The key reason, in my estimation, is the general fuzziness around rating scales.

Rating scales are often too nebulous, not precise enough. Think about it. You’re deputizing subject-matter-expert (SME) risk owners to rate and thereby prioritize risks, but you are furnishing them with unsharpened tools.

This may be your one chance a year to connect with your risk owners. They are your ERM lifeline. Every single survey needs to work, in order for all of those surveys in your universe of risks to be viewed on a consistent basis. You may have 40 different senior-level risk owners weighing in on 60 overall risks – you need to have a level playing field.

Three suggestions to contemplate:

a) risk owners should be allowed to rate severity from a menu of different perspectives on risk impact (e.g. financial, reputational, regulatory, strategic) in order to allow each risk owner the opportunity to choose a severity rating mechanism that is most pertinent to that particular risk. What especially matters for that risk and resonates with that risk owner?

b) when risk owners are asked to give their perceptions on likelihood, they should be asked to focus on the possibility of a significant event, not the chance of every fender-bender occurring. Importantly, temporal measures should be clearly defined (e.g. once a year all the way to once every 50 years) as opposed to a bunch of murky and flimsy adjectives (e.g. unlikely vs possible) that mean something different to everyone.

Believe me, I’ve made that mistake before.

If you are using a 1-5 rating scale, therefore, a likelihood rating of 3 might be a significant event occurring once every 10 years. That significant event, in turn, comes from the severity table – perhaps 3 or higher. That focused approach – significant event instead of any old event – yields a measurement methodology that a risk owner can understand.

c) lighten up on – but don’t forego – the measurement of inherent (no controls in place) risk ratings. While those inherent ratings are a nice jumping-off spot and provide interesting context and bracketing around the impact of controls, residual risk rating perceptions are the perceptions that are actually closest to real-life over the long term, with controls that are fully in-place and effective.

A few minor tweaks like these should give risk registers the love they deserve.

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One application.

The post Give Risk Registers More Love first appeared on DoubleCheck Software.

You are basking in the aftermath of receiving so many incredible ideas from a host of great speakers.

Great intentions abound.

One week turns into one month.

One month becomes a quarter.

You’re stuck. Nothing gets done on ERM.

To get over the hump, here are two steps that I believe are eminently doable and are common denominators of every successful ERM program:

Step 1.
Secure upper-management (and Board) support and backing for the design and implementation of an ERM Governance structure and risk management framework (RMF), including the ERM program’s agreement on risk ownership

Explanation:
I’m not suggesting this management approval is simple to attain but, without it, your ERM program is dead in the water.

Risk culture doesn’t drop miraculously out of the sky. It isn’t bought at some specialty store. It is deliberately cultivated through management support that leads to shared understanding and behavioral attitudes of the company’s employees toward risk-taking.

You need to show senior management what the end result is going to look like. You want to demonstrate how legitimate stakeholder questions around risk are going to be satisfied.

There’s no wiggle-room allowable in an ERM program. The all-or-nothing part of this may seem daunting but the critical importance of ERM, in helping to meet the company’s high-level business goals, must carry the day.

Step 2.
Install and embed an automated risk register process, centering around an efficient and configurable ERM tool, to drive your unique tactical execution of risk management.

Explanation:
ERM roles and responsibilities need to be formalized, in perfect alignment with the governance structure. Mere spreadsheets don’t cut it.

Then you need to get onto the business of managing risk, eliciting perceptions from subject-matter-expert (SME) risk owners.  Get them to weigh in on identification, assessment, mitigation, monitoring….over and over again.

Two steps in sealing the deal on ERM, one foundational (governance structure and senior management support) and one tactical (automated risk owner survey and rating process, to enable risk prioritization).

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One application.

The post Two Steps to Finalize ERM first appeared on DoubleCheck Software.

Sincere thanks to those who have read and contemplated any of those posts.

I’ve been helped by many people in my 40 year ERM journey and want to do my small part in “passing it on”.

In the November 27th ERM post, I gave my view on two tangible steps I believe are needed to finalize an ERM program, namely:

Step 1.
Secure upper-management (and Board) support and backing for the design and implementation of an ERM Governance structure and Risk Management Framework (RMF), including the ERM program’s agreement on risk ownership.

Step 2.
Install and embed an automated risk register process, centering around an efficient and configurable ERM tool, to drive your unique tactical execution of risk management.

So, now what?

As 2024 draws to a close and 2025 goals begin to be solidified, how about we consider melding together those two steps towards ERM finalization, with the following one resolution:

“I resolve to immediately investigate the possibility of implementing an automated risk register solution that is configurable, straightforward, intuitive and pragmatic.

