The increased complexity and stakes of risk and compliance have resulted in strengthened demand for an understanding of the risks that face an organization. While this raises the profile of compliance and risk management with corporate leadership, it also presents new challenges. Few directors or senior executives outside of risk and compliance management have in-depth exposure to the methods and measurements used by practitioners. As a result, they are often unable to engage in detailed discussion of risk data. Combined with lingering perceptions regarding the lack of active business contribution by risk and compliance management, this creates obstacles to meaningful discussion of risk that highlights the business consequences without providing excessive detail. To this end, Blue Hill’s research interviews identified three crucial aspects of the board of directors’ engagement with enterprise risk and compliance activities:
- Set risk appetite or tolerance
- Risk prioritization
- High-level management of risk and compliance management operations
Attention to these responsibilities leads research participants to focus on limiting the kind of information they provide to directors. The top concerns cited include:
- Identification of current exposure
- Performance tracking of risk appetite or tolerance
- Top risks facing the organization
- Identification of emergent risks
- Demonstration of remediation action or organizational preparedness
- The cost of operations to the organization
- Impact on business operations
“I always present enterprise risk with a heat map. Directors look for something they can use and wrap their heads around. When there’s just lists of risks, they get frustrated. You need to funnel down to say ‘Here’s your heat map breakdown between the cyber threats, the financial risks, etc.’ Here’s how all those elements compare, what to worry about. From there, you can get to proposed actions without wasting any time.”
– Head of Operational Risk, Midsize European Bank
In all of these areas, participants highlighted the need to avoid providing overly detailed or drill-down data. Rather, organizations emphasized overall enterprise trends and “peaks and valleys”: changes in the organization’s risk portfolio that require action or attention.
The Role of GRC: Facilitating the Board View
There are a number of ways that GRC can assist organizations in presenting risk and compliance management performance in a meaningful context for compliance and risk management. In particular, the core capabilities of GRC, as it evolves into an enterprise solution, offer:
- Aggregation of how risks and activities impact the organization’s risk profile
- Cross-enterprise and cross-functional view of risk and compliance
- Insight into risk interdependencies
- Insight into relationships between key risk indicators and key performance indicators
- High-level progression of activities and performance of risk and compliance staff
In addition, the four themes described above closely relate to the provision of board-level reporting as well. In effect, a board of directors represents its own “use case” for GRC, one that requires high-level enterprise views of information rather than complex data resources. The configurability of a system’s workflows assists in adapting information delivery to board needs.
In keeping with directors’ information needs, however, the larger value follows from the use of analytics and visualization to assist comprehension of risk and compliance. In fact, both directors’ lack of a sophisticated risk and compliance background and their need to see compliance data as it relates to business operations create a need for an added layer of presentation and analysis that is well suited to visualization and analytics. These capabilities provide directors with the “end result” of analysis, facilitating their interrogation of compliance and risk data based on real enterprise performance.
For example, organizations often identify “top risks” as those with the highest value at risk. While this offers an important view of risk, without additional context it does not necessarily give a board member the insight needed to prioritize attention. In fact, this sort of identification would typically lead to inquiries into the organization’s mitigation activities and no further.
DoubleCheck takes a more flexible and nuanced approach to enterprise deployment than other GRC providers, which largely tailor their solutions by function rather than by individual stakeholder needs.
The result is a workflow management framework that leads the industry in terms of its sophistication and ability to adapt to customer needs.
Compare this with the potential of analytics to facilitate board comprehension of issues. Consider the impact of an algorithm that identifies “top risks” based on the size of the differential between inherent risk (the exposure in the normal course of operations) and residual risk (the exposure following mitigation efforts), isolating where mitigation efforts make the least impact.
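As an added illustration (not from the report or any GRC vendor’s product), the following Python ranks a small constructed risk register two ways: by value at risk, as described in the previous paragraph, and by the inherent-minus-residual differential just described, so that the two orderings can be compared; it also flags residual exposures that sit above a board-set risk appetite. The register values, the unit of exposure and the appetite threshold are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of a risk register (constructed sample, not real data)."""
    name: str
    inherent: float   # exposure before controls, in assumed currency units (millions)
    residual: float   # exposure remaining after mitigation, same units

    @property
    def mitigation_effect(self) -> float:
        # The differential the text describes: how much the controls actually remove.
        return self.inherent - self.residual


# Constructed register: two large, well-mitigated risks and two smaller,
# poorly mitigated ones, so the two rankings below visibly disagree.
REGISTER = [
    Risk("Ransomware", inherent=8.0, residual=2.0),
    Risk("Third-party data breach", inherent=6.0, residual=5.5),
    Risk("Regulatory fine (AML)", inherent=7.0, residual=1.0),
    Risk("Key supplier failure", inherent=4.0, residual=3.8),
]


def top_by_value_at_risk(register, n=3):
    """'Top risks' as most organizations report them: largest inherent exposure first."""
    ranked = sorted(register, key=lambda r: r.inherent, reverse=True)
    return [r.name for r in ranked[:n]]


def top_by_least_mitigation(register, n=3):
    """Risks where mitigation moves the needle least: smallest differential first.
    Ties keep register order because sorted() is stable."""
    ranked = sorted(register, key=lambda r: r.mitigation_effect)
    return [r.name for r in ranked[:n]]


def above_appetite(register, appetite):
    """Residual exposures exceeding a board-set tolerance (assumed single threshold)."""
    return [r.name for r in register if r.residual > appetite]


if __name__ == "__main__":
    print("By value at risk:      ", top_by_value_at_risk(REGISTER))
    print("By least mitigation:   ", top_by_least_mitigation(REGISTER))
    print("Above appetite of 3.0: ", above_appetite(REGISTER, 3.0))
```

Run as-is, the value-at-risk list leads with Ransomware while the differential list leads with the supplier and third-party risks, which is the contrast the paragraph draws.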
Similarly, effective use of visualization can facilitate board members’ interrogation of data and recognition of patterns in compliance changes. Data visualization through colors, heat maps, and other visual signals helps make the meaning of data apparent to stakeholders without the background of a compliance practitioner. Here, as with analytics, the ultimate impact lies in the opportunity to remove interpretation steps and improve directors’ engagement with compliance and risk issues.
While these capabilities are widely available in GRC solutions, their application to directors and other senior business leaders is largely absent. Even far-reaching enterprise risk management (ERM) suites focus mainly on the needs of practitioners and functional owners, such as Chief Risk Officers (CROs) or Chief Compliance Officers (CCOs). While reasonable given the primary focus of GRC solutions, the increasing demand for director insight into compliance and risk creates a unique and largely unmet need for GRC to evolve in how it delivers this information.