So reports need to not only be prompt, but they also need to be accurate and actionable so that they can provide a clear picture of the situation at hand. So effective reporting means that you’re proactively sharing insights and information and not just raw data. It involves contextualizing the information which is key so that stakeholders will understand not just the what but the why behind your decisions and strategies. This level of communication with accurate insights that align to your risk appetite is really what fosters an environment of trust in you and your decisions. So with that, I will stop talking now so you can get to the good stuff and I’m going to turn it over to Pooja and Pooja. Go ahead and walk us through some dashboards.

Pooja:
Awesome, Jeff, that was, I would say a great rundown and a good start to really setting the stage for how we’re going to start building dashboards and what are the critical challenges you’re seeing in market.

I think what I want to highlight here when I talk about barriers to unlocking data is that, as Jeff said, we are operating in the extremely complex world and having that enhanced visibility into your risks is almost close to now having a superpower in your organization. It is becoming an essential cornerstone that will allow every organization to navigate any kind of sudden threats or incidents or risks and loss events that they’re going to face. And so with that, there are three key challenges that I want to highlight that would be a barrier to getting us to build those critical dashboards and reports. Challenge number one is incomplete and outdated information.

What that means is in this dynamic world of data that we exist in, the risk landscape is extremely complex. You’re having regulatory change happening at a very rapid pace, and the tools that we have for reporting and assessments are really not as efficient as we need them to be. Navigating through this requires a reevaluation of how we are gathering and processing all of the data that we’re exposed to. It’s about really ensuring that our information is not just up to date, but also comprehensive and it’s aligned with that ever changing environment. And really at the end of the day, you need a robust data gathering process that includes streamlined reporting by your first line and also by your second and third line as well. So to really ensure that we’re equipped with the most relevant information and we are operating with a full hand of information at all times.

Challenge number two really is understanding that data that you’ve collected in context of your business. So when you work off spreadsheets, which is typically what we see across different organizations, data is not really centralized, it’s quite disparate and quite siloed.

Additionally it’s not integrated, meaning your risk data is not connected to your compliance requirements and you’re not unable to sort of share that even with your audit team in a position where they’re not able to access risk information to improve their own efficiencies and their own focus. This also kind of leads to the challenge of having duplicate data sets, especially when it comes to duplicate controls. Ultimately it all needs to be easily accessible too, so you get that bird’s eye view and that holistic view when you’re trying to make those informed decisions. And then the last, but most important probably the challenge that we face is turning that risk data into opportunity.

Visualizing data can be a very significant hurdle, but it’s a hurdle that can really transform the way that we perceive and we’re leveraging the data, all the risk information when it’s presented in a way to your stakeholders where they can very quickly and easily understand the state of play and derive those critical insights will really drive value and get you seat at the table. It’s also going to help turn risk into an actual business opportunity. And with that, I’m just going to probably put this back to the audience, like a quick poll.

What would be your biggest challenge to effective reporting today based on all the challenges that we identified? Is it the collection and identification of the data? Would that be a data integration challenge where you have to centralize your data and create accessibility across all your risk functions? Or are you struggling with the data visualizations part of things where you need that to be aggregated and easy to analyze for better informed decision making? And additionally, you’re unaware you can also choose the, I dunno option, I’m just going to give a minute, sorry.

Justin:
Yeah, yeah, we’re getting some great engagement there and I just want to remind everybody before we close the poll that you can enter any questions in the Q&A box and we’ll try to get to them as we reach the conclusion of the session. Pooja, you ready? I’m going to close it out now. You ready?

Pooja:
Amazing. Okay. Almost an equal challenge between collecting that data and integrating it. I think that’s great insight as we sort of walk through each of these dashboards and we show you that end value that you get from using systems and software that help you easily report on these risks and easily integrate and centralize those risks. So nice to see. Alright, with that I’m going to move into risk intelligence dashboards. Really the meat of this presentation today. Why dashboards really we have reporting, we do it in a very siloed way today.

Dashboards take that a notch further where it gives you those strategic overviews, an operational summary that you can easily present to your board on a quarterly basis or more frequently. And it’s an opportunity where you can really dive into the data, you’re able to understand trends, identify any outliers if there’s patterns in the data that point to certain decisions, resource allocation discussions that you might have or discussions around your audit budgets. So dashboards are really an empowering way to analyze the state of your organization and also communicate that effectively and more visually to key stakeholders across the board.

