Risk convergence and implicationsfor GRC technology solutions

Security breaches involving customerrecords and multibillion-dollar lossesarising from rogue trading activitiesare just some of the high-profile risk eventsthat amplify the critical importance ofgovernance, risk and compliance (GRC) toa firm’s economic health. Meanwhile, thereverberations of the subprime crisis havedramatically affirmed the interdependenceof varied risks across an enterprise, whichneed to be managed holistically rather thanin traditional silos.
Managing risk and compliance in silosis both cumbersome and costly. For eachnew regulation or risk discipline, organisationstypically implement a new technologypoint-solution. This fragmented approachlimits an organisation’s ability to streamlinerisk and compliance processes, and reducecosts. It also obscures the opportunity tointegrate risk and compliance to gain aholistic view of the firm’s risk landscape.
Not surprisingly, the frequency of riskevents that create negative headlines, andthe inefficiency and ineffectiveness of asiloed approach, are generating renewedinterest in the convergence of GRC withinthe firm. A recent Ernst & Young studyshowed convergence is under way at a largenumber of organisations. Yet the survey alsounderscored that, although risk convergenceis in progress, there are no agreed-upon bestpractices. When it comes to risk convergence,firms are for the most part still on thelower half of the learning curve.
There is confusion about the benefits ofGRC convergence because the industryuses the terms ‘enterprise risk management’(ERM) and ‘risk convergence’ interchangeably.ERM attempts to integrate risk disciplines,such as operational, compliance,strategic and technology, to achieve a holisticview of risk exposure across the enterprise.This enhances the visibility into the firm’srisk landscape, which enables improved,risk-informed business decisions.
Risk convergence, on the other hand,addresses inefficiencies and opportunitieswithin the ERM framework to maximisethe cost benefit of conducting risk managementprocesses. The primary goal is toachieve practical process improvement thatresults in efficiencies and cost saving.
Convergence within a GRC frameworkis aimed at achieving both ERM andrisk convergence objectives. It helps therisk organisation to reach the next level– controlling costs, achieving efficiencies,managing risk and providing better supportfor business decision-making.

What needs to be converged

The COSO II ERM Framework shown infigure 1 illustrates the key dimensions of riskconvergence: risk disciplines, GRC processesand risk granularity. The risk disciplines(columns) in the COSO mode include strategicrisk, operational risk, reporting risk (forexample, financial controls such as Sarbanes-Oxley) and compliance risk. Depending onyour firm’s industry and specific objectivesfor GRC, you might add additional disciplinessuch as market risk, credit risk andtechnology risk.
Whatever risk disciplines are significantwithin your firm, the goal is tointegrate them within a single frameworkthat produces a holistic view of your risklandscape. However, many technologysolutions focus on a single risk discipline,such as operational risk or compliance.These solutions might be appropriate fora siloed approach but they usually lackcritical capabilities that are required forGRC convergence.
The rows in the COSO cube represent thedifferent risk and compliance processes thatare involved in an integrated GRC framework.The objective is to integrate activitiesboth across columns and across rows. Forexample, you would not want to have onesystem for managing risk assessments foroperational risk and a different system forcompliance, or different systems for handlingloss events separate from risk assessments.
The third dimension in the COSOTechnology often provides point solutions for specific risk disciplines, but better results can beachieved if risk management is converged within a single framework. Patrick O’Brien of OpenPagesoutlines the principles of effective GRC convergence and the implications for technology solutionsRisk convergence and implicationsfor GRC technology solutions26 opriskandcompliance.comWhen it comes to riskconvergence, firms are for themost part still on the lowerhalf of the learning curveOpenPages.indd 26 23/5/08 14:32:07model – risk granularity – is extremelyimportant for operationalising an integratedGRC framework. In the COSO cube yousee four levels of the business entity structuredepicted but, in practice, there couldbe any number of levels in the entity hierarchy.There are other hierarchies, such asprocesses and accounts, that also need to berepresented within your GRC framework.
The level of granularity at which GRCprocesses, such as risk assessment andrisk measurement, are carried out will bedifferent across risk disciplines. For example,strategic risk will tend to be conductedat a high level, while Sox will be carriedout at a much lower level of granularity,especially in terms of processes, risks andcontrols. It is important for your technologysolution to have the flexibility tosupport the right level of granularity forthe different risk disciplines and the rightlevel for your organisation.

Principles of GRC convergence

Now that we have discussed what needs tobe converged, we will look at the key principles/requirements of GRC convergence andthe implication for technology support.

