Boards, regulators and leadership teams are demanding more and more of risk, compliance, audit, IT and security teams. They are asking them to collaboratively focus on identifying, analyzing and managing the portfolio of risks that really matter to the business.
As risk management programs evolve to more formal processes aligned with business objectives, leaders are realizing that by developing a proactive mindset in risk and compliance management, teams can provide added value to help the organization gain agility by identifying new opportunities as well as managing down-side risk. Organizations with this new perspective are more successful in orchestrating change to provide a 360-degree view of both risk and opportunity.
Risk teams that are further along on the journey of leveraging proactive approaches to risk management look not only within the organization but beyond to supplier, third party and customer ecosystems. This means developing a view across the larger enterprise infocosm, to ensure alignment of people, processes and technologies.
An essential prerequisite to proactive risk management is a shift from passive to active governance. To build an active governance competence effectively, governance needs to be “active, engaged and embedded,” rather than “passive, reactive and irrelevant.”
Active governance means being thoughtful about alignment and interlocks policy, risk, compliance, quality and operational programs. Proactive risk intelligence throughout the organization can help it advance by aligning policies, procedures, facilitating an enterprise view of issues and orchestrating change to mitigate risk.
Align Policies, Procedures and Roles
Once proactive risk intelligence is understood and embraced as a concept, the next step is to develop agile and consistent policies that truly reflect and produce desired behavior. This means aligning business strategy and appetites with prescribed behavior, which is typically described not only through policies, but also through procedures, and embedded in role descriptions. It is important to make governance traceable in this way. Likewise, it is critical to make sure roles and responsibilities are aligned with policies and procedures so that employees, partners and third parties are empowered to do the right thing.
Foundational is consistency between policies and procedures in similar roles across geographies, cultures and business units. Some key things you can do to help your organization include:
- Align Policies to Business Objectives — Ensure responsible management and oversight of resources by aligning policy to business intent. You can do this by mapping policies to risk tolerances and compliance requirements. Be explicit when defining legal and ethical boundaries.
- Resolve Global/Local Conflicts in Policies and Procedures — Improve active governance by resolving local/global dissonance—often a policy at one level can contradict a similar overlapping policy at another level—it’s important to iron out discrepancies so that people have confidence in the policy and know it stands for something the organization values.
- Engage the Right Subject Matter Experts for Policy Creation and Review — Policy life-cycle management can really help. Be sure to include alerts and intelligence to ensure policies reflect compliance to new and changing regulations and business obligations. Establish the right roles and responsibilities for creating, editing, reviewing and publishing polices. Automated workflow can help make this seemingly monumental task achievable. Empower the right decision-making processes for governance of policies and allocation of resources.
Gain an Enterprise View of Issues and Remediation
Now that your organization is looking at risks in the context of appetites, tied to policies that reinforce desired behavior, based on a common language, the next step is rapid, complete issue resolution. Mature organizations can provide a portfolio of issues and incidents, facilitating a 360 view.
By looking at all the incidents and issues tied to a risk, process or asset, your team will begin to develop a preventive capability, and be able to ‘right-size’ remediation investments. Key things you can do to help your organization include:
- Manage issues as a portfolio — Look at issues across all sources, through a common process, across all aspects of the organization. Not only issues arising from audit, risk management and privacy and compliance teams, IT and security, but also extended to research and development, quality, environmental health and safety and human resource groups.
- Develop a Proactive, preventive capability — Think in terms of future changes and what issues may arise in risk and compliance management. For example, getting teams involved early in initiatives such as mergers and acquisitions, new product or service launches or expansion into new markets.
- ‘Right-Size’ remediation investments — Optimize investments in remediation through end-end root cause analysis—when business units look at an issue in isolation, investments can be made that solve the problem locally, but push symptoms to an upstream or downstream process. Looking at issues across, down and through will help build the 360 views that get at the real root cause and appropriate remediation.
Orchestrate Change across Risk Processes
Creating proactive risk intelligence as a competency is in many ways all about orchestrating change. Continuous value creation is demanded of successful organizations in today’s dynamic world. When collaborative risk teams focus on continuous improvement, they will spot opportunities for operational efficiency and savings that can be used to fund innovations. As organizations mature, collaborative teams can be supported by risk and compliance centers of excellence, shared services and innovation labs.
- Build a community dedicated to the vision of risk intelligence — Bring people and partners on board with a proactive mindset. Make sure continuous improvement fuels and funds innovation across and within core processes of governance, risk, compliance, privacy and security.
- Continuously innovate — Manage a portfolio of innovation projects to mature centers of excellence, shared services and distinctive risk and compliance competencies. Leverage technologies to accelerate innovation and gain economies of scale.
- Continuously improve — A formal investment program identifies synergies and funds strategic initiatives, certification and training programs.
The GRC journey is about orchestrating change to gain a competency of risk intelligence. It requires a proactive mindset and anticipation of future problems needs and changes.
Active governance is the first step in supporting change and building a competency of proactive risk intelligence by planning and thinking ahead at every stage of the risk management process.
Active governance goes beyond general oversight to ensure alignment and interlock strategy, through policy, procedures and roles in the operational fabric of the organization and carries through to suppliers, customers and third parties. By starting with these core aspects of active governance, you are in your way to creating a competency of proactive risk intelligence in your organization.
Similar Posts:
- How to Leverage Risk Management to Influence Positive Business Outcomes
- The Case for Strategic Risk Management
- 4 Steps to Help Organizations Embrace Risk from Emerging Technology
- Increasing Risk Complexity Outpaces ERM Oversight
- RIMS ERM Conference 2021: IRS Receives Global Enterprise Risk Management Award of Distinction