Governance, Risk and Compliance
Published October 27, 2015
Take a look at today’s headlines and you’ll see a nearly endless collection of stories about companies impacted by risks—everything from weather events to the simple inability to hang on to their best employees.
If you’ve found yourself looking to strengthen your enterprise risk management processes to meet these challenges head-on, take heart: You’re not alone.
One survey found that 52% of respondents felt ERM was not viewed in their organization as a strategic tool that provided unique competitive advantage. Only 25% reported that their company had a formal enterprise-risk management process in place.
Yet it could be considered common knowledge that the companies who are best able to respond to a pending crisis are the ones who were able to integrate risk management and strategy.
Making those two meet is important, because the longer you’re in business, the more likely it is that you’ll bump up against serious risks.
The imperative is clear—the better you get at operationally and strategically managing risks, the more adaptable and resilient your company will be.
If you’re considering using risk management software to help you do that… Read on.
For most executives, risk assessment is not a “natural” behavior. Even those with years of experience often have blind spots and biases they need to force themselves to overcome.
Harvard Business Review identifies six mistakes executives often make when assessing risk, including:
The biggest risk, the article says, “lies within us: We overestimate our abilities and underestimate what can go wrong.”
One Corporate Executive Board study bears this out. It looked at market losses in survey respondents’ companies, and found that fully 86% of those losses resulted from strategic risks. The proportion of time those companies spent on looking at strategy risks? Just 6%.
That’s a shocking mismatch, and one that points to the need for software that transforms data into insights. When risk management is aligned with strategic objectives and embedded into the organization across levels and processes, you’ll be better able to assess and mitigate risk.
As both the velocity and the volume of regulatory change increase, companies are struggling to stay current. Meeting expanding legal obligations with limited internal resources gets harder and harder.
At the same time, stakeholders are demanding more and more from organizations. Boards and management need to meet those demands head-on.
Unfortunately, that’s not always what happens. A landmark 2006 McKinsey study laid out some sobering facts around gaps in risk management capabilities at the Board of Directors level—gaps that still exist today:
Clearly it’s important to arm directors and management with the information they can use to understand the full breadth of legal, financial, operational and reputational risk in the organization—and manage the organization accordingly.
An enterprise-wide approach to governance and compliance, supported by intelligent software, prioritizes compliance issues that may not necessarily be project-based, in order to minimize the risk of noncompliance… So that your board and management can focus on what really matters.
Internal Audit is increasingly called upon to provide assurance around strategic, stakeholder-facing risks—what was once a cost center now helps tell the organization what really matters.
And yet, for those doing the auditing, there’s a tense balance between doing “what you’re best at” and trying to get better at everything else.
One study focusing on the public sector found that while 92% of organizations surveyed were involved in at least one type of compliance audit activity, just 53% were performing audits of ERM processes, and only 40% were doing corporate governance reviews.
There’s good news, though. Technology can help internal audit spend less time on the basics and more time and effort where it counts—implementing more effective internal audit governance practices.
Risk management software, in particular, can help you view risk data in a way that is relevant and valuable for strategic decision-making. And when you can read your data to uncover threats and opportunities, of course, you’re more able to offer the best insight to management.
With the right tool, interactive visualizations of both entity-level data and high-detail information are just a few clicks away.
When asked “Please indicate whether your internal audit activity performs (or is anticipated to perform) the following,” survey respondents answered as below:
Operational risk is a serious challenge. And until the mythical day when people, processes and systems don’t break down—and external pressures suddenly fail to threaten—it will remain so.
Yet according to Risk.net’s 2014 OnRisk Benchmarking survey of global financial leaders, there is little consensus in business about what operational risk actually is.
Nearly a quarter of those surveyed reported they were only informally involved in activities like regulatory compliance or disaster recovery planning. And though a third reported formal involvement in, say, new product development, only about 10% were as involved in fraud prevention.
“There is no consistent pattern,” the survey said, “from one company to the next, with some institutions giving operational risk a leadership role in an area from which another will exclude the function entirely.”
That’s concerning. But regardless of what operational risk managers do, how they do it is important.
By leveraging GRC software to improve organizational capability to assess, measure and manage operational risks—no matter whether they stem from people, processes, systems or external events—any business can better deal with threats and capitalize on opportunities.
Below are percentages of institutions surveyed with comprehensive reporting of operational risk and its impact on business strategy, performance, risk appetite and varying level of the organization (multiple responses allowed).
As web-based attacks become more commonplace—there are many who call 2014 “The Year of the Data Breach”—more and more companies and their customers are compromised.
37 million users were affected in the high-profile Ashley Madison hack; US healthcare provider Anthem’s data breach flew comparatively under the radar at the beginning of 2015 but exposed more than twice as many records. The United States Office of Personnel Management and the Internal Revenue Service also suffered massive—and massively embarrassing—breaches.
Yet information security is only one facet of IT risk management. The “sexiest” or most publicized, yes—but still only a single piece of a larger puzzle that encompasses all the ways IT is used and operated in an organization. Information security may be only one aspect of IT risk, but it’s a big one.
A risk-based approach to IT security can help you align all your IT risks—threats to your operations, assets or staff—and uncover your biggest threats and deficiencies… Meaning you’ll focus on what’s most important.
Infrastructure has simply grown too complex to protect everything you own or manage; consider using software to help you decide where to focus your attention.
Incidents often don’t “just happen;” they’re frequently driven by underlying issues. Failing to connect the two can lead to a misplaced focus on the symptoms of a problem—not the cure.
When they are connected, good things happen. Auditors can identify and report audit findings. Compliance officers can identify issues for failed control tests and ensure that appropriate follow-up plans are in place. Operational risk managers can log and track loss events and support regulatory investigations.
If your incident recording isn’t what it should be, or is improperly tied to issue management (if it is tied at all), it becomes harder for areas of the business—such as Audit, Compliance, Risk Management and IT—to coordinate and collaborate on gathering and assessing issues.
But with a proper union of the two, you’ll be able to integrate the proactive planning, identification, assessment, and review functions with reactive monitoring, mitigation and reporting.
Software that integrates incident management and issue tracking can help you manage incidents and identify and follow up on issues in real time… You’ll prevent more problems from happening, make smarter decisions, and more easily capitalize on opportunities you might have missed.
Thirteen years on, you’d be forgiven for assuming most companies had SOX under control. Yet Sarbanes-Oxley still poses challenges—not the least of which concern reporting.
And with an SEC survey estimating the average total cost of Section 404 compliance at $1.21 million, it’s safe to say that making sound accounting and reporting judgments has become more important than ever.
Data consistency is paramount if your business is to keep pace with best practices. However, that’s easier said than done when different collection systems exist in multiple business groups. Without an accurate top-level view of your compliance activities, you’re courting disaster. But what if there were an easy way to generate reports to support proof of your organization’s compliance? If you could get real-time access to data with user-configurable, drill-down reports, you could more confidently sign off on 302 and 404 certifications. And by seeing the root causes of deficiencies early in the process, you could better plan for success.
Next-level reporting software can dramatically reduce the time your organization spends generating reports and determining the status of processes, risks, controls, tests and remediation. Better still, the right software can go beyond enabling compliance—to ensuring peace of mind.