Principle 1: Resist theone-size-fits-all approach

GRC, similar to most business functions,is not a one-size-fits-all solution. It has tobe tailored for each firm. As Mark Olsonof the Federal Reserve notes: “An effectiveenterprise-wide compliance-risk managementprogramme is flexible to respond tochange and it is tailored to an organisation’scorporate strategies, business activities andexternal environment.”While most leading companies havetailored their risk methodologies to matchtheir business operations, it is imperativeto select a technology solution that caneasily adapt to your firm’s unique risk andcompliance methodology and evolve gracefullyover time.The ability to adapt the technologysolution to your company’s specific riskmanagement methodology and framework,without having to write custom code, iscalled configuration. The key businessbenefits of configuration include:

  • Lower costs: custom code is moreexpensive to develop for initial implementationand much more expensive tomaintain and extend over time.
  • l Time to deployment: Configurationcan support rapid implementation ata fraction of the time it takes to writecustom code.
  • Future proofing: Configuration willallow you to quickly adapt your riskframework to meet changing requirementswhile minimising the impact onyour business operations.
The extent to which your technology platformis configurable is arguably the mostimportant decision criterion for selecting asolution.

Principle 2: Convergence should enableyou to assess once and satisfy many
The GRC framework should provide aconsistent approach across your organisation’sbusinesses by establishing minimumstandards for risk management. This willensure that risk policies, principles andprocedures are adequate and effective. Byeliminating risk and compliance managementsilos, and harmonising risk and complianceactivities, you can greatly reduce theburden on the business lines, avoid ‘assessmentfatigue’ and free-up resources to focuson achieving goals.
Your technology solution plays a criticalrole in the effort to converge and harmonisemethodology and processes. The technologysolution serves as a common repositoryfor all GRC elements, including frameworks,risk and control libraries, policiesand procedures, and other elements of yourrisk rating methodology. By implementinga single assessment and sign-off process,you can eliminate duplicated and redundantactivities.
To achieve a holistic view of risk acrossthe business your firm will need to establisha common language for risk activities,which involves creating a rating methodologyfor all risk data, such as loss events,risk assessments and key risk indicators.The technology solution can help enforceconsistency by supporting GRC libraries,risk categorisation, calculated fields (forexample, computing risk ratings basedon likelihood and severity) and field datavalidation (for example, enforcing thatcertain fields are required to be filled infor operational risks and different fieldsare required for compliance risks). Thecommon language will be specific to yourfirm so configurability is a critical capabilityfor supporting this principle.

Principle 3: Convergence requirescollaboration and co-ordination
A comprehensive approach to managingrisk enables organisations to reduce duplicationof effort, increase efficiency and makesmarter business decisions. This comprehensiveapproach requires integrating riskand compliance management processesacross the different functional and businessgroups. The key players include:

  • corporate risk and compliancefunctions;
  • internal audit;
  • corporate functions such as finance andIT; and
  • business lines.
Accommodating the sometime conflictingrequirements of these different constituenciesis critical to a successful implementation.Different functions withina company will want to tailor risk practicesto match their business needs. Forexample, to support Sox requirements, thefinance and audit teams might conductvery detailed, qualitative risk-control selfassessments(RCSAs) for financial processes.
Operational risk, on the other hand,might want to perform higher level quantitativeRCSAs for key business processesacross the enterprise.
The technology solution should enable theunification of your GRC initiatives withina single enterprise system. Through a singlesystem of record and a set of platform services,you will be able to co-ordinate multiplerisk disciplines, allowing functional groupsand business lines to efficiently manageintegrated risk and compliance processesthroughout the business.
Through configuration, your technologysolution should enable you to provideeach of the different functions their ownspecific views of key GRC elements such asrisk, controls and assessments. The goal isto leverage what is common but allow fordifferences where they are required.
Workflow is a critical factor in co-ordinatingthe activities of the different functions.
Workflows should be easy to configure tosupport the different GRC processes of eachfunction. Workflow can also help synchroniseactivities across functions; for example,enabling the operational risk (ORM)function to leverage RCSAs performed bythe Sox team. Workflows should automatethe scheduling of tasks and help to ensureconsistency across different functions.

Principle 4: Convergence requires acultural change
The Ernst & Young survey states thatpeople issues are the primary barrier toconvergence. For many people, convergencebecomes a ‘turf battle’. Others viewconvergence as a distraction that can dilutetheir efforts. Many view it as a significantchallenge that will demand resources.Successful GRC convergence requires aculture change that is driven by leadershipfrom the top, while technology can be animportant lever. Some of the key goals forcultural change should include:

  • making risk management a part ofeveryday business activities;
  • internal audit;
  • empowering people by making everyonein the company a risk manager; and
  • providing risk information that isactionable..
Risk management should be viewed asa competency that is embedded in theorganisation, and incorporated in everydayprocesses at all levels of the organisationto produce a competitive advantage.
Senior management must make theprogramme a high-priority initiativethroughout the company, and foster aculture that emphasises the central importanceof ethical behavior, quality controland risk management.
Technology can assist the transition andcan be the rallying point that helps promoterisk awareness and allows you to institute asupportive risk culture within the organisation.Automated risk processes can helpto build accountability and distribute GRCownership into lower levels of the organisation.Your technology solution can facilitatetraining and awareness and help to engagebusiness users by providing actionableinformation that provides better visibilityinto their risk landscape.