I will consider elevating my current risk management situation, whether it consists of 1) performing ERM by hand (e.g. excel spreadsheets) or 2) making-do by utilizing an application (e.g. audit, insurance company, claims handler) that may be inflexible and ineffective.

I will emphasize the importance of the risk register to our ERM program by doubling down and securing senior management approval of the three lines of defense specifics, including establishing one risk owner for every exposure in our universe and identifying and monitoring controls for each risk, by line of defense. With this ERM governance structure in place, roles and responsibilities will be defined, accountability will be expected and ERM risk culture will benefit.”

ERM One is a viable alternative worth your consideration. Be brave. Give it a trial run. The tool was designed by a risk manager for risk managers.

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One application.

The post The ERM Path Forward first appeared on DoubleCheck Software.

All risk rating scales are not created equal. The new year is a good time to consider critiquing yours…and honing them, as advisable.

Here are some thoughts for severity and likelihood rating scales:

1) Mere adjectival identifiers (e.g. high, rate etc.) are worthless, open to a multitude of individual interpretations. Instead, be brutally specific.

2) Consider allowing severity to be predicated on a variety of different indicators (e.g. financial impact, brand/reputation, regulatory, strategic etc.). Whatever column particularly lends itself to the risk in question – and best resonates with the risk owner – that’s how potential severity for that risk should be viewed.

3) Likelihood rating scales should not measure the chance of incurring any risk event (why worry about fender benders?) but, rather, the likelihood of a “significant” event (rated 3 or above), based upon the severity table that you formulate.

4) Customize your likelihood scales with absolute clarity. For instance an “almost certain” rating might expect a significant event once every year and, on the other end of the spectrum, a “rare” rating might project a significant event only once every 50 years. Focus on the likelihood a significant event and establish explicit temporal measures.

5) Rating scales can be equally applied to risks both before controls (inherent) and with controls in place (residual).

6) Risk results – the multiplicative product of severity and likelihood – is an eminently justifiable and understandable approach that melds together severity and likelihood, in order to put the combined ratings of all risks in your universe on an even playing field.

In summary: Break down your rating scales. Don’t be afraid to modify them. Don’t let “good enough” be good enough.

“Be Brave” Resolution #2 – Critically Evaluate Your Risk Register Reality

Immediately investigate the possibility of implementing an automated risk register solution that is customized, straightforward, intuitive and pragmatic.

Consider leaving behind your current use-case, whether it consists of merely performing ERM by hand (e.g. excel spreadsheets) or trying to make-do by utilizing someone else’s application (e.g. audit, insurance company, claims handler) that is inflexible and ineffective.

Double-down on emphasizing the importance of the risk register to your ERM program by establishing one risk owner for every exposure in our universe and identifying and monitoring controls for each risk, by line of defense. With this ERM governance structure in place, roles and responsibilities will be defined, accountability expected and ERM risk culture will benefit.”

One possibility worth consideration: ERM One is a viable alternative for those: a) without an automated tool or b) saddled with someone else’s application.

“Be Brave” Resolution #3 – Think in Terms of 60-Second Blocks of Time

Why 60 seconds? What are some actual tangible examples of why this strategy might work?

1) Develop ERM elevator speech #1 – a succinct one-minute summary of the strategic importance of ERM, an explanation that ties together the company’s key objectives to the iterative, tactical execution of risk management. You never know when you will need this. You are well served to be ready. Clear and simple, with conviction and passion.

2) Construct ERM elevator speech #2, of the same duration, encapsulating the key strategic ERM initiative of the moment (e.g. cyber risk, ESG etc.). There’s always a hot topic for ERM – that’s the beauty of the profession. Let your voice show the excitement. Revel in describing it.

3) On every single piece of written correspondence, force yourself to lead with a Summary or a Summary Recommendation paragraph that the reader can digest in one minute. No more than 225 words. Straight to the point. Make your best case. Don’t bury your key points at the end of a meandering e-mail. Captivate the audience up-front.

4) Use the entreaty “can I have one minute of your time on the phone?” via e-mail or text. If you have built a reasonable reputation, the person being beseeched will have a tough time refusing this request…do so judiciously and respectfully. Stick precisely to a minute – be uber-prepared as to what you are looking for.

Think 60 seconds.

Be Brave Resolution #4 – Focus on “Words Matter” and Actions Count” to Achieve GRC/ERM Excellence

Two (2) maxims for ERM/GRC excellence – 1. “Words Matter” and 2. “Actions Count”. Hand-in-hand, this pair of principles drives ERM/GRC performance.