What do those top GRC dashboards look like to really deliver value? So I’m going to kick this off with our first dashboard, which is also quite a sought after one. The risk committee dashboard, most of you are from this space, but risk committees I reiterate anyways, the risk committees are the independent panel or team appointed by your board and they are really there to practice oversight.

They’re overseeing the strategy, the effectiveness of your program, your frameworks, and making sure that there are guardrails in place to mitigate any kind of losses. One of the fundamental challenges of presenting and consuming a risk committee dashboard with the data that you have at hand is that you oftentimes end up really getting to the symptom of the risk but not really to its root cause. And this really happens because you’re reporting on the risk, but you’re doing so more individually, it’s in a more siloed way and therefore you’re unable to understand that data and its collective impact across the entire organization, how it’s impacting your business objectives as well.

So it is really helpful to have a holistic way to see the depth and impact of these individual risks and determine if you are on track to meet those business goals, are your controls effective? Identifying those out of tolerance KRI and making sure that you’re staying within that risk appetite and risk tolerance level within the company.

Let’s break down the dashboard to see what reports can deliver a few different critical insights here. The first report is the average re risk score by risk category. This gives you the ability to view how different risk categories line up against your risk level.

And, as Jeff mentioned, it is a critical element of decision making is to really be able to identify what that risk appetite level looks for each of your organizations. Now, some may be outliers here that cause a higher risk in certain risk categories, but eventually even those can in fact help us reveal any systemic failures that might exist overall in the organization. And then as you sort of further drill through each into one of these risk categories, and by the way, this is not a dynamic report, not a real demo, so I’m going to do my best to show you what that looks like.

But if you were to further drill through into each risk category, that’s going to reveal the list of individual risks by each business unit. And so for example, here we see that the information technology risk risk category has crossed that acceptable risk threshold of the organization. You can investigate that further. As you drill down, you start to see that the business unit that is the most high risk area for that is your corporate division for example.

As you further drill through that, it will review the list of individual risks within that category and each of its impacts your risk rating as well. Ultimately at this point, leadership in the risk team, your CRO for example, is able to really understand the overall risk posture of their organization and be able to tell a clear story on where resources and mitigation efforts will be prioritized, which is likely in these high risk areas so as to proactively manage their risks.

So if cybersecurity or say data quality risk is the highest, as we can see here, it is an opportunity to share in their quarterly risk committee reports how it’s causing operational inefficiencies or how a cyber incident or unauthorized attack by say some malicious external third party is driving that impact here. And then you’re able to also support this by stating all the mitigation efforts that are in place.

Say you’ve implemented ongoing testing of your cyber risk control specifically or conducting regular system monitoring active maintenance or for any kind of disaster recovery and so on. So these are good insights to kind of add to that risk committee report and present it to the board. Then you have the move on to the next report in here. So you have the top 10 risks, aggregated risks where you’re able to compare the average residual risk scores to inherent risk scores, which is aggregated across all your business units.

If that gap is quite large, that’s good, but take the case of say here again the data security risk, we haven’t quite reduced the risk impact and if the average risk score of a particular risk is increasing over time, it may indicate that the controls that you have in place are no longer effective or that further action needs to be taken to mitigate that risk specifically. Executives at this point can also focus on the risks that have been poorly rated across multiple business units and also use this as an opportunity to dig deeper into that and this way it can then help to prioritize any kind of mitigation efforts and allocate more resources to those areas that would require this the most.

Then if you take the KRI ratings by business unit report, which can be classified by on target out of tolerance or within tolerance. So assuming if the out of tolerance KRI ratings of particular business unit is high, which is the case here for the corporate division, that might indicate that the controls that you have in place are no longer effective and potentially further action has to be taken to mitigate that risk. It’s also an opportunity to provide an early signal of increasing risk exposures in various areas of the enterprise making us more resilient and proactive.

When you look at the issue state report fairly straightforward, you’re tracking the state of issues that are open, maybe outstanding or could be in review. These are issues that have been identified through your risk program, things like control deficiencies or any kind of risks that require remediation or compliance violations. With this status report, it helps to quickly identify which of these issues require immediate attention and which are being actively addressed. If the number of high priority issues and total overdue actions, for example, which is one in this case is constantly increasing, then as a CRO you may need to reassess the risk process and allocate resources or identify ways to improve the overall efficiency and effectiveness.

