This is the final blog of a four-part series on ERM from guest blogger Michael Rasmussen of GRC 20/20 Research.
Risk management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. The risk management information architecture supports the process architecture and overall risk management strategy. With processes defined and structured the organization can now define the information architecture needed to support risk management processes. The risk management information architecture involves the structural design, labeling, use, flow, processing, and reporting of risk management information to support risk management processes.
Successful risk management information architecture will be able to integrate information across risk management systems and business systems. This requires a robust and adaptable information architecture that can model the complexity of risk information, transactions, interactions, relationship, cause and effect, and analysis of information that integrates and manages with a range of business systems and external data.
The risk management technology architecture operationalizes the information and process architecture to support the overall risk management strategy. The right technology architecture enables the organization to effectively manage risk and facilitate the ability to document, communicate, report, and monitor the range of risk assessments, documents, tasks, responsibilities, and action plans.
There can and should be a central core technology platform for risk management that connects the fabric of the risk management processes, information, and other technologies together across the organization. Many organizations see risk management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:
- Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring.
- Point solutions. Implementation of a number of point solutions that are deployed and purpose built for very specific risk and regulatory issues. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization in managing risk holistically.
- Risk management/GRC platforms. These are solutions built specifically for risk management and often have the broadest array of built-in (versus built-out) features to support the breadth of risk management processes. In this context they take a balanced view of risk management that includes performance as well as risk and compliance needs. These solutions allow an organization to govern risk throughout the lifecycle and enable enterprise risk reporting.
The right risk management technology architecture choice for an organization often involves integration of several components into a core risk management platform solution to facilitate the integration and correlation of risk information, analytics, and reporting. Organizations suffer when they take a myopic view of risk management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real-time business operates in.
Some of the core capabilities organizations should consider in a risk management platform are:
- Internal integration. Risk management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization. So the ability to pull and push data through integration is critical.
- Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis. Standardized formats for measuring business impact, risk, and compliance.
- 360° contextual awareness. The organization should have a complete view of what is happening with risk in context of performance, risk, and compliance. Contextual awareness requires that risk management have a central nervous system to capture signals found in processes, data, and transactions as well as changing risks and regulations for interpretation, analysis, and holistic awareness of risk in the context of risk and performance.
- Support for multiple risk frameworks. The risk management technology architecture should allow the organization to harmonize risk management across the organization. The business can use different risk management frameworks in different parts of the organization and still integrate risk data and reporting with an enterprise perspective.
- Define and map objectives and controls to risk. Controls are used to mitigate and monitor risk. Every control in the environment maps to the risks addressed, using an integrated risk and control framework. Risk technology should allow for complete integration and reporting on objectives and controls in the context of their relationship to risk across the enterprise.
- Establish and communicate risk policy. Risk technology should allow the organization to develop, approve, and communicate policies to address risk. This establishes expectations and a culture around risk, including risk capacity, tolerance, appetite, accountability, and controls.
- Manage loss and incidents. Loss represents the materialization of risk and must be documented and fed into risk models. Risk technology enables the management of incidents and records loss as an integrated component of a risk management process.
- Allocate risk accountability. Risk management requires that someone is responsible for risk. Risk without an owner is like a leaf blowing in the wind. Risk technology tracks accountability and ownership through its risk taxonomy, and enforces accountability through task management, workflow, and escalation. Through reporting and metrics, owners see risk from different perspectives and understand the risks they are responsible for.
- Advanced risk reporting and trending. Risk technology manages and monitors risk at the enterprise level and within individual departments. This permits detailed reporting, dashboards, trending, and analytics that scale to the needs of the department or enterprise. Organizations can establish and monitor risk metrics through KRIs and map them to objectives and processes. Reporting is customizable and scalable to context and level of detail appropriate to the audience — whether process owner, manager, executive, or board member.
- Risk analytics and modeling. Mature risk technology should support a breadth of risk analytics and modeling to meet the diverse needs of groups across the business. The solution can track and model spending to treat risk in the context of exposure.
- Understand the interrelationship of risk. Risk technology provides for identification and categorization of risk into hierarchical structures to effectively manage and assign accountability. However, individual risks can also relate to risk outside of a hierarchical model. The risk information architecture allows for hierarchical categorization of risk, as well as mapping and relationship of risk that does not always fit into neat hierarchies.
Providing 360° Contextual Awareness of Risk
Risk is pervasive; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at department and process levels and build as organizations develop operational and enterprise risk management strategies.
Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as risk intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and business strategy, objectives, and performance.
Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their view of risk that can roll into enterprise and operational risk management and reporting. This is done through a common risk management strategy, process, information, and technology architecture to support overall risk management activities from the process level up through an enterprise view. Organizations need to clearly understand the breadth and depth of their risk management strategy and process requirements and select the right information and technology architecture that is agile and flexible to meet the range of risk management needs today and into tomorrow.