Here’s the reasoning:

” Words Matter” – The disciplines of ERM and GRC demand precision. There is no room for inaccurate, nebulous, or empty wording. Ditto for jargon or obscure acronyms. Less is more. Get and give everything in writing. Record the chronology. Be explicit and date-specific in expectations. Hold to your deadlines. When in doubt, ask questions. Don’t assume anything. This world (of ERM/GRC) is far too important to merely guess. There is no place for the esoteric, academic or hypothetical. Total clarity is the byword, whether in establishing ERM/GRC context, laying down its foundational elements such as governance or culture or explicitly detailing the steps in tactical execution. Rating scales must have exact and rigorous definitions so there is no confusion. Language should be energetic and convincing. There’s a whole lot at stake, each and every single day.

“Actions Count” – Thrive on the adjective “actionable” and the noun “deliverable”. How are you converting context, philosophy and strategy into tangible and decisive action? Does your ERM/GRC program stop at the ivory-tower, risk appetite level (e.g. high, medium, low) or does it drill down and manage to explicit tolerances, through the establishment of key risk indicators (KRIs)? What is the escalation provision associated with every exceedance of risk tolerance? Is the three lines of defense a conceptual diagram or an embedded, day-in-and-day-out demonstration of risk culture? Are risk ratings from deputized risk owners appropriately critiqued and challenged in order to ensure the validity of risk priority rankings?

Two ideas worth remembering on ERM/GRC – “Words Matter” and “Actions Count”.

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One application.

The post Four “Be Brave” Resolutions for GRC and ERM Programs in 2024 first appeared on DoubleCheck Software.

1. Mission Statement

• Purposeful connection of strategy and tactics

2. Framework – Part A

• Strategic context (“Who are you and what are you trying to achieve?”)
• Without this, there is no reason for ERM or GRC

3. Framework – Part B

• Foundational underpinning (Culture and Governance)
• Connective tissue existing between strategy and tactics
• Underlying essence; these foundations are in place at all times

4. Framework – Part C

• Tactical Execution (4-Step iterative process: identify, assess, mitigate and monitor)

5. Governance Structure

• Clear-cut roles and responsibilities
• Best portrayal: Three lines of defense

6. Universe

• 4 categories – 3 common (“Finance”, “Operational” and “Strategic”) and 1 unique (“Core Business”)
• Dynamic; encompasses emerging risks
• Aligns with always-changing nature of risks themselves

7. Rating Scales

• Understandable
• Severity, likelihood, direction and velocity
• Inherent and residual

8. Policies

• Major risks (dozen or so)
• Each comprised of: definition; goal; roles and responsibilities (1st/2nd/3rd lines); appetite; tolerances

9. Language

• Succinct; simpler is better
• Don’t throw in unnecessary phrases (“I was able to…”)
• Precise; exact
• Iterative; over and over
• Powerful
• One shot; on the mark; needs to resonate
• Use present tense whenever possible (alive, here and now)
• Pragmatic (understands dynamics, keeps big picture in mind)
• Embedded and actionable
• Positive (figure out a way, convince)
• Purposeful and insistent
• Rigorous and disciplined
• Not merely esoteric, hypothetical or academic
• Put away the pom-poms; self-praise is no praise

10. Reporting

• Risk arrow heat map
• Risk owner report

11. Overall Cultural Model

• Code of ethics
• What do your people do when no one is watching?
• Behaviors you expect and tolerate

12. Risk Culture

• Shared understanding towards risk

13. Deputized Risk Owners

• Subject matter experts
• Hold them accountable
• Don’t be afraid to critique or challenge
• Ensure that people are not just going through the motions (e.g. no changes year-to-year)
• Educate them; understand this is not their day job
• Depend upon them, and their perceptions, heavily
• You are only as good as what they provide
• Be respectful of their time

14. Risk Owner Surveys

• Take the opportunity to ask special, “hot-button” questions each year
• Don’t overdo it

15. Risk Appetite

• High, medium, low
• Tolerances – exact point at which appetite exceeded

16. Configurability

• Collaborate with a vendor having a matching mindset

17. The Fuel of Passion Fuel

• Get excited and stay excited
• How many people have this opportunity?
• Keep turning insights into actions
• Don’t be dragged down by leanness of resources, staggering workload, sometimes-mundane nature of work or undervalued role by others

18. The Importance of Pride

• No slouching
• Do not accept a back seat
• No sloppiness or mistakes should be tolerated; prompts the question – what else is wrong? How can I have confidence in anything?
• It’s a huge job; don’t ever forget that
• Keep the mission statement in mind
• Cognizant of the overall framework that melds together strategic context and tactical execution