Whether that is to say more frequent notifications or say you’re sharing issue status more transparently, making sure people know who can log issues and you ensure that they do. On the other hand, you can also check if the issue has been resolved, but resources are still working on it unnecessarily. So that’s again, that leads to being a whole other issue as well to dive into. In essence, the data is compelling you to investigate it deeper and to really get to that root cause.

When we look at the severity of loss events by month classified as critical, high, medium to low, that can offer insight into not just the volume and frequency but also the magnitude of loss events over time. Loss events can be of any type, say fraud or cyber attack or any kind of operational failures and its severity can be ranked based on the amount of financial loss that you would incur. Its level of disruption to the operations or potentially its reputational impact, but any which way that makes sense for the business. And by drilling through this, you can assess whether certain types of events are more common during certain months and develop certain strategies to reduce its frequency and severity. When you combine this with the dollar value, total net loss of loss events, you can also gauge the potential financial impact of loss events on the organization.

Here you can see it’s about close to 2.5 million and that could be a significant number for different companies of different sizes and gives you a good insight into should we be allocating resources accordingly and improving the effectiveness in these areas. Overall, you’re able to, at the end of this confidently state, if all the risks that are managed across multiple domains of your business, are they in line with the risk appetite tolerances that are set by a board even to the extent of will our internal controls and risk program help us achieve those strategic objectives.

Say, for example, you’re trying to be a market leader in a particular region or you’re maintaining the number one status of financial integrity within your industry. A handy dashboard summary like this can help you communicate those unique business insights. The board regularly take actionable suggestions on prioritizing risks and how to actually create savings for the overall business as well.

Moving on to our compliance management dashboard. We all know we are in a very volatile, changing regulatory environment. The need for a reliable way to meet compliance initiatives is very much top of mind for both, but unfortunately this is also one of the hardest things to satisfy. Keeping a constant tab on those shifting regulations like we recently saw on either the resiliency factor like the DORA mandate or changes in SOCs, your updates to AML across different jurisdictions, especially if you’re a global company, can get very, very complicated and very time consuming to manage. And so having a compliance dashboard is going to help give us a summary of that performance. But not only that, it also helps you reveal any kind of gaps you’re having in your compliance program. Also uncover that deeper meaning and impact it has on your business and track essentially the effectiveness of the controls that you have in place.

So we dive into the dashboard here first, compliance level by regulator reports, which is based on really a total number of requirements of each regulator and it’s categorized as from partially compliant, not compliant to compliant. This is a really good way to assess the overall compliance posture and identify those main areas of noncompliance in the business.

Frameworks marked as partially compliant could indicate that the program is set up well, but controls may not be documented and limited action is really being taken on it. So the organization is failing to meet a specific requirement like in the case of say here, ministry of labors as a regulator where the non-compliant rating is higher. As a compliance leader, you can allocate your resources or implement new processes to help improve and close that compliance gap.

As you drill through each of these regulators, you can view compliance level by each business unit and this allows executives to really identify which business units have higher compliance risks and which ones are performing well. That helps you focus your efforts more closely as well. And in this case it’s really the corporate and the operational business units that are highlighted as being high risk problem areas.

As you drill through a little bit deeper, you’d reveal which specific frameworks and risk scores of that regulator are causing that non-compliance. And now this information is pretty handy because it can be used to develop targeted programs, training for those business units and prioritizing any kind of other compliance efforts and resources and making sure that as you’re allocating resources, you’re doing it in those high risk areas, making things a lot more efficient for yourselves and the team. And of course we know that a lot of compliance teams work in conjunction with the risk team or they’re pretty short staffed and handling quite a bit with regulatory changes. So definitely having a way to focus efforts really makes a big difference.

The second report here is your average residual risk score by business unit, similar to what we saw before in the risk committee dashboard. This reveals the residual risk scores by associated compliance frameworks and how they measure up against the risk appetite score of the organization. You can again drill through to understand which frameworks lack compliance within shared services.

