GRC Tuesdays: Can You Fix a Broken Risk Management Process?
Recently, it seems that every time I visit companies that are in the search phase for a new risk management software solution, they believe their current process is “broken” and needs fixing.
This could be due to many causes: a newly appointed Chief Risk Officer (CRO), a large loss incurred, recommendations from the audit team or regulatory agencies, and so on.
I want to make it clear: I don’t believe that a risk management process can be “broken.”
Yes, it can be outdated if the risks haven’t been assessed in a long time. Yes, it can be inefficient if mitigation strategies aren’t applied. Yes, it can be biased if only the views of a few are captured… And unfortunately, there’s no such thing as a magic wand that can fix all these issues at once. But there are steps that can be taken to put this process rapidly back on track.
You just have to make the diagnosis by asking the right questions and then apply the appropriate cure! This should help you identify and treat the root causes of this negative perception.
Why Do You (or Others) Deem that the Process Is Broken?
Symptoms: the risk management process is perceived as not working because it doesn’t provide stakeholders with accurate information. Understanding this is a great step forward – it means that people are aware that the process exists but that it’s not meeting their expectations. This could be due to outdated data, the inability to compare results period over period, missing information on the risk context, and so on.
- Remedy prescribed: Gather requirements from these stakeholders and then review your current capabilities to see how these requirements can be met. For instance, for outdated data, you might want to ensure that a risk owner has been named on each risk and that owners understand what is expected of them and how frequently they should review the information. Simply updating the risks already captured would take care of this root cause.
Symptoms: stakeholders are not able to pinpoint why, but they feel the process isn’t helping them understand what could go wrong in their business unit and how to prevent risks from occurring. This is very typical of reputational damage to the process itself. Most likely, the process hasn’t been applied in a long time because of its negative image, so stakeholders no longer understand how risk management can help them.
- Remedy prescribed: Offer training in small groups with real-life examples. If, at the end of the training, stakeholders still believe that there’s no use in such a process, then gather requirements on what they would need, as mentioned above. In most cases, re-explaining a process can help in raising awareness and illustrating its benefits.
There could be other symptoms of course, but these two are the most common I have encountered and I don’t believe the cures to be out of anyone’s reach.
Is There a CDC (Centers for Disease Control and Prevention) for This?
Yes – you and every manager in the company! Risk management shouldn’t be only the turf of the risk management, compliance and audit teams; it should be owned by everyone.
Managers have a duty to notify the relevant departments when they lack the information they need to make their decisions. Such notifications should help in quickly identifying new symptoms and reorienting the process before it derails.
In conclusion, I would suggest that all CROs facing this issue first review thoroughly what is currently in place, because it holds valuable information: risks already identified, assessments performed, past mitigation strategies that did or did not work, and so on.
Before replacing all and starting from scratch, ask yourself: Are you sure there’s nothing you can keep in your current approach? Are there simple steps that you can take to revive it?
Originally published on the SAP Analytics Blog