- By Gaurav Kapoor, COO at MetricStream
Every executive hopes their company is alert to risks and that it can be resilient when hit with disaster, but with the speed and ferocity of risks ever-increasing, that is not always possible. In an age where it only takes one employee – or one tweet – to smear the reputation of some of the largest organisations, efficient and effective risk responses are vital.
Risk awareness and response agility are critical when incidents occur, but reaction times can be particularly hindered when an organisation has grown too rapidly. This is because in the process of fast and disparate growth, functions can become siloed, operating autonomously using different – or non-comparable – reporting programmes. As such, they can’t be governed and reviewed by the board in the same context. This was one of the key issues that made the 2008 financial crash so severe: with no corporate oversight – and organisations’ strategies aiming for maximum growth at any cost – individual departments went rogue, creating an illicit black hole in the financial system.
Since then, the focus – particularly among financial services firms – has very much been on bolstering governance, risk and compliance (GRC) capabilities. Additionally, approaches have changed somewhat in the last decade. As well as the honing of respected industry-wide defence and risk practices, new technologies, such as integrated GRC software, have arisen to help many organisations reunify and manage multi-dimensional organisational structures with a security model and federated taxonomy that gives business functions flexibility while providing the ability to correlate and report on each perspective at any level.
It has become vitally important for organisations to realise that while business performance is extremely critical, their full potential can only be achieved if they are performing with integrity. Consumers, shareholders, and regulators are demanding that companies conduct business built on a strong culture of ethics, laws, regulations, the right controls and a sensitivity to their customers, employees and social responsibility.
To build a risk aware organisation, companies need to invest in risk awareness and management programmes and work toward creating a transparent corporate culture. Here are six steps to help businesses achieve this:
Centralise the compliance function
First and foremost, organisations in heavily regulated industries must unify any siloed and disparate GRC operations across multiple geographies and business units. Aligning GRC with the overall business strategy and objectives helps to create a holistic and integrated view of the risks and compliance requirements across multiple regulations that are affecting, or could affect, the entire organisation.
Assess enterprise risk management (ERM) programmes
It is important for firms to establish a consistent approach to risk management with uniform risk assessment methodologies. Ensuring all employees are risk aware will involve identifying, assessing, monitoring, and mitigating risks in a systematic manner. Companies can use advanced analytics, heat maps, reports, dashboards, and charts to gain an accurate understanding of the top risks across the organisation in order to help prioritise and manage risks effectively.
Solidify operational risk management (ORM) processes
Enabling a pervasive and streamlined approach to ORM is crucial for organisations looking to raise their risk awareness. Risk identification, assessment, monitoring, and mitigation are vital to delivering timely risk intelligence. It is this risk intelligence that can be fed back into the organisation to drive important business decisions, improve business performance, and reduce company losses.
Ensure effective business continuity management (BCM)
Another integral part of how to approach risks lies in a good business continuity management programme. Businesses should plan and execute an effective business continuity and disaster recovery (DR) programme. Good BCM programmes include risk assessments, disaster tracking, and recovery action initiation and management. Organisations should plan crisis responses in advance – including assigning specific owners to actions – to reduce response time when the plan needs to be enacted. It is also vital that recovery procedures are periodically tested to reveal any gaps in the programme before a disruptive incident occurs.
Use a top-down and bottom-up approach to establish a good culture
Good business culture relies on the message being conveyed and enforced from both the top down and the bottom up. Employees should be participating and know how their role helps to achieve the business’s objectives. Yet the system will only truly work if they believe that upper management is truly behind the new approach. Management should lead by example, act in ways deemed to be ethical, and be held accountable for the times when they don’t.
Adopting new technology can help employees to actively, or passively, engage with GRC processes. Increasingly, more companies are turning to tools that have been consumerised. Good risk awareness and responses require GRC to be embedded into all processes, but employees are known to cut corners if new systems are time-consuming. Technology that can enhance risk awareness and productivity, as well as create new ways of working – without impacting employees’ day-to-day responsibilities – will drive business value.
Technology plays a critical role in strengthening the monitoring and management of risks in the organisation. Integrated technology solutions offer a common platform that provides greater visibility into risks and compliance issues. They also automate processes, streamlining admin- and data-heavy work and reducing its cost, as well as storing any important or relevant information in a centralised database for easy access.
Ultimately, in today’s dynamic risk environment, businesses need to learn to swim ahead of the tide of known and unknown risks. The companies that prepare and manage risks using reliable ERM, ORM and BCM practices will be able to grow organically and sustainably while integrating GRC into the very fabric of the organisation, in its employees, values and programmes.