For example, as you can see that’s kind of breaking that threshold, that risk appetite level. And so you can drill through to see what controls need to be enforced or fixed in terms of design and efficiency to be able to reduce that risk score with that residual risk score. Then when you look at the controls operating effectiveness, which is categorized as not tested, not effective, to effective, that provides you a bit of a snapshot on how well the controls that have been put in place are addressing regulatory compliance requirements in the company.

By drilling through that, compliance executives can really view those controls by business unit and its self-assessment rating as well, which you can’t see here on the screen, but this really allows you to address the not so effective key controls that have been tested, but they’ve been found to be quite ineffective in addressing the risk that they were designed to sort of mitigate.

In fact, recently at Resolver we did an independent study with for the analyst organization to determine how these reports are really helping our compliance users and what we found was there was a 75% uptick in compliance testing efficiency, not just through of course the automation and eliminating redundancies through a platform, but by really being able to look at these kinds of reports to understand what areas of business are lacking control, effectiveness, and immediately adding resources and improving the design or enforcing implementation of it.

These insights are really driving value for businesses and it’s improving efficiency, but it’s also helping achieve business objectives overall. And with this dashboard, compliance officers and compliance leaders are able to monitor the posture, the compliance posture of your company, and identify potential areas of weakness before they can become significant issues.

Next, I’ll just touch on this lightly, but having a report to measure your average risk scores by frameworks is also good to read, but we also saw this in our risk committee dashboard and so just making sure that able to look like for example, the anti-money laundering framework, how does that measure up in terms of the difference between when you originally identified your inherent risk score to your residual risk score? Gives you some idea about maybe diving into that and seeing what, sorry, what area of that requires additional input and effective control measures?

Okay, our third dashboard: audit committee, more so the internal audit committee dashboard. So audit committees always have a lot going on. Top priorities for them would be to focus on issues, of course the risk profile, any trends, any themes, issue remediation efforts that are being put in place so that they can support oversight responsibilities.

When we dive into the dashboard, the first thing that’s really top of mind is how do we prioritize our audits for greater efficiency, right? So for that, we take a look at our audit rating by audit type report. So ranked from unsatisfactory to good. We see here that at said company operational audits are a challenge with high unsatisfactory rates.

When you deep dive into this, you can uncover what projects, which auditable entity and its risk rating as well. You can also go deeper into looking at what issues are driving this, who’s in charge? Can we define a better audit questionnaire or improve the frequency of our audits, making sure that the objectives of an operational audit are understood by the organization. And so just to give you a real world example, assuming you have, you’re part of say an F&B company, objective is you want to maintain food and hygiene standards for a better experience. We can talk through what are the recurring issues that we are seeing here and what needs to be done to be able to improve that.

Additionally, I also want to touch on this report here, decide recent audit results. You have your last audit date and results can help identify entities that have not been audited recently or areas where audit findings have consistently reoccurred, which will prompt much closer examination of it.

The next thing we’re looking to improve is of course audit effectiveness. So it helps to see the status of corrective actions report. The dashboard provides visibility into the status of corrective action taken by the various business units in response to your audit findings. This allows the committee to assess the progress of those remediation efforts and ensure that corrective actions are being appropriately implemented across the company. The dashboard displays the priority levels of the identified issues along with their current status. This helps the audit focus on high priority issues that would require immediate attention and it also allows them to track the resolution of these issues over time and evaluate the effectiveness of the organization’s efforts to be able to address these.

The control operating effectiveness. So the operating effectiveness controls across your various process report is also a neat report to gauge the organization’s control environment and identify areas where control weaknesses might be existing today. Say with IT controls are significantly ineffective as it shows, and this also ties back into this larger story that we had where we saw the data or cyber risks that were breaking our risk appetite. This is where you start seeing value in the audit team and the risk team speaking the same language and working towards common organizational objectives and goals. And possibly this also helps in evaluating the control maturity across these units. So ultimately you’re in a position where you can make informed decisions regarding control enhancements or remediation efforts or resource allocation to those high risk areas.

Of course, no audit dashboard is complete without insights on issue resolution. So tracking the average issue age or for example, the number of overdue urgent actions, it’s a good data card that you can quickly, as you glance over it, quickly pick up those values. Gives you a good insight and helps you prompt those valuable questions on the why. What is the extent of these overdue actions, what caused it? And when you combine that with an understanding of the percentage of the budget that’s been used to date, can also point to significant deviations from the planned budget. And again, prompt more valuable discussions around resource allocation or budgeting for your future periods with your audits and investigate those reasons for delays or even any systemic issues that might hinder timely issue resolution.

