Today’s world is complicated, interconnected, and rapidly changing. And with change comes both risk and opportunity. In this context, an organization’s success depends on its ability to leverage change, and the risks that come with it, to its benefit. To enable this, Risk, Compliance, and Audit teams need the mindset, tools, and data to be ahead when it comes to risk. In this webinar, you’ll learn the must-have risk reports that help you leverage risk, compliance, and audit data to build a data-backed strategy that ensures your organization can fully embrace and capitalize on the opportunities that change brings.
Watch the recording to learn:
- Challenges to identify and collect risk, compliance, and audit data to support insight generation.
- The top 10 risk reports every GRC professional should have at their fingertips.
- Best practices for visualizing your risk, compliance, and audit data to support strategic decision-making and operational efficiency.
Q&A Responses
1. What are the top 5 information fields that must be in a risk intelligence dashboard?
Every dashboard can be different based on the data it needs to show. However, there are five consistent themes that apply to risk-at-a-glance visualization needs:
- Impact on risk landscape: Displaying data such as risk scores, tolerances, or effectiveness ratings can help businesses take action on high-impact records.
- Trending over time: Data such as financial loss over the past four quarters can tell the story of how your business performs compared to historical instances.
- Priority: This can help point out areas of focus for dashboard consumers.
- Due dates: Similar to priority, speaking to due dates can enable further discussion of what needs to be done and when.
- Aggregation: Being able to roll data up to different data points enables departments, processes, or jurisdictions to see how they compare to their peers.
2. Is it preferred to establish a real-time dashboard?
A real-time dashboard is not required, as you can often refer to data from previous assessment cycles. However, having a view of your live risks can ensure that your business makes decisions based on the most updated version of your risk landscape.
3. Should I use an industry-specific risk intelligence software solution?
It's not required to use an industry-specific risk intelligence software solution. There are pros and cons to both industry-specific and industry-agnostic software, which businesses should evaluate in accordance with their objectives. For example, industry-specific software can delve really deep into an industry and create functionality that's specific to that area.
However, with that comes a narrow lens into the wider trends of the risk market, which can mean missing other functionality that may be useful to your business. Investing in risk intelligence software that can scale with your business needs and maturity over time will ensure you're not having to replace systems and retrain staff as you grow.
4. What's the easiest/best message to provide an organization that is too siloed to allow for collaboration in reporting?
When communicating within a siloed organization, it helps to emphasize the benefits of collaboration. Having a centralized view of risks, controls, and evidence will help to improve control resilience across your organization.
With collaborative reporting, your risk, compliance, and audit leaders can deliver a unified recommendation to the board and gain influence. Integrated solutions can give teams access to better information and a greater ability to complete risk-based audits, and help them operate more efficiently and mitigate non-constructive risks.
5. How relevant is the 3LOD model under conditions of increasing risk emergence and velocity?
The three lines of defense model (3LOD) remains relevant and important for effective risk management. As risks become more complex and dynamic, it's crucial for organizations to have a clear understanding of roles and responsibilities in managing those risks.
In a rapidly changing environment, the first line is often the first to detect emerging risks and can take action to mitigate those risks before they become major issues.
The second line can play a critical role in identifying emerging risks and regulatory requirements, and in implementing controls to mitigate those risks.
In high-risk environments, the third line can help identify areas where controls may need to be strengthened and improve resilience to combat future emerging risks.
Overall, the model helps with sharing accountability and prepares your organization to respond quickly and effectively to a dynamic risk landscape.
6. How frequently do organizations document their risk tolerance and properly use that for strategic planning?
It completely depends on your organization's risk maturity. With a high maturity, it will be in 75% of our implementations, which we have seen happen more in the European and APAC markets than others, perhaps due to a higher regulatory focus on risk. With lower maturity, we see this in perhaps 25%, which is generally when the organization has a good risk culture with executive buy-in but low maturity processes.
7. Does Resolver work with start-ups without set risk processes?
Yes, our product works well with organizations of all sizes and risk maturities. Our highly scalable platform is no-code, offering the flexibility to configure workflows and reports to suit unique business objectives that can grow alongside your organization's needs. More importantly, our services teams help customers build a comprehensive risk register, sharing best practice recommendations at every step. Our intake portal can help quickly identify risks, and we automate wherever possible — from assessments to reporting. With our growing user community, we encourage and facilitate discussions between customers so that our users get the most development in a short time.
