In our last article, we discussed the value and contribution of the risk register, and how it played into the offering of a pre-populated, fully-integrated enterprise risk management (ERM) solution. We noted that three attributes of a GRC platform (Process, Product, and Content) are essential to delivering the critical services, tools, and capabilities that companies require to tactically execute upon the four elements of day-to-day risk management (Identify, Assess, Mitigate, and Monitor) with efficiency and effectiveness. In a fully integrated ERM solution, services and features are highly integrated into one package. Reporting is embedded, making the risk management practice a seamless effort rather than a disjointed one. Of course, many offerings promote these capabilities, but very few offer an actual out-of-the-box (OOB), “install and run” capability. I know of one offer that does, but I’ll talk more about that later.
So, where and how can you best apply such capabilities to their maximum benefit? Let’s explore a pair of use cases. Perhaps, within those, you may find a scenario, currently close to your own, that will benefit from what the DoubleCheck OOB solution can provide.
Two Unique Use Cases For A Fully Integrated ERM OOB Solution
Case 1: No ERM Platform Is In Place
Of course, this seems at first glance to be a no-brainer situation. If you have no real integrated platform system in place, any offering might seem like it would be an upgrade. But that’s not exactly so. Part of the backstory for “no ERM is in place” is that its absence implies a lack of management concern over risk and perhaps a lack of understanding on how impactful ignoring risk management can be. In addition, there may be a real shortage of resources to address risk management, even if your executive team has concerns. Citing examples of catastrophe is probably not the best route. It might be viewed as a position founded in hysteria and is likely to be ignored. Instead, look at the operational processes that are critical to the organization. In fact, from a positive perspective, it’s likely there are already “Plan B’s” in place for some of the most critical operations, to assure some level of business continuity in the event of some disruption or incident. Use these as examples of risk management already in place. This list of recognized risks and actions is the germ of your first enterprise risk register. Offer that these discrete actions add value to the business, but would be more efficient, avoid duplication of effort and leverage overall efforts across the enterprise if a more centralized, managed approach were implemented. Point out that there’s likely no consolidated risk register, no standardized means of assessing risk and evaluating priorities, leading to ineffective allocation of remediation resources. Controls, even when in place, may not be identified nor aligned to the processes where they interact. There may be no way of tracking exceptions or evaluating requests for them. And of course, much of any activity may be siloed within specific functions or departments and not offer benefit to the enterprise overall. In short, nobody is truly managing risk from a 40,000 foot level. It may be that regulatory and compliance obligations are difficult to meet in the absence of these risk management basics. This is a more powerful way to make a compelling argument from a business impact perspective to help explain and support the need for establishing an enterprise risk management practice. From there the issue of resources may well fall into place.
Desktop tools like spreadsheets, small databases, and other office automation tools assembled in parts can offer some beginning steps to risk management, but fall far short of delivering the services needed to truly run an efficient, comprehensive program. These rudimentary tools rely upon specific expertise and execution by someone who put it all together on his/her own. Even if done with skill, and well documented, they do not scale well, support facile shared input, secure sensitive data stored, and assure straightforward methods for identifying and gathering, assessing, mitigating, and monitoring risk. They just aren’t up to the task. Instead, there needs to be powerful, but simple-to-use tools to portray risk data in a business context for management to understand, address, and assign resources to appropriately mitigate the identified risks to an acceptable residual level. Also, users and program administrators need training to use the features of whatever ERM processes are put in place. And of course, it all needs to be maintained and updated, both in process and content, as the business environment and risk profile of the enterprise changes.
The best approach to this problem is to find a fully bundled OOB ERM environment providing Product, Process & Content. Product, in terms of the tools and automated services necessary to operate an ERM; Process, to enable easy implementation, configuration and operation to work within your operating culture; and Content to include controls and framework standards, a basic risk register, and more. Such a solution needs to offer a way to deliver implementation into an environment where it’s dependent upon little to support its presence, a “greenfield” kind of implementation. And, to be effective, this solution needs robust reporting, business intelligence (BI) and information management tools embedded within itself. No peripheral add-ons here. It needs to be a self-contained, all-in-one solution! This allows a firm to rapidly implement a complete ERM solution that will be operational in a matter of weeks and deliver actionable results quickly. It will provide a business with every core feature needed to establish all the basics of enterprise risk management, while laying a foundation upon which it can grow in sophistication and scope as the needs and capabilities of the organization require. It will do this without wasteful “throw-away” or redevelopment work so often associated with upgrades and extensions.