Okay, quickly moving on to your third party risk dashboard. We know that most organizations have increased their dependency on third parties since the pandemic. Of course we’ve gone virtual in our operations, it now includes not just suppliers of goods and services but also affiliates, joint venture partners, and the ever-growing tech stack that we’re seeing across different companies. So since we’re going with the whole theme of the information security team here, let’s look at it from the lens of our IT vendor ecosystem and how this dashboard can really help improve those relationships, improve our safety, and also strengthen compliance across the entire chain.

So the first step is taking a more informed approach to the vendor selection process and being able to manage those portfolios effectively. So whether that is utilizing the average risk rating by contract size or spend report to be able to align vendor risk exposure with our business value and then gain a detailed understanding of how the average risk screening of said vendors for example, changes across different spending levels is a very valuable thing to see.

Can also aid with negotiations as you’re onboarding these vendors, and also by categorizing vendors into these spend ranges that you have, you can, one, discern whether there is a trend of increased or decreased risk as the contract spend is increasing. It can also help you see if there’s a relationship between the size of vendor contracts and the level of risk that they pose to your organization. And then this sort of leads to being able to answer questions like do vendors with higher spending generally have a higher risk or lower risk rating? Or are there spending thresholds where these ratings notably change?

And then for more on the strategic vendor engagement, you want to be able to consider your vendor risk ratings and asset criticality when engaging with your vendors. So we shouldn’t be using names but say for example, one of our vendors has a higher criticality score, it’s going to tell us what is the level of due diligence that we need to conduct here and what is expected as far as monitoring and the frequency of risk reviews and assessment goes. All of this to improve collaboration but also be able to balance the risk value and relationship more effectively.

This also translates into risk prioritization of course, that’s another big important aspect of decision-making: where do we prioritize efforts? So when we look at the heat map here of criticality to risk grading, you can identify and prioritize vendors with a high risk and criticality for immediate mitigation.

And then lastly, I’ll quickly touch on strengthening compliance through that vendor supply chain. So you can monitor your vendor assessments that are completed by quarter against assessment targets, ensuring that there’s compliance with assessment timelines. You can also use the monthly average vendor assessments length, for example by criticality tier here, whether it’s low, medium to significant or critical, and this can help optimize assessment processes for efficiency and more accuracy. Last but not least, comparing the total contract amount spent versus the budget can help drive decisions to manage your costs while also of course maintaining our vendor relationships.

I know I’m breezing through some of this, but IT risk dashboard: cyber risk is a huge thing today. Core aspect of moving to a more cybersecurity, mature cybersecurity program is to be able to formalize your ability to measure and report cybersecurity performance, but measuring that is not an easy task, especially with an ever expanding attack surface that we see.

At the very same time, security leaders today are under an immense amount of pressure to demonstrate that value beyond just reducing risks. They also need to demonstrate how their security plans align with the overall goals of the organization, which the right metrics can help them achieve. And that leads to the importance of this IT or cyber risk dashboard. Being able to measure your org wide risk response plans, for example, can help your chief information security officer really understand the organization’s level of risk management maturity and if there is a proactive approach to managing those risks to understand response plans that have been implemented, whether it’s after treatment, which refers to risks that have been mitigated through controls or other kind of risk treatment strategies that have been implemented.

When you see after transfer, as you explored that, it really refers to the risks that have been transferred to a third party, for example, through insurance or other contractual agreements. The accepted risk bucket refers to your risk that your organization has decided to tolerate either because the cost of mitigating the risk is too high or because the risk is deemed to be within the organization’s risk appetite. And so there’s a plethora of different risks that you’re looking at. You’re also, it also helps to see that control effectiveness by business unit. You can also track issues by business unit. We’ve seen a few of these before in the other dashboards, but this is relevant to your IT risk category of risks. And also measuring asset criticality versus your residual risk score can help you really know where you should be focusing efforts on which vendors or which tools that are causing the greatest impact.