8. Does Resolver have different levels of risk intelligence solutions?
Yes, Resolver offers a risk intelligence solution that integrates enterprise risk management, compliance and ethics, internal audit, and internal controls over financial reporting. We also offer applications covering corporate security and information security needs, such as IT risk management, IT compliance, incident management, and third-party vendor risk. Built on a single core platform, all applications integrate seamlessly with each other, allowing for better information sharing and collaboration across various risk teams. The platform offers more than 300 integrations using Workato, workflow automation, advanced visuals, and reporting capabilities. Organizations can scale as required, and — being no-code — we have the flexibility to build and deliver custom applications to serve client needs. More importantly, our solution integrates with regulatory technologies like Ascent, Canadian Compliance Group, and LexisNexis — this helps to notify compliance teams of regulatory changes and protect the organization from non-compliance.
9. How do you keep up with integrations to get the best and most relevant data?
Resolver's Platform comes with a fully open API that allows customers, ourselves, or third-party vendors to connect Resolver to other elements within your enterprise architecture. With the help of Workato, Resolver can support more than 300 integrations to your enterprise applications, to seamlessly integrate Resolver as a part of your tech stack. This includes Resolver's BI connector add-on, which allows our users to connect their existing Business Intelligence (BI) tools, such as Tableau and Power BI, directly to the data warehouse.
All changes made in Resolver Core are pushed to the data warehouse. Any updates will be captured and tagged with a timestamp, allowing you to build reports based on historical changes. If you make changes multiple times within a few seconds, those will be aggregated in Resolver's data warehouse.
10. How do you normalize risk across different parts of the business to help best understand priorities?
Normalizing risk is great for prioritizing risk management efforts. It involves identifying and establishing a common language and framework for evaluating and prioritizing those risks. To do this:
- Identify and categorize risks across the organization. This can involve conducting a risk assessment for each department or business unit and mapping risks to specific objectives, such as financial, operational, or legal.
- Define risk metrics to be used to compare and evaluate risks across the organization. This can include factors such as likelihood, impact, severity, and velocity of risk.
- Establish risk tolerance levels for each risk category, based on your organization's overall risk appetite and business objectives. This can help prioritize risks and guide decisions.
- Create a risk dashboard that aggregates risk metrics and provides a unified view of risks across the organization. This can help identify trends, outliers, and areas of concern.
- Conduct scenario analysis to model the potential impact of different risks on the business. This can help evaluate the relative importance of different risks and inform strategy.
- Communicate and collaborate with stakeholders across your organization to ensure a shared understanding of priorities and encourage a culture of risk awareness.
11. Risk intelligence assumes a centralized data set. What has been your experience in overcoming data gaps in organizations that lack this kind of data structure and IT architecture? Any best practices?
Some best practices for overcoming data gaps and the lack of a centralized data structure include:
- Conducting an inventory of all data sources and assessing their quality and relevance. This will help identify gaps and redundancies and help prioritize data collection efforts.
- Creating a data strategy to store and analyze data. This can be done by identifying key metrics and data points needed to support risk teams and even defining a clear risk taxonomy.
- Establishing a data governance structure that outlines roles, responsibilities, and processes for collecting, managing, and sharing data.
- Leveraging technology with integrated risk intelligence solutions like Resolver to help automate data collection and analysis wherever possible.
- Building a culture by communicating the value of data. Engage the first line by showcasing the impact of data collection, and promote the benefits of data-driven decision-making. Getting everyone together to recognize the benefits can achieve buy-in.
12. What is the relationship between the organizational culture and governance, risk, and compliance (GRC)?
An organization's culture sets the tone for how employees perceive and respond to risks and influences their attitudes toward compliance and governance. A stronger culture of risk awareness encourages employees to report issues or potential violations of compliance requirements. Strong leadership and ongoing training can also help keep employees informed about policies, regulations, and risk management practices.
Overall, a strong GRC framework requires a culture that supports and reinfor