19. Transferability to Other Risk-Related Areas

• Every single risk-related area could benefit by adhering to these 20 elements

20. Risk Register

• Organizational (“tree”) view as well as workbench view
• workbench for risk owners
• doesn’t need to be exorbitant $
• seemingly fashionable these days to downplay or disparage importance of the risk register
• ERM One – a viable alternative to:
  • doing without an automated tool or
  • tolerating someone else’s system

Closing Thoughts:

• Get ready for the elevator speech
• Trapped in the elevator with CEO and asked to give him/her your impressions of GRC/ERM priorities in 30 seconds
• No excuses – take the time to do the dirty work beforehand
• Connect the dots, dot by dot
• Build the program, brick by brick
• Bold, presumptuous goal (“World-Class”)?
• Shoot for the moon; even if you miss, you’ll land among the stars
• Common denominators
• Better every day; better than yesterday
• Incremental improvements
• Keep attacking
• Heed the children book classic – “Little Engine That Could”
• Mission: reach the boys and girls on the other side of the mountain
• When it found itself in trouble in trouble, neither a shiny new passenger engine, with all sorts of compartments, or a big strong engine was necessary
• All that was needed was a little blue engine who “tugged and pulled”, “pulled and tugged”
• “I think I can” was converted into “I thought I could”

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One application.

The post Why Settle For Less? Twenty (20) Elements in a World-Class ERM or GRC Program first appeared on DoubleCheck Software.

An ice cream headache, for sure, trying to understand the similarities, differences and connectivity between all these terms.

You need to do it, however.

Simplify, simplify, simplify.

Break it down and truly comprehend everything.

Get ready for the proverbial elevator speech, if the need for one materializes.

Toward that goal, here are several recommendations:

1. Establish Enterprise Risk Management (ERM) as Your North Star

• • This is not meant to diminish or disparage other acronyms but merely to state an undeniable fact that needs to be accepted.
  • ERM is the granddaddy of them all.
  • Every component of all other risk-related acronyms or topics emanates from ERM or the framework established around ERM (Risk Management Framework).
  • In other words, the world revolves around ERM.
  • If you don’t like that fact, get over it.
  • Get on with the business of managing risk.

2. Don’t: Quibble, Be Smarter by Half, or Get Hypothetical, Esoteric or Academic with your Language

• • Every word matters.
  • Take no chances.
  • Leave nothing up in the air.
  • Use precision in all matters in such an important discipline.
  • Several useless debates, for example:

1. 1. 1. Three Lines of Defense vs Three Lines of Responsibility. Use the former.
      2. ERM vs Integrated Risk Management (IRM). Use the former.
      3. ERM vs Strategic Risk Management. Use the former.

3. It’s All About the Risks, Stupid

• • I say this with affection, and as a reminder to myself, as much as to others.
  • Easy to lose sight of.
  • Treat risks as if you are bare-naked; do not rely on the safety blanket of insurance.
  • Remember: in the long-term, you will pay all your losses.
  • Another way of saying this: if a company had the financial wherewithal, it could (and should) self-insure all risks. No insurers, no brokers – just risk managers.
  • Imagine that.
  • GULP! 

4. The Risk Register

• • It can also be termed a Risk Universe; that’s OK
  • It’s not, however, a Risk Taxonomy (ouch, that sounds painful) or a Risk Catalog (when did we end up in the library?)
  • Call it Severity, not Impact, so that everyone in the organization is on the same page.
  • Define Severity in multiple ways, Using a 1-5 Rating Scale (e.g. Financial (% of Capital), Brand/Reputation, Regulatory Intervention, Strategic)
  • For the same reason, call it Likelihood, not Frequency.
  • Define Likelihood in a temporal manner, using a 1-5 Rating Scale (e.g. significant event happening every one, 5, 10, 25 and 50 years)
  • Bottom line: the fewer terms you use and the more rock solid certain those terms and definitions are, the better

5. ERM vs GRC

• • GRC is a well-accepted, more bite-sized, subset of ERM, plain and simple.
  • The R (Risk) in both acronyms is identical – refers to ERM
  • The C in GRC is Compliance, an operational risk in the ERM risk register as well as one of the foundational components (Culture and Ethics) of ERM
  • Finally, G refers to both Corporate Governance, an ERM Operational risk, as well as to another ERM Foundational component, namely Governance. There, the various roles and responsibilities in the ERM equation are definitively laid out (e.g. Three Lines of Defense)

6. ERM vs Compliance

• • As stated above, the C refers to Compliance, an operational risk in the ERM risk register
  • There is nothing to prevent the Compliance function from deciding to further break down that exposure into sub-risks, in order to better delineate and manage on a more granular basis. (The last company I worked for broke down Compliance into 62 such sub-risks)

7. ERM vs Internal Audit

• • Internal Audit plays a vital 3^rd Line of Defense role in all risk matters
  • Audit Planning should align with risk priorities
  • Certain risks on the ERM risk register are more logically tied to Audit (e.g. Fraud); Head of Internal Audit could, in fact, be risk owner for those exposures

8. ERM vs ESG

• • The G (Governance) in ESG has already been covered, within ERM.
  • The S (Social) in ESG can be tracked to the ERM foundational component of Culture (Overall Cultural Model, Ethics and Compliance).
  • E, for Environmental, will align with the Climate Risk particulars enumerated on the ERM risk register.

