Today’s world is complicated, interconnected, and rapidly changing. And with change comes both risk and opportunity. In this context, an organization’s success depends on its ability to leverage change, and the risks that come with it, to its benefit. To enable this, Risk, Compliance, and Audit teams need the mindset, tools, and data to be ahead when it comes to risk. In this webinar, you’ll learn the must-have risk reports that help you leverage risk, compliance, and audit data to build a data-backed strategy that ensures your organization can fully embrace and capitalize on the opportunities that change brings.
Watch the recording to learn:
- Challenges to identify and collect risk, compliance, and audit data to support insight generation.
- The top 10 risk reports every GRC professional should have at their fingertips.
- Best practices for visualizing your risk, compliance, and audit data to support strategic decision-making and operational efficiency.
Q&A Responses
1. What are the top 5 information fields that must be in a risk intelligence dashboard?
Every dashboard can be different based on the data it needs to show. However, there are five consistent themes that apply to risk-at-a-glance visualization needs:
- Impact on risk landscape: Displaying data such as risk scores, tolerances, or effectiveness ratings can help businesses take action on high-impact records.
- Trending over time: Data such as financial loss over the past four quarters can tell the story of how your business performs compared to historical instances.
- Priority: This can help point out areas of focus for dashboard consumers.
- Due dates: Similar to priority, speaking to due dates can enable further discussion of what needs to be done and when.
- Aggregation: Being able to roll data up to different data points enables departments, processes, or jurisdictions to see how they compare to their peers.
2. Is it preferred to establish a real-time dashboard?
A real-time dashboard is not required, as you can often refer to data from previous assessment cycles. However, having a view of your live risks can ensure that your business makes decisions based on the most updated version of your risk landscape.
3. Should I use an industry-specific risk intelligence software solution?
It's not required to use an industry-specific risk intelligence software solution. There are pros and cons to both industry-specific and industry-agnostic software, which businesses should evaluate in accordance with their objectives. For example, industry-specific software can delve really deep into an industry and create functionality that's specific to that area.
However, with that comes a narrow lens into the wider trends of the risk market, therefore missing other functionality that may be useful to your business. Investing in risk intelligence software that can scale with your business needs and maturity over time will ensure you're not having to replace systems and retrain staff as you grow.
4. What's the easiest/best message to provide an organization that is too siloed to allow for collaboration in reporting?
When communicating within a siloed organization, it helps to emphasize the benefits of collaboration. Having a centralized view of risks, controls, and evidence will help to improve control resilience across your organization.
With collaborative reporting, your risk, compliance, and audit leaders can deliver a unified recommendation to the board and gain influence. Integrated solutions can help teams access better information, operate more efficiently, complete risk-based audits more effectively, and mitigate non-constructive risks.
5. How relevant is the 3LOD model under conditions of increasing risk emergence and velocity?
The three lines of defense model (3LOD) remains relevant and important for effective risk management. As risks become more complex and dynamic, it's crucial for organizations to have a clear understanding of roles and responsibilities in managing those risks.
In a rapidly changing environment, the first line is often the first to detect emerging risks and can take action to mitigate those risks before they become major issues.
The second line can play a critical role in identifying emerging risks and regulatory requirements and in implementing controls to mitigate those risks.
In high-risk environments, the third line can help identify areas where controls may need to be strengthened and improve resilience to combat future emerging risks.
Overall, the model helps with sharing accountability and prepares your organization to respond quickly and effectively to a dynamic risk landscape.
6. How frequently do organizations document their risk tolerance and properly use that for strategic planning?
It completely depends on your organization's risk maturity. With a high maturity, it will be in 75% of our implementations, which we have seen happen more in the European and APAC markets than others, perhaps due to a higher regulatory focus on risk. With lower maturity, we see this in perhaps 25%, which is generally when the organization has a good risk culture with executive buy-in but low maturity processes.
7. Does Resolver work with start-ups without set risk processes?
Yes, our product works well with organizations of all sizes and risk maturities. Our highly scalable platform is no-code, offering the flexibility to configure workflows and reports to suit unique business objectives that can grow alongside your organization's needs. More importantly, our services teams help customers build a comprehensive risk register, sharing best practice recommendations at every step. Our intake portal can help quickly identify risks, and we automate wherever possible — from assessments to reporting. With our growing user community, we encourage and facilitate discussions between customers so that our users get the most development in a short time.
8. Does Resolver have different levels of risk intelligence solutions?
Yes, Resolver offers a risk intelligence solution that integrates enterprise risk management, compliance and ethics, internal audit, and internal controls over financial reporting. We also offer applications covering corporate security and information security needs, such as IT Risk management, IT compliance, incident management and third-party vendor risk. Built on a single core platform, all applications integrate seamlessly with each other, allowing for better information sharing and collaboration across various risk teams. The platform offers 300+ integrations using Workato, workflow automation, advanced visuals, and reporting capabilities. Organizations can scale as required, and — being no code — we hone the flexibility to build and deliver custom applications to serve client needs. More importantly, our solution integrates with Regulatory Technologies like Ascent, Canadian Compliance Group and Lexis Nexis — this helps to notify compliance teams of regulatory changes and protect the organization from non-compliance. You can learn more on our IT Compliance frameworks here and Regulatory solution here.