Principle 5: Risk management mustbe actionable
A common mistake for many risk convergenceefforts is to focus too much attentionon supporting the requirements of seniormanagement (for example, dashboardreports), while neglecting the needs ofpeople in the business who are the first lineof defence for risk management.Your technology solution should playan important role in helping to make riskmanagement actionable. The key requirementsinclude:

  • making the solution easier to use fordifferent, sometime infrequent, users;
  • presenting relevant data to the user(rather than forcing them to seek it out);
  • ensuring consistency across GRC processes;and
  • exciting and empowering users, ratherthan frustrating and confusing them.
A great way to bring relevant data to theuser is to have a home page that can beeasily tailored for different types of users.For example, control testers should havea list of controls that need their attentionand assessment reviewers should see theassessments they need to perform. All usersshould have issues and action items on theirhome page so they know what remediationefforts require their attention.
A great way to bring relevant data to theuser is to have a home page that can beeasily tailored for different types of users.For example, control testers should havea list of controls that need their attentionand assessment reviewers should see theassessments they need to perform. All usersshould have issues and action items on theirhome page so they know what remediationefforts require their attention.
  • route risk and compliance activities tothe right people at the right time;
  • monitor risk and compliance activitiesand track subsequent actions;
  • establish triggers and points of escalationso the responsible managers are notifiedand aware when action is required; and
  • notify managers when identified actionis not taken.
The technology solution can be a great aidto the user if it can easily pull together theright data into a single view that supportsthe activity being performed. The alternativeis that the user has to navigate through thesystem to find the relevant data and for infrequentusers this can be a daunting task.GRC information should be communicatedup, down and across the organisation, soreporting is a critical component for makingrisk data actionable. To support analysis, decision-making and action, reporting needs tobe timely, accurate and flexible. The presentationof data is important and should includegraphs, charts, trends and dashboards.

Principle 6: Assume risk is everywhereand make it the focal point
Risk is everywhere in the organisation.There is risk to business objectives, riskto processes, risk to new products, risk ofnon-compliance to regulations, third-partysupplier risk and so on. To adequatelyunderstand risk within multiple disciplines,you need to be able to assess risk to multipleGRC elements.
For example, for strategic risk assessmentsyou will want to perform high-level, topdownrisk assessments at some level in yourbusiness entity hierarchy. If you are performinga financial controls assessment you mightbe concerned with risks to material accounts.You might be focused on risk to key businessprocesses or, if in the compliance group, youwant to understand risk exposure relative tothe regulations that affect your business.Your technology solution must be flexibleand, through configuration, allow youto assess and associate risk to multiple GRCelements. Questions you should ask include:

  • Does the solution force a single view ofrisk, for example, is it process-centric inthat it associates risk only to processes?
  • Can risk be associated to multiple GRCelements such as entities, processes,policies, accounts and regulations?
  • Can risk be categorised at multiple levelsusing multiple taxonomies, for example,Basel II (three levels), COSO or yourown categorisation scheme?
  • Can risk be assessed at the differentlevels of granularity, for example, multiplelevels in the business entity or processhierarchy?
  • Can losses be linked to risks to determinehow risk exposure is trendingversus actual losses?

Principle 7: Risk convergence is evolutionarynot revolutionary
Your risk and compliance methodologieswill change over time as your GRC frameworkevolves and best practices mature. Inaddition, your organisation will change dueto reorganisations, mergers, acquisitionsand divestitures. Your technology solutionmust be able to evolve with you. The technologysolution should enable you to easilymodify the GRC elements that you store inthe system. For example:

  • configure fields without coding – addfields, remove fields, change their labels,change validation criteria and so on;
  • add new types of information – such asa new requirement to assess risk againstthird-party vendors;
  • add new relationships between dataelements – for example, you might betracking losses against the businessesthat caused the loss, but now need toalso associate losses to the businessesthat were affected by the loss.
  • Can losses be linked to risks to determinehow risk exposure is trendingversus actual losses?
If your technology solution is rigid andrequires software code changes to accomplishthe above list, your chances for a longtermsuccessful GRC framework will begreatly reduced.
You should expect to evolve your bestpractices and change your risk managementmethodology over time. If your technologysolution cannot respond quickly to changesin best practices or changes in your business,you will end up with a solution thatdoes not reflect the realities of your businesspractices and does not meet the requirementsof your users.

Summary

GRC convergence presents an opportunityto maximise the cost benefit of risk managementprocesses while also increasing theeffectiveness of risk management througha holistic view of risk across disciplines.Achieving these goals requires an ability toeasily embed risk management into a firm’severyday business processes and the enablingtechnology platform must have a high degreeof configurability to adapt to a company’sunique risk management methodology.
Thus, meeting the increasing demands ofGRC in a large organisation requires effectivetechnology support to manage enterpriserisk in a rigorous and systematic way – acrossthe entire business. Technology can play acritical role in developing and implementingan integrated GRC framework, but it shouldbe used as an enabler, rather than to prescribeprocess and methodology.

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here