9. ERM vs DEI

• • There is not a more important risk related acronym on the horizon today than DEI (Diversity, Equity and Inclusiveness)
  • Start before you are ready on this – just get going.
  • If it needs improving, do so tomorrow from the base of today.
  • All of these items (DEI) need to be embedded in your Cultural Model, a vital ERM foundational component.
  • A crucial ERM risk like Human Resources – Management Development needs to be appropriately expanded and honed to yield the type of organization you want. How do you develop diverse talent, then grow and mentor them?
  • You need to operationalize DEI throughout the culture of the organization.
  • Set up key risk indicators (KRIs) in your ERM risk register to allow you to monitor – and constantly improve – your controls.
  • Like ERM, DEI is an iterative, evergreen process.

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One application.

The post De-Mystifying (and Explaining the Connection Between) Risk-Related Acronyms and Phrases first appeared on DoubleCheck Software.

From a vendor’s perspective, GRC refers to an automated suite of capabilities designed to address a broad range of challenges associated with critical disciplines managed by the client (e.g. compliance, risk management, audit, corporate governance etc.), allowing that same company to reduce uncertainty, achieve the entity’s key strategic objectives and meet its stakeholder obligations.

Again, that perspective on GRC, which sounds straightforward enough, is being viewed through the eyes of the vendor.

Probably the same for every vendor, right?

Not so fast.

More holistically, would it be identical to how the client defines GRC?

Another no.

Let’s look at the delineating factors.

From a vendor perspective, what comprises each individual GRC system is totally dependent upon each vendor.

Simply put, not all systems are created with identical features.

The rationale is straightforward and understandable.

Look no further than the broad construct of the GRC umbrella – consisting of risk, compliance and a final element of governance that, drilling down to more specific risks, can be incredibly broad and wide-ranging (e.g. audit, corporate governance oversight, policy management, fraud, model, ESG, AI etc.).

It’s not hard to understand how the inevitable differences in system emphasis and packaging could (and do) result.

As a consequence, the GRC marketplace has found itself flooded with competing vendor-centric solutions, each seemingly in search of the next, new GRC challenge.

A skeptic could argue that each successive GRC solution becomes more inflexible, costly, complex and/or esoteric than the prior one.

With all these drivers, the “ask” of the GRC client often becomes to:

• Accept a system that is unwieldy and inflexible
• Tolerate system features that you don’t need
• Sacrifice other elements that you (or your Board of Directors) really want
• Endure a bevy of reports, scorecards etc. that are neither pertinent nor understandable
• Tolerate service standards that seem average, at best

Needless to say, this is not really music to the client’s ears.

From a client’s perspective, therefore, the pursuit of a GRC solution all too often narrows to a choice that is best termed as “one-size-fits-all” or “take-it-or-leave-it”.

That’s not the way it’s supposed to be, if you roll back the tape and try to comprehend what GRC means, at the 40,000 foot level.  Maybe it’s time to take all this in and perform a sanity check of your GRC system.
After all, system capabilities and design should be all about the client.

With that in mind, how does a client think about GRC and, as a result, how should the vendor “ideally” design the system to meet those client needs?

First, the basic governing premise for GRC needs to be established, as follows:

The profound, pervasive and vitally important challenges that drive GRC emanate from the company, not from the vendor.

This principle, which always has been, and always will be, true, cannot be overstated.

It’s not about forcing the client to perform contortions – and sacrifice functionality – to align with an inflexible, rigid tool.

As a 35-year real-life practitioner in the GRC space (25 years as a corporate risk manager and 10 years in the ERM Governance and Disclosure world), I know whereof I speak.

While the concept of GRC is said to have been created over 20 years ago (2002), the underlying challenges actually constituting those GRC exposures have been around forever.

They were certainly there in front of me on my first day as a risk manager in 1985, well before that “umbrella” concept of GRC was “created” and/or the first automated tool was developed.

