A well-established enterprise risk management (ERM) program can be crucial to helping an organization achieve its strategic objectives. But how can organizations implement an ERM program that drives corporate performance?
For most organizations it is an evolving process that takes time and effort to achieve. Effective ERM requires a comprehensive view of multiple risk types and their impacts on each other and in aggregate—and technology can play a big part in this.
Below are 15 functional technology capabilities that are needed to support a successful ERM process.
1. Maintain a comprehensive risk repository
Having a centrally maintained risk repository that all stakeholders can access, with real-time updated information, is critical. Everyone needs to be making decisions off the same source of information. As things change (and we all know they will!), this ensures there is one source of truth.
2. Link risks to strategic objectives
ERM should be put in the context of an organization’s strategic objectives. Looking at risk through the lens of your strategic objectives allows you to see accumulation and interaction of risk as it relates to the key things your organization is striving for. This allows you to see where your weak spots are so that resources can be directed at the right initiatives.
3. Map risks to policies, processes and control objectives
Mapping risks to policies, processes and control objectives can help you prioritize resources. It’s extremely important to quantify risk treatment and response, so that resources go first to the areas with the highest risk or the least coverage.
4. Connect to risk management frameworks and regulations
Map frameworks, standards and regulations to your internal controls to track regulatory compliance. While COSO and ISO are both valuable risk management frameworks, they are sometimes too theoretical and can be hard to apply. This is where technology can come in and apply those frameworks for you (so you don’t have to).
5. Connect to data from a wide range of sources
Having access to data to measure, monitor and predict risk is extremely important. Without data, risk assessments can be highly subjective and biased by opinion. Meaningful data to inform risk assessment can help your organization maximize performance and monitor any changing risks in real time.
6. Analyze massive amounts of data to identify risks and anomalies
Being able to analyze 100% of transactional data to detect, prevent and predict risk events gives organizational assurance. Without the use of technology, analyzing data in your organization would be near impossible. In my experience, most organizations have data in disparate systems and it can be a big challenge not just to access the data, but also to blend it together in meaningful ways.
7. Libraries of specialized analytics
Building on analytics, we know that 60% of business processes (e.g., accounts payable, payroll and vendor management) are common across different organizations. The other 30% are industry specific (e.g., banking, insurance and healthcare). The final 10% are often organization specific. Analytics designed to automate the monitoring of common key controls and processes and industry-specific needs can save you a lot of time and have you up and running with continuous monitoring in a few days.
8. Data visualizations and trend analysis
Having to manually put together aggregate information is time-consuming and prone to error. Imagine you have a risk register in Excel and you build heatmaps in PowerPoint. What happens when your risk assessment changes? How can you ensure that your heatmap and risk register are aligned and in sync? Technology can remove this manual burden by providing out-of-the-box data visualization tools and heatmaps and making them available to everybody with the most up-to-date information. It can also show you how your risk assessment has changed over time.
9. Smart exception monitoring
Monitoring risks, controls and processes isn’t very useful if no one knows when something bad happens. Manual checking of reports and email is too slow and more likely to fail. Technology can automate routing of issues and exceptions and ensure that proper escalation happens when problems are not resolved in a timely fashion.
10. Smart response management
When problems are identified, being able to centrally track, manage and remediate them is critical to ensuring that proper measures are in place. Technology can ensure that everyone is aware of the status, can collaborate in a central place, and can capture additional evidence or information. Technology also provides workflows to ensure proper steps are taking place and appropriate people are involved in resolving issues.
11. Questionnaires, surveys and attestations
A good risk management program will not only analyze transactional data, but will also attempt to gather, aggregate and analyze information from the people who manage the day-to-day operations of an organization. This is best done with surveys powered by technology. Surveys offer a convenient way to gather information from a lot of people in a consistent way so that it is easy to identify trends and find common themes. This is helpful during risk identification and assessment, and even for monitoring purposes.
12. Manage and monitor hotlines
Risk and incident hotlines can provide an escalation process within risk management teams. Risk event forms or hotlines are an effective way to provide a central place for employees to report incidents, risk events, or even fraud and theft. Using technology to gather these events and send them to appropriate teams for follow up is crucial to building a good risk management program.
13. Risk scoring
Technology can enable a consistent risk assessment process across the business. Being able to assess risk on impact and likelihood (and potentially other factors like velocity) is important for organizations in making critical decisions and prioritizing risk response efforts. Technology can help create a consistent approach to risk assessment and automate the scoring models and heatmaps.
14. Dashboard views of risk monitoring and assessments
Real-time dashboards are essential for key stakeholders to monitor and report on key risk indicators. Customizable dashboards give executives and stakeholders access to the information they deem most important in making key decisions that affect performance.
15. Integrate specialized risk management systems
Embracing a culture of open data makes it possible for the organization to aggregate and blend data in meaningful ways. No organization has one system to manage their business. In the new age of technology, organizations use the best tool for the job and that often means that a variety of technology will be used for various activities. Technology makes it easy to integrate data across systems, both from workflow and data analysis perspectives.