I also want to very quickly showcase that there are several different types of dashboards you can build based on your need. There is an IT compliance task if you’re in the process of making sure you’re doing an ISO certification, SOX compliance. So it’s a good opportunity to kind of showcase how that’s progressing along, where the challenges are to meet those goals. There’s also an internal control dashboard, so you’re centralizing your issues now you’re tracking control effectiveness, design performance, and all the corrective actions that are being taken. So this is another valuable report for different teams. Also by the risk team and compliance team and audit can use this as well, but if you have an independent internal controls division, this is a fantastic way for them to track impact.

So to really summarize, I know we went through quite a bit there of data, different types of reports can be quite a bit to digest, but at the end of the day what our biggest takeaway is there’s so much value, especially business value and the benefits that you can take away from these summarized aggregated reports that give you a great visual snapshot into the performance of the different initiatives you’re taking across your GRC divisions. You’re able to track gaps in compliance, how are you responding to risks, what plans and mitigation actions are in place, are there open issues? What’s our audit coverage and where our failed controls lie and getting to that root cause.

As I mentioned before, it’s an opportunity to really kick open discussions on budgets and more monetary things that are impacting bottom line of the organization and larger business objectives that you have in place. More than anything, I would say it’s also an opportunity to improve efficiency, which is again, at the core of it what we all aspire to do. I’m going to kick another poll. I know we’re almost end of time, so would be nice to get an idea for the audience here today, which of those dashboards really resonated with you? What would you think in your company is the most impactful? If you have anything else in mind, we can always click on those.

Justin:
All right. And while we get your poll answers, just want to let you know we will make a couple of extra minutes to answer some of the questions, and keep submitting your questions. If we don’t answer ’em live, the Resolver team, Pooja and Jeff, will reply to you directly. Wait another five seconds here and then we will wrap it up. We’ve got some great engagement on this polling question. Here we go.

Pooja:
Whoa, nice. Okay. Not surprising, definitely. It certainly is a very valuable dashboard, as I mentioned, quite sought after as well, summarizes the risks across the entire organization. So great to see. And this is also a testament to see how third party is now a critical aspect of business operations. So surely that is also an indication to why those dashboards would prove to be quite valuable. Okay, I’m going to quickly round this off, our presentation today.

What is that risk intelligence vision that you should aim and strive for and makes the greatest impact? The mission is really simple. You’re taking disparate systems that are siloed. Leadership visibility is obscured on those because your true impact of your risk is quite hidden. You take that, you integrate it, centralize your data and you’re able to visualize it so that you can really reveal the true potential of risks and look at it in a more positive light where you’re taking the opportunity out of it.

And really at the end of all this, the risk teams that are in play here, what challenged for time resources, they are able to free up some of that time plan more strategically on driving the business forward, making a true impact at the table. When you’re looking for software and tools, typically some of the GRC integrated GRC solutions out there offer quite a few different options.

Your general reports could be basic roll-ups of your data grids and tables, heat maps, things like that. You also could use a BI connector if you’re using your own tools like Tableau and Power BI today. You can create that one source of truth by using an API and a BI connector to pull that data into that software that you use for GRC functions or you have out of the box rich interactive dashboards offered within these tools that give you good sense of trend analysis.

You can drill through it, get really to the bottom of that. Just from Jeff and I’s side, Resolver is an all-in-one solution. It’s an integrated software for GRC needs, but we also cover physical security. Today’s world, the dark web is quite a scary place to be. So brand reputation and risk monitoring is critical. And so we have solutions to protect brand equity and trust and safety apart from all the different regulatory compliance applications, be it IT compliance or your general regulatory compliance, pharmaceutical and healthcare compliance, third party risk.

And of course you also have BCP, which is disaster and recovery planning. So a plethora of different solutions. And so with that, I will conclude this presentation. I did quite a bit of talking, but if you had any questions, I’d love to see it in the chat or we’ll connect back with you since we are top of the, and we can always take your questions and respond back in due time.

Justin:
Okay, so we’re just about out of time, so we’re going to have the questions answered directly. So we’ll take this moment now, folks out there to drop them in the Q&A box and I am going to get ready to close this out.

Special thanks to Jeff Fall and Pooja Azhalavan for their time and expertise. The Resolver team has your questions. Keep putting ’em in the box though for the next 60 seconds and they will reply to you directly afterward as long as you put ’em in there.