Having said that, and mindful that there is no one “best” prescribed system or solution, it can be stated with certainty that a GRC automated tool should possess the following attributes:

• Capable of evolving and growing over time
• Potential upgrades should be straightforward
• Solution must be dynamic, nimble and agile
• As such, it should be configurable
• Can be either modular or holistic
• Data must be able to be shared across modules
• There needs to be cross-functional coordination
• The system must be unified and linkable
• There should be rich, robust functionality
• The system needs to understand the business context of the company (what it does) as well as its culture and stakeholders
• GRC strategy must be aligned with the overall business objectives
• The tactical execution for each of the constituent parts of the GRC automated application must be part of the tool
• Monitoring of GRC system performance must involve a robust, fully-embedded business intelligence platform

With all these features in hand, a unified approach to GRC capabilities within the overall solution should allow a company to leverage GRC information across the enterprise.

By linking key elements across risk, compliance, audit and corporate governance (as well as related disciplines), the solution should be able to streamline processes and maximize utilization of information dashboard and analytics that cross boundaries.

Similarly, linked solutions reduce overlap, share overall insight, reuse work and tackle siloed GRC responses while securing what’s private.

A representative listing of GRC system activities might be, as follows:

Compliance

• Document controls, assess performance, manage exceptions
• Tools to manage regulatory change and document compliance framework
• Test or assess performance, manage remediation and share status results with stakeholders
• Financial (SOX, PCI); Industry (NERC, HIPAA); Departmental (HR, IT)
• Approvals, Attestations, and Certifications

Risk

• Systematic approach to identify, assess, mitigate and monitor risks
• Centers on risk register
• Empower Risk Owners to manage and assess their own topic risk set
• Goal is to collaborate with risk owners and other internal and external associates in a clear and transparent manner
• Board-level reports and scorecards should be available to be generated in order to assess performance and establish risk priorities

Audit

• Program definition based on client-specific reporting
• Management insight into audit execution and planning
• Management review, overrides to final plan
• Engagement planning
• Electronic workpaper management
• Issue and remediation management

Governance

• Policy definition
• Policy review and renewal
• Demonstrable performance

Other GRC-Related Activities

• Model risk surveys, including reliance on Artificial Intelligence (AI)
• Fraud-risk studies
• Cyber risk (information security)

Summary

An “ideal” GRC solution revolves around specific customer needs. Enterprise GRC software that supports Compliance, Risk, Audit or Governance needs should be highly configurable solutions that can be tailored to a company’s users, data and processes. Embedded Business intelligence features should generate dashboards and reports that are needed for internal and external purposes. GRC Solutions should support business processes, not the other way around. Each of the components of GRC are integrally linked to the achievement of a company’s corporate objectives.

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One application.

The post Governance, Risk and Compliance (GRC) – Pursuing the “Ideal” Frame of Reference first appeared on DoubleCheck Software.

Part A – Strategic Risk Context

Key Element 1:  Describe Business Profile and Brand

• What does your company do, per the information in the “Core Business” category of your Risk Register?
• What are your unique business characteristics and drivers of success?
• Where does your reputational risk emanate from?

Key Element 2:  List High-Level Business Goals (examples shown below)

• Achieve Targeted Performance
• Preserve Capital Adequacy
• Maintain Liquidity
• Protect Franchise Value/Reputation

Key Element 3:  Customize an Enterprise Risk Management (ERM) Mission Statement

Example: “ERM is the process to identify, assess, mitigate and monitor enterprise-wide risks that might impact the company’s ability to achieve its strategic business objectives.”

Key Element 4:  Develop, and Live By, an Overall Company Cultural Model

• Who We Are (e.g. high-performing, inclusive and equitable)
• What We Recognize and Reward (e.g. transparent meritocracy)
• Behaviors We Expect (e.g. mandatory ethics and Code of Conduct)

Part B – Risk Foundation

Key Element 5:  Establish Risk Governance Structure

• Roles and responsibilities portrayed either vertically (top-down and bottom-up) or horizontally (three lines of defense)

Key Element 6:  Set and Maintain Risk Appetite(s) and Tolerance(s)

• Risk appetite represents general willingness (high, medium, low) to assume risk and expose capital to risk of loss
• Risk tolerance reflects the specific pre-defined threshold(s) at which appetite might be exceeded, triggering management notification, assessment and/or corrective action

Part C – Tactical Risk Execution (4-step process)

Key Element 7:  Identify Risk on an Iterative Basis

• Universe of risks, in an enterprise-wide risk register, within four categories (Financial, Operational, Strategic and Core Business)
• One risk owner per risk, to establish accountability
• Causes and consequences listed for each risk, to set context

Key Element 8:  Assess Risk in Consistent and Transparent Manner

• Severity and likelihood, both before controls (inherent) and after controls (residual)
• Risk direction and velocity, as well
• Rating scales utilized must be consistent and easily-understood

Key Element 9:  Mitigate Risk Severity and Likelihood to an Acceptable Residual Level

• List controls individually
• Insist upon the greatest degree of specificity possible in control description (e.g. performed quarterly, escalation provision etc.)

