Like cars, whose investment and value we protect and preserve with regular annual maintenance at the least, your GRC and risk management processes and tools require careful regular service to preserve and extend their value and utility. Business environments are fluid. Change is a reliable variable from one year to another. Your business may have expanded, or contracted. You may be offering new products or services, or have engaged new partnerships, suppliers, or service providers. Your contract portfolio may have new obligations, performance requirements, or deadlines. Regulations may have changed, or perhaps your business has, and so now falls within scope of some regulatory oversight you were not obliged to address in the past. There may be other differences between your last fiscal year and the present. So, how do you go about performing a tune-up for your risk management practices? Let’s explore that in more detail.
Start With The Risk Register
Your risk register is at the foundational core of your program. It’s the compass and map of your program. If it’s no longer complete, nor aligned to your business, your ability to effectively manage risk across your lines of business will falter. Examine its detail. Does it still account for all the operations, services, practices, commitments and obligations the business has in place or plans to enact in the year approaching? Were there audit or regulator reviews that pointed out issues you can monitor by adjusting details in your risk register? Have you expanded the number of third parties you rely upon to deliver services and products to your customers? Have other stakeholders requested information you haven’t collected and evaluated because there’s a gap related in your register? Look back at the process you went through to create your register initially. Repeat that effort to ascertain the risk register detail is as complete as needed for your business as it stands now. Then examine your business goals for 2023. Are there any further changes needed? Keeping your risk register in top condition, and well-polished is a vital first step.
Policies and Procedures
A dynamic business and risk program needs current policies and procedures to govern its efforts. Policies take the most work to adjust, given the lengthy approval process many businesses employ. Procedures need to reflect the “how” of work to be done. Often, policies grow out of new requirements, new business obligations, or changes in laws or regulations. Procedures need to align with policy. They must also describe methods and practices crafted to deliver outcomes to achieve useful work, within the proscribed policy guidance. Too often, resistance to change, performing tasks one way because “that’s the way it’s always been done” can cause procedures to fall out of alignment with policy. Worse, that process inertia can cause issues with regulatory and contractual compliance obligations, which are likely to be more fluid and dynamic over time. Process inertia’s opposite twin, process acceleration, occurs where changes are made on the fly to address an exceptional event, and then become instantiated going forward. In these cases, they distort what the business needs and how it needs to operate. Both situations create risks. There may be metrics you normally use to measure process effectiveness. It’s useful to have threshold values associated with such metrics. Below threshold outcomes may be indicative of process inertia, while excessively high values might indicate acceleration. Look back to your risk register again. How is it incorporating process related risks into its content? It’s important to assure your register doesn’t ignore process risk opportunity.
Workflows And Risk Assessment
When you tune something, it’s important to examine your tools to make sure they are also operating correctly. This helps you prevent introducing anomalies as an outcome of their detection and correction. Examine your workflow schemes, whether manual or automated. Has your organization, reporting structure, or assigned subject matter experts changed since your last assessment? Did your escalation practices, where present, trigger in efficient timeframes to the right levels of leadership? Did you experience bottlenecks that can now be remedied by adjusting workflow configurations, timing, direction?
Also, look at your recent risk assessment and any post mortem notes you might have on process feedback. Are there refinements to participant training that you may make? Are your risk scoring methods clear to participants and providing useful information to analytics? Were communications to stakeholders specific, clear, and timed to inform the process and keep it moving effectively forward? What problems occurred along the way and what might you do to address them in your next cycle?
Gap Analyses
Gap analyses seem to be a practice analogous to a skeleton key. No matter the situation, there’s always room to evaluate where you are, compared to some target state, i.e., where you want to be. They’ve been around under many names and presented as part of many processes. Simply put they are about measuring how far away from some planned for or worked toward state your current situation may be. If you’ve developed metrics along the way to measure your risk management process effectiveness this may be a really simple and quantitative process. If you haven’t such metrics, you’ll need to be a bit more qualitative. Don’t leave your desired target state out of your review. Is it still realistic or not aggressive enough? How does it align with your company’s risk appetite, stance regarding compliance, and regulatory performance? Are there new metrics that would help you measure and monitor “gap performance” in the future? Does your current process produce the data you’ll need to calculate those metrics? So many questions to consider.
