If your answer to these questions is yes, you're not alone. I recently read two articles that I found particularly interesting: they express our thinking on risk management processes here at Alyne very well, while coming from very different perspectives, and both address the need for new thinking in IT governance and risk management.
The first article, written by two of my former Deloitte colleagues, Romana and Tahlia, is on enabling agile governance and risk management; the second is a blog post by one of Gartner's GRC leaders, John Wheeler, on moving from traditional GRC to Integrated Risk Management (IRM).
I would like to explore some of the implications of these articles for typical risk management processes:
1. Risk Identification
I've experienced too many risk meetings in which stakeholders try to gather possible risks for the project's risk register. Romana and Tahlia argue that agile risk management should not focus on what could go wrong, but on what must go right. This needs to be a continuous process, not a one-off exercise. In Gartner's view of IRM, strategy and risk assessment processes take governing frameworks and risk context into account.
Alyned Thinking: Leverage smart solutions to rapidly identify what must go right and the risks that threaten those objectives. Alyne's integrated libraries, linked to governance standards, risk graphs and regulatory requirements, enable just that. Keep risk identification agile through easily accessible tools and a risk culture that encourages risk transparency.
2. Risk Treatment
Many enterprise risk management processes are driven through hierarchies, restricted access and many layers of escalation. This is, of course, a product of the politics inevitable in large corporations. John Wheeler also points out that today's GRC processes are often shaped by their origin in meeting Sarbanes-Oxley (SOX) requirements. If risk management as a whole is focused on maintaining SOX compliance rather than on evaluating risk exposure against risk tolerance, rigid and non-inclusive processes are what remain after more than a decade of that risk culture.
Alyned Thinking: Provide your teams and stakeholders with a toolset that makes interacting with risk data as easy as possible. Our mission is to make gaining risk insights as easy as browsing your social media feed. Be agile in the sense of validating, and adapting, the assumptions behind your risk assessments as frequently as possible.
3. Risk Reporting
Risk reporting is commonly driven by regulatory requirements and follows cycles of three to six months. Formal review, sign-off and aggregation processes make producing these risk reports a laborious and manual exercise. I have experienced both highly restrictive reporting processes implemented in traditional GRC solutions and complicated spreadsheet-based risk consolidation. For purely fulfilling regulatory reporting requirements, this approach is sufficient. For making informed, risk-based decisions, as advocated by Gartner's integrated risk management, or for rapidly learning and adapting in an agile way, rigid reporting processes do not suffice.
Alyned Thinking: We believe in giving stakeholders real-time risk insights rather than periodic updates. Reporting requirements are fulfilled by taking a real-time snapshot of a defined subset of managed risks, while decisions are supported through ongoing risk insights.
In exploring the concepts of agile and integrated risk management, I recognise challenges many businesses face in their approach to managing risk. Taking a more agile approach to identifying risk, breaking down rigidity in favour of continuous interaction, and moving from periodic risk reporting to real-time risk insights is where risk management needs to evolve. I believe there are three prerequisites for this:
The cost of risk management needs to be significantly reduced through smart solutions
Organisations must embrace the value of risk management in enabling risk aware decisions beyond meeting the minimum regulatory obligation
Risk culture has to shift from the politics of the “ivory tower” to a continuous discussion of risk information across the organisation