Key Element 10:  Monitor Risk on an Ongoing Basis

• Execution of wide variety of processes by risk-related bodies (e.g. Risk Committee)
• Pinpoint prominent metrics, such as key risk indicators (KRIs)
• Prepare applicable risk reports prepared for internal and external dissemination

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One application.

The post Ten (10) Key Elements in a Robust Risk Management Framework (RMF) first appeared on DoubleCheck Software.

Connected at the hip.

Nothing in ERM appears “out of the blue”, therefore.

Last month, for instance, we told you that a robust and meaningful ERM program might consider adopting a concise ERM mission statement, one that ties together the “what” and “why” of ERM something like this:

“Enterprise Risk Management (ERM) is the process to identify, assess, mitigate and monitor all enterprise-wide risks that might impair the company’s ability to achieve its strategic business objectives.”

In short, we offered the opinion that an ERM mission statement could help underline the fact that the achievement of strategic business objectives depends upon the four step process involved in the tactical execution of risk.

That four step process – identify, assess, mitigate and monitor – is performed over and over again, on an iterative basis.

Now, seamlessly, we move onto our views on ERM reporting.

Specifically, it is our opinion that, in order to monitor the ongoing success of that centerpiece ERM mission statement, it is incumbent upon an ERM program to develop a powerful ERM reporting regimen that is built upon the following five (5) pillars:

1. Link ERM Reporting to an Embedded and Fully-Integrated Risk Register
2. Champion ERM Governance and Accountability
3. Insist upon Transparency and Clarity in ERM Reporting
4. Promote Risk Culture throughout ERM Program and Reporting
5. Demand High Quality Reporting for All Stakeholders

A more complete explanation of those five (5) pillars:

1. Link ERM Reporting to an Embedded and Fully-Integrated Risk Register

• Avoid: garbage in, garbage out.
• By contrast, aspire to: quality in, quality out.
• Risk reports will only be as good as the efforts devoted to the thankless, hard work involved in compiling and maintaining the underlying risk register.
• Reports need to link up with, and flow directly and automatically out of, a company’s fully-operational and totally-embedded risk register.
• There is no mystery to this: in ERM, everything needs to works together, in lockstep.
• There are no risk universe gaps that are acceptable.
• The universe of risks needs to be arrived at after systematic categorization and careful identification of all possible risks.
• Nothing less than 100% commitment to the discipline of ERM, as well as full adherence to an overall enterprise risk register system, will work.

2. Champion ERM Governance and Accountability

• What is the key ERM governance shortcoming that a company should be trying to avert?
• Simply put: failure to assign responsibility to the appropriate Risk Owner(s).
• All it takes is one critical risk to be overlooked.
• Most recent egregious example of ERM Governance malfeasance – Silicon Valley Bank (SVB)
• In that case, the Chief Risk Officer (CRO) position for SVB was left unfilled for an unconscionable eight (8) months.
• How can something not go wrong with such gross malpractice?
• ERM Governance Step #1: Establish Risk Manager or CRO as person in charge of overall ERM program and responsible for risk universe oversight.
• ERM Governance Step #2: Assign one Risk Owner for each risk in the universe – operative precept for this is “Buck Stops Here”.
• ERM Governance Step #3: Demonstrate the proven, embedded nature of ERM by detailing the Three (3) Lines of Defense responsibility for each individual risk control.

3. Insist upon Transparency and Clarity in ERM Reporting

• Bottom line: what good is reporting if nobody understands the particulars?
• Risk Owner Report “tells the ERM story” in a logical and sequential manner: chronicling causes, consequences, controls and key risk indicators (KRIs) for each risk.
• Word format for that Risk Owner report allows risk owners to update “story line” as needed.
• With story in place, Risk Owner can then move on and properly rate metrics for each risk (severity, likelihood, direction and velocity).
• “Pop-ups” should be provided in the ERM tool in order to make rating process understandable, transparent and consistent, across the universe.
• Ratings need to be straightforward and intuitive, especially since Risk Owners may have no background in ERM but are still deputized to be Risk Owner once a year.
• Key point: don’t make this an academic, hypothetical or open-to-debate exercise.
• “Just do it”.
• Prioritization of risks will follow automatically, based upon ratings.
• Ratings will point company to best use of resources and time, around the subject of risk.