9. How do you keep up with integrations to get the best and most relevant data?
Resolver's Platform comes with a fully open API that allows customers, ourselves, or third-party vendors to connect Resolver to other elements within your enterprise architecture. With the help of Workato, Resolver can support 300+ integrations to your enterprise applications, to seamlessly integrate Resolver as a part of your tech stack. This includes Resolver's BI connector add-on that allows our users to connect their existing Business Intelligence (BI) tools, such as Tableau and Power BI, directly to the data warehouse.
All changes made in Resolver Core are pushed to the data warehouse. Any updates will be captured and tagged with a timestamp, allowing you to build reports based on historical changes. If you make changes multiple times within a few seconds, those will be aggregated in Resolver's data warehouse.
10. How do you normalize risk across different parts of the business to help best understand priorities?
Normalizing risk is great for prioritizing risk management efforts. It involves identifying and establishing a common language and framework for evaluating and prioritizing those risks by:
- Identifying and categorizing risks across the organization. This can involve conducting a risk assessment for each department or business unit and mapping risks to specific objectives, such as financial, operational, or legal.
- Define risk metrics to be used to compare and evaluate risks across the organization. This can include factors such as likelihood, impact, severity, and velocity of risk.
- Establish risk tolerance levels for each risk category, based on your organization's overall risk appetite and business objectives. This can help prioritize risks and guide decisions.
- Create a risk dashboard that aggregates risk metrics and provides a unified view of risks across the organization. This can help identify trends, outliers, and areas of concern.
- Conduct scenario analysis to model the potential impact of different risks on the business. This can help evaluate the relative importance of different risks and inform strategy.
- Communicate and collaborate with stakeholders across your organization to ensure a shared understanding of priorities and encourage a culture of risk awareness.
11. Risk intelligence assumes a centralized data set. What has been your experience in overcoming data gaps in organizations that lack this kind of data structure and IT architecture? Any best practices?
Some best practices for overcoming data gaps and the lack of a centralized data structure include:
- Conducting an inventory of all data sources and assessing their quality and relevance. This will help identify gaps and redundancies and help prioritize data collection efforts.
- Creating a data strategy to store and analyze data. This can be done by identifying key metrics and data points needed to support risk teams and even define a clear risk taxonomy.
- Establishing a data governance structure that outlines roles, responsibilities, and processes for collecting, managing, and sharing data.
- Leveraging technology with integrated risk intelligence solutions like Resolver to help automate data collection and analysis wherever possible.
- Building a culture by communicating the value of data. Engage the first line by showcasing the impact of data collection, and promote the benefits of data-driven decision-making. Getting everyone together to recognize the benefits can achieve buy-in.
12. What is the relationship between the organizational culture and governance, risk, and compliance (GRC)?
An organization's culture sets the tone for how employees perceive and respond to risks and influences their attitudes toward compliance and governance. A stronger culture of risk awareness encourages employees to report issues or potential violations of compliance requirements. Strong leadership and ongoing training can also help keep employees informed about policies, regulations, and risk management practices.
Overall, a strong GRC framework requires a culture that supports and reinforces good governance practices, encourages risk awareness, and emphasizes the importance of compliance with policies and regulations.
13. Is it possible to integrate your risk intelligence software with an XDR + SOC solution used by the first line considering the sheer volume of telemetry?
It's possible to integrate a SOC (Security Operations Center) solution used by the first line with Resolver's Cyber Incident Management application (Cyber IM) — even with the high volume of telemetry generated by these tools — through:
- Incident detection and response: SOC solutions can monitor network traffic and detect security incidents in real time. They can then trigger an incident response process using Resolver's Cyber IM application. This helps ensure the incident is handled promptly and efficiently.
- Incident investigation and analysis: Resolver's Cyber IM platform can be used to investigate and analyze security incidents with detailed information collected on the incident. The SOC can then use this information to refine its detection and response processes, as well as identify and mitigate any underlying vulnerabilities.
- Incident reporting and communication: Resolver's Cyber IM platform can be used to generate incident reports, communicate with stakeholders, and report the incident to regulatory bodies. The SOC can then use this information to improve its incident reporting and communication.
- Incident recovery and remediation: Together, the SOC and Resolver's Incident application can improve incident recovery and remediation processes by tracking the progress of recovery efforts and verifying the effectiveness of security controls.
- Integrating with XDR is possible through simple configuration. The incident response component can be built out for threats.
- Integrating with an XDR is possible. However, consideration would have to be put into what is pulled over to ensure that the telemetry that is pulled over is actionable and reportable.
14. How often are risk assessments undertaken in the changing dynamic external environment?
The frequency of risk assessments depends on various factors, such as the industry, the size of your organization, the nature of your business, and the level of regulatory compliance required. It's best to continuously increase the frequency of assessments whenever there are significant changes in your organization's business processes, technology infrastructure, regulatory environment, or external threat landscape. This helps ensure that your organization's risk management strategies remain effective and relevant in a changing dynamic external environment. (Pooja Azhalvan)