Who is Responsible for Enterprise Risk Management?


Written by: Andrew Steioff

Updated: May 01, 2023


Every company must consider a variety of internal and external factors that affect how well it can meet or exceed its stated goals. This collective array of factors is commonly referred to as Enterprise Risk, and it’s the primary source of uncertainty in any business. Today, company leadership must grapple with an ever-increasing number of question marks prompted by unpredictable economic times and radical innovation in a rapidly changing world.

More than ever, how well a company manages its business is directly related to how effectively it manages its business risk. A comprehensive risk management program is essential for companies to reduce uncertainty, make confident decisions, and move the business forward on behalf of its shareholders, its employees, and its customers.

The most effective overall approach to identify and minimize risk is a process called Enterprise Risk Management (ERM).

Real-World Examples of Risk and Opportunity

Critical risk-related business issues discussed in boardrooms and corner offices fall into three distinct categories: macroeconomic risk, strategic risk, and operational risk.

Macroeconomic risks are those related to uncertain economic and geopolitical situations that can threaten a company’s growth or very existence. These risks are commonly seen in the news: trade wars, Brexit, interest rate hikes, and political unrest are a few examples of global macroeconomic risks in 2019. Such constantly changing macroeconomic conditions underscore the benefits of companies remaining both nimble and vigilant.

Strategic risks arise from adverse business decisions or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals. A shifting regulatory environment, advancements in technological innovation, and evolving customer demographics are among the most common strategic risks that bear constant scrutiny.

Operational risk is the prospect of loss resulting from inadequate or failed procedures, systems, or policies. Operational risks can include shifting labor markets, the changing costs of business and healthcare insurance, and wrestling with the growing importance of cybersecurity.

Regardless of the type of key risk, a successful business model should include ways to identify, monitor, and manage potentially disruptive events.


Who handles ERM?

The eventual success of any Enterprise Risk Management program depends on a company’s ability to develop a proper framework and corresponding implementation plan. This often requires a dedicated team with well-defined objectives, a clear project scope, and an agreed-upon allocation of responsibility. This team is commonly headed by the Chief Risk Officer.

The ERM team is a fundamental part of a company’s larger, overarching risk management efforts. The team must not only put best practices in place and ensure they’re followed; it must also serve as a champion for risk management throughout the rest of the organization. It’s helpful when company-wide functions such as Compliance, Incident Management, and Information Security Risk are represented in addition to Finance, Accounting, and Internal Audit. This helps to mitigate the most common threats to an effective ERM program: lack of communication and buy-in.


How ERM Can Benefit Your Company

Among the many benefits of having a single business unit responsible for ERM, it provides a company with a strong foundation for a successful risk-management process and culture. A centralized risk-management department can develop standard policies, measurement methodologies, and risk frameworks that can be leveraged throughout the rest of the organization. It’s an approach that gives senior management and decision-makers a clearer view of the interrelationships among existing risks and facilitates proactive thinking about potential future risks.

While departmental roles differ among businesses, most companies place ultimate responsibility for ERM with their Board of Directors. A culture of risk management, after all, must start at the top. Further, the Board's decisions are based in part on the outward perception of integrity and ethical values, which can affect brand identity.

Enterprise Risk Management Tools and Frameworks: SOX, GDPR, and COSO

Investing time and money in a strategic and properly integrated ERM system can help your firm reduce costs, improve operational performance, and remain compliant with an ever-expanding list of regulatory requirements, all of which are top of mind for any board of directors. To avoid wasting time and resources, it's critical to be aware of what those guidelines and requirements are. The following are a few important ones.

  • Companies are increasingly turning to automation technology to reduce the burdensome cost of adhering to the provisions of the Sarbanes-Oxley Act (SOX), created to protect investors from fraudulent financial reporting by corporations. SOX was introduced in reaction to a number of corporate scandals in the early 2000s. It mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers.
  • ERM can assist with compliance with the General Data Protection Regulation (GDPR), the most important change in data privacy in the 21st century. The GDPR, which took effect in 2018, is a regulation by which the European Parliament, the Council of the European Union, and the European Commission strengthen and standardize personal data protection.
  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative dedicated to providing thought leadership through the development of integrated frameworks and guidance on ERM, internal control, and fraud deterrence. COSO’s vision is to be a leader in the global marketplace by specializing in the areas of risk and control that enable and inspire good organizational governance.

How LogicGate Can Help with ERM

A recognized leader in GRC process automation, LogicGate offers customizable apps to empower the ERM process. Our Enterprise Risk Management solution facilitates collaboration across departments in such areas as Policy Management, Process Automation, Third-Party Risk, and Vendor Management. We use state-of-the-art graph databases to define, monitor, and remediate risks as your business grows. We are passionate advocates for the important role ERM software can play in any industry, including financial services, energy, and healthcare.

For more on ERM, check out LogicGate's eBook, Assessing the Costs and Benefits of ERM: An Inquisition.