Comprehensive Risk Report

4. Promote Risk Culture throughout ERM Program and Reporting

• Definition: shared understanding and behavioral attitudes of the company’s employees towards risk-taking.
• Answers the question: “Is everyone on the same page with regard to risk management?”
• Undeniable fact: no place to hide when there is a cogent reporting mechanism in place.
• Responsibly and teamwork is demanded of everyone.
• Everyone needs to understand what’s at stake (satisfying ERM mission statement) and what’s to lose if tactical execution of ERM does not lead to strategic business objectives being met.
• Logical extension: link remuneration, at least in part, to the successful management of risk.

5. High Quality Reporting for All Stakeholders

• Simultaneously satisfies internal (Board) and external (Regulatory) reporting requirements.
• Different constituencies have their own unique reporting needs.
• Risk arrow heat map indicates both inherent and residual risk values for each risk and demonstrates the impact of (and reliance upon) controls.
• Ideal situation is one where there is a fully-embedded ERM platform able to handle all of reporting needs without downloading reports into a separate tool, like Power BI.
• Effective reporting leads to actionability around risk tolerances and appetite.

Risk Scorecard – Cyber Security

Very simply, the engine that drives powerful and impactful ERM reporting is the risk register.

ERM One is a revolutionary, yet straightforward, risk register application that DoubleCheck LLC has developed, based upon what it has been privileged to learn from clients over time.

It is an out-of-the-box tool that delivers an integrated ERM process together with a comprehensive, high-level categorization of exposures (Financial, Core Business, Operational and Strategic), fully loaded with over 60 pre-populated risks to be used as a starting point for the risk register.

ERM One incorporates into one, intuitive turn-key risk register product the best-practices tools and content to help optimize ERM and thereby put your firm on a path to achieving its strategic business objectives.

Click HERE to download a FREE copy of our ERM One white paper.

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One application.

The post Five (5) Pillars of Impactful Enterprise Risk Management (ERM) Reporting first appeared on DoubleCheck Software.

The successful management of risk, therefore, is integrally connected to the achievement of the company’s strategic objectives.

Enterprise Risk Management (ERM) is an essential discipline that all companies need to install, embed, and inculcate into the organization, in order to:

• Set risk priorities and actionable resource allocation.
• Uncover organizational weaknesses.
• Expose hidden, value-add opportunities to exploit.
• Assure the active and continuous process surrounding the management of risks, since the universe of company risks doesn’t manage itself.
• Enable the timely flow of risk information to all company stakeholders
• Gain support from organizational leadership (people with a true and holistic view of company) since those individuals are the key decision-makers who establish budgets and allocate resources.

As a vital first step towards the establishment of a robust and meaningful ERM program, all companies should develop and agree upon a mission statement for that critically-important discipline of ERM, one that:

• Explains the here-and-now (not aspirational) purpose of ERM
• Centers on actionability, not empty buzzwords or jargon
• Is succinctly expressed, intent upon inspiring understanding, consensus and transparency
• Combines ERM strategy with its tactical execution

To address all those points, how about considering adoption of this concise mission statement, one that ties together the “what” with the “why” of ERM?

“Enterprise Risk Management (ERM) is the process to identify, assess, mitigate and monitor all enterprise-wide risks that might impair the company’s ability to achieve its strategic business objectives.”

Every word matters in this ERM mission statement. It is boiled-down, simpler-is-better, with eyes always on the ERM “reason-for-being”.

Specially, the ultimate goals of the ERM mission statement are to:

• ensure ERM is given its full importance within the organization, not perceived as an adjunct to other corporate functions, like Compliance or Internal Audit
• establish ERM as a pragmatic and usable regimen, not some stand-alone, academic hypothesis, to realize its maximum impact
• pinpoint the risk register – covering the universe of all enterprise-wide risks – as the centerpiece and starting point of all ERM activity
• underline the iterative, four-step tactical execution process (identification, assessment, mitigation and monitoring) associated with ERM and that company risk register universe
• meld together the ultimate strategic importance of ERM in ensuring that the attainment of key high-level company objectives (e.g. earnings performance, capital adequacy, liquidity, reputation) are best promoted

Quite simply, the engine that drives a powerful ERM mission statement is the risk register.

Toward that end, ERM One is a revolutionary, yet straightforward, risk register application the DoubleCheck LLC has, over time, been privileged to learn from its clients.  ERM One is out-of-the-box tool that delivers an integrated ERM process together with a comprehensive, high-level categorization of exposures (Financial, Core Business, Operational and Strategic), fully loaded with over 60 pre-populated risks to be used as a starting point for the risk register.

In short, ERM One incorporates into one, intuitive turn-key risk register product the best-practices tools and content to help optimize ERM and thereby put your firm on a path to achieving its strategic business objectives.

About the Author:

Michael Cawley is a risk management executive with a 35 year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One application.

The post The Compelling Case for an ERM Mission Statement first appeared on DoubleCheck Software.