Case 2: An Organization With An Existing ERM Infrastructure…But Too Complex and Inflexible
This case is almost the polar opposite of the one above. Here, there is an enterprise solution in place, if you can manage to understand it and put it to use. In this case, your only offered option is a “nuclear submarine”, when all you need is a reliable sailing craft to cross the waters before you. Sometimes, centrally developed and implemented ERM solutions grow to be so complex, inflexible, and difficult to operate without extensive support and training that they tie an organization up in knots and impede an organizational unit’s ability to operate them effectively. Further, they may be built upon a large, centralized and technologically complex foundation with powerful capabilities than rely upon dedicated expertise from IT resources outside the organization. Often, these systems have been implemented at great institutional expense, and they consequently represent an accepted “standard” that everyone within the organization is expected to use. Adding other solutions may be viewed as unnecessary and wasteful.
In this complex and inflexible environment, the product may be in place, but its processes and content may not always meet the unit’s needs. Timely delivery of risk data, assessment reports, mitigating and remediation project status updates, and management of a specific risk register and related controls effectiveness may not be easily possible with the resources assigned within operating units. Inability to operate in a timely fashion, to deliver accurate assessments dependent upon centralized IT resources that may or may not be able to make the changes needed in one area due to conflicts or processes in force elsewhere, may constrict or prevent timely risk assessment, and defeat the ability of an organization to meet its “identify, assess, mitigate, and monitor” tasks. What local ERM resources really need is a solution that supports their reliable delivery of risk management practices upward to the larger enterprise, and they need to be able to operate without reliance upon centralized IT resource out of their control. In those rigid environments, any specific configuration needed to address a specific need, or even the basic operation of these systems, often requires the intervention of, and coordination with, a centralized IT department. The central IT schedule and resource priorities may not match your business’ risk management obligations. Regardless, when you need specific reports, modifications to workflow parameters or escalations, email routing, or any other automated provisions of this ERM system, a request into a centralized IT department is necessary. And then you wait.
But risk doesn’t wait. Risk management is essential and, in some instances may be existential to company achievement of its goals and obligations to investors, clients, customers, and other stakeholders. Local organizations often have risk expertise to manage processes and specify content, but lack the tools to effectively deliver a comprehensive ERM program. In order to be most effective, risk management needs to be embedded into the organization with deputized risk program participants who are local to the business unit, and understand its specific needs, methods, and operating style. They need to have the capability to manage and specify configuration changes to workflows, design reports, manage a risk register, align controls, and report on mitigation efforts. Timely ERM program delivery is crucial. Participants cannot rely upon spreadsheets or other desktop productivity tools to support input to a complex, inflexible system they are unable to modify or reconfigure to enable their management of processes and content. They need a solution that’s simple to use, manage, and implement independently, yet one that will deliver the content, results and process support necessary to operate an effective risk management program.
What’s needed here is a streamlined, cohesive ERM solution, managed by its users, that delivers all the essential product, processes, and content needed to proactively identify, assess, mitigate and monitor risk. This solution should have embedded reporting, BI and ERM-specific project and workflow management features to support local management and facilitate any reporting or compliance obligations present at a higher organizational level. To do this, a “stand alone” out-of-the-box solution enables local risk managers to set risk priorities and allocate actionable resources, expose hidden, value-add opportunities to exploit, and uncover organizational weaknesses. Such a solution should ideally offer a largely pre-populated risk register and align with leading controls standards and best practices as presented by ISO, COSO, NIST, and others. And, as a final ask, it should enable the timely flow of risk information to company stakeholders who need to make informed risk management decisions, set priorities, and allocate resources at the enterprise level.
Sourcing a solution that fits these requirements, one that is straightforward to implement and without great reliance upon centralized IT resources, becomes the task to pursue. Proceeding from there will enable a localized solution, one that can expand easily in scope or scale as need arises, without re-implementation or wasteful re-work to operate an efficient and effective enterprise risk management program for an “enterprise” of any size or organizational relationship to an overarching entity.
The DoubleCheck Solution
DoubleCheck’s out-of-the-box (OOB) solution meets or exceeds all the requirements set forth in these two cases. It’s a solution-oriented offering, largely pre-populated with robust, “head-start” content, and configurable templates. It supports a core set of features; causes, consequences, controls and key risk indicators (KRIs) as well as metrics (severity, likelihood, direction and velocity). The OOB offering aligns with ERM best practices guidance from COSO, ISO and others. It employs an implementation approach reliant upon configuration options that allow you to tailor the way features work to suit your internal style without reliance upon extensive central IT support or costly customization of core software and the complexities that approach entails. It is cloud based and secure, easy to operate, and offers optional modules that can extend functionality beyond core ERM services to engage audit, compliance, and more, as the need for such services grows. All of this can be easily accomplished through an expansion of base OOB services that add functionality, content, and processes, without requiring retooling of any setup or configurations already in place. The DoubleCheck Out of the Box (OOB) solution is truly a cost effective, user-validated, and action-oriented tool that can meet all your ERM needs now and expand with your organization to be your ERM tool-of-choice into the future.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.