Integration With Audit, Compliance, Operations And More…
Quality risk management programs do not exist in a vacuum! As part of your tune-up, take a look at how well your risk program incorporates data from other processes, while delivering information to inform the efforts of other disciplines throughout your company. Meeting contractual compliance and regulatory obligations can have a financial, operational, and reputational impact. Does your risk program contribute to understanding and measuring these risks? Have internal and external audit findings been used as a data validation for your risk scores where findings and remediation were reported? You’re your risk program inform audit processes of areas for scrutiny? From a leadership perspective have your program leaders from risk management met with peers in audit, legal, operations, and regulatory compliance to discuss what can be done to leverage your combined efforts to the greatest value for your company, while working to reduce overlapping or redundant efforts that pose unnecessary demands upon participants and other stakeholders? While it’s useful to have such meetings on a regular basis, at least quarterly reviews should pay a dividend in efficiency while maximizing data value and process refinements.
Reporting
Good reports answer specific questions with clarity. Great ones also do so, while inspiring additional questions whose answers provide useful, actionable direction and deeper understanding for executive leadership. Do you have good reports? What would make them great? What questions have your leaders asked that current reports do not answer? What answers do you provide now to questions nobody asks? Too much reporting is not good reporting. When someone tells you they need to “know everything” it’s a sign of poor leadership. They do not understand the key drivers of their business, and mask that by asking for “everything” in the hopes such volumes of reporting will provide answers to any question or circumstance that may occur. It’s inefficient, wasteful of resources, and ineffective. One of the great values a risk management program can offer is guidance on what matters, and what does not. Pointing out key metrics, and demonstrating why they are important to monitor, within a proscribed range of values, can help leadership learn to use risk management data effectively. Doing so can cascade over to other management practices and lead to more efficient data gathering and reporting practices companywide.
Tuning While Operating
This is a great time of year to begin the process of performing your tune-up. Business is focused upon a new calendar year, new goals, new initiatives, and eyes and minds are focused upon the horizon ahead. Factor the tune-up tasks into your risk management calendar. Take advantage of low hanging fruit, tasks easily accomplished quickly and with minimal resources. Identify ones you can do on the fly as you prep for an assessment or other activity. These will be less disruptive than other larger ones. And finally, plan for changes that are larger, require more resources, and commitments from others outside your own domain of control. By planning and distributing your tune-up tasks across your program calendar, you make the changes easier for participants to adapt and make the appearance of the volume of change seem lighter and simpler than if they were all gathered together into a single mass to be absorbed and understood by all affected. This approach may also make the cooperation of other areas easier to gain, both for simple requests and ones requiring larger commitments of resources if and when necessary.
When Your Tune-Up Efforts Say It’s Time For Something New
Many years ago, I worked with another manager who performed a study about maintaining corporate vehicle fleets. The task was to understand when it was optimal to stop repairing vehicles as they aged, and simply replace them instead. His exploration was exhaustive, and the results, at first glance, surprising. From a purely financial viewpoint the answer was “never.” It was always cheaper to fix than replace. But his analysis did not stop there. When downtime, repair frequency, process, and transportation disruptions, among other features were taken into consideration, a very different answer, a more definitive duration, became clear. This study is now over 30 years old, and the result then was, as my dimming long term memory recalls it, about 8 years. But that’s not the point. Taken wholistically, there comes a time when things, processes, machines, and such, no matter how well maintained, are better replaced than continuing to band-aid them together for “one more round.” Once you’ve done noting all the things needed for your tune-up of your risk management process, it’s also time to take an objective look at how much work it needs to continue to provide the services and value expected from risk management. Change is more than time and materials for a discreet few doing the work. It may also incorporate re-education, work arounds to accomplish tasks that cannot be supported directly. Deferring very useful processes or steps because your current system can’t support them, or requiring participants in assessments or other stakeholders to do more manually, or worse, just “do without” because of limitations in your tools or technology is not an effective risk management strategy.
If your tune-up needs are becoming more of an overhaul than refinement, you may be reaching that place where something new is the more effective, efficient, and over time more cost effective approach to extensive repair and shouldering increasingly complex burdens to keep the old systems functional. Looking back to that fleet replacement study, you may find yourself in a place where continued extensive repair may no longer be the best approach for your business or your risk management program. Taking that long hard look is an important aspect of the tune-up process. As your new year begins, look well upon the vehicles you’ll ride into the year, and choose wisely!
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.