Adopting GRC and cyber security to help facilitate enterprise risk management
How to overcome the obstacles to acheivng true enterprise risk management (ERM).
Add bookmarkOrganizational risks are growing as companies become increasingly digital and interconnected. Throughout time, new risk-oriented functions have arisen out of necessity such as cyber security. The result of forming different groups, typically on a reactionary basis, is disparate siloed groups which speak different languages and have different goals.
Also read: Automating enterprise cyber security
Meanwhile, businesses and their IT ecosystems are becoming more complex which results in additional forms of risk. The modern enterprise is digitally connected to partners, customers, and third-party data sources as well as mobile devices, cloud environments, the Internet of Things (IoT) and social.
To identify and close the risk gaps, the diverse risk-oriented groups must be able to collaborate effectively. In addition, organizations should have an enterprise risk management (ERM) group or committee that supplements whatever may exist at the board level so that the entire spectrum of risks can be identified and managed on a day-to-day basis. To achieve all this, organizations are adopting intelligent ERM and integrated risk management (IRM) solutions that help facilitate more effective risk management between and across the disparate functional areas. Those solutions also help risk professionals identify new opportunities for innovation.
This article explains some of the challenges today’s organizations face and how leading companies are driving better outcomes.
The fragmented approach to risk has been reactionary
Traditional risk management, compliance and cyber security are three of many risk-focused areas that emerged out of necessity. Traditional risk management concerns itself with business risks, such as credit and operational risks. Compliance, which sometimes precedes traditional risk management, is driven by regulatory and legal mandates such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Cyber security emerged in reaction to misuse and abuse of new technologies but ultimately to protect digital operations and data from all ranges of internal and external threats.
Each separate risk function operates effectively within the scope of its silo, speaking a different language than the other groups. Meanwhile, their organizations are competing in a global business environment in which entire industries are being disrupted by digital newcomers. The constant and accelerating change has caused companies to partner with non-traditional entities and extend out to non-traditional customers. Similarly, their technological footprint has pushed out beyond the proverbial four walls to mobile, cloud, IoT and social, enabling companies to engage their constituencies in new ways. The growing complexity has created opportunities for bad actors and inadvertent innocents to expose organizations to new forms of risks for which it may not be prepared.
Quite often, risk-oriented departments have been organized to align with the structure of the business. The problem with that is the business is always changing. While it is possible to reorganize a company based on risks and risk categories, more companies are better prepared to enable cross-functional collaboration to improve risk-related efficiencies and effectiveness, including identifying and minimizing or avoiding risk gaps. In addition, organizations should have an ERM function for day-to-day risk oversight that exceeds what a subcommittee of the board can achieve on its own.
The importance of narrow and broad views
Risks are best managed by the people who understand them and are empowered to do something about them. For example, no one understands the causes and effects of cyber security incidents better than a trained cyber security professional. The same is true for other areas of risks including traditional risk management and compliance. So, narrow expertise is essential.
“Board members come to us, and they say, ‘When compliance, cyber, internal audit, and risk management talk to me, they all give me a different top risk. Why can’t they coordinate and make sure I understand what are the top three to five risks facing the organization, not just within the silos?”
Kreg Weigand, partner, internal audit and enterprise risk at KPMG
However, today’s hyperconnected world results in a network effect as it relates to risk. For instance, when a data breach occurs, it tends to impact the cyber security team as well as legal, compliance, finance, and public relations. If the people responsible for managing risks are not communicating and if there is no ERM function with visibility across the affected areas, the enterprise cannot manage the potential fallout effectively.
There needs to be a level of consistency across the groups, which an ERM function can help provide including a risk taxonomy, a control taxonomy, how to identify issues, and how to conduct risk assessments. Similarly, there can be technological systems in place, including ERM and IRM systems, that provide the cross-functional visibility and collaboration capabilities. In addition, all the groups should align with common business objectives, not just the narrow goals of their own groups.
“The maturity of risk management, as a function and as a profession, has come to the point that there’s an awareness that everything is connected and the dependency isn’t just about upstream or downstream business functions, technology, or how we work with third parties. Every piece plays a role, and that three-dimensional connectivity is complex.”
Rik Parker, principal of cyber security services, KPMG
Obstacles to achieving ERM
Culture is one of the biggest obstacles to achieving ERM because culture depends on the alignment of people. To establish an effective ERM function, an organization must define the role of that that group in relation to all the other risk-oriented groups beneath it. Then, the ERM group needs to help ensure that the various risk groups align with common goals and that the groups’ rules of engagement are consistent.
“Can you get buy-in from local areas to be able to do this? Because it’s going to have to be done across business functions. No change management process is painless, but the time you invest in doing [ERM] right will pay dividends for years to come.”
Alla Valente, analyst at Forrester Research
Although higher levels of collaboration have been enabled by IRM systems, for example, the risk groups should understand the benefits of communicating and coordinating with each other so they can work together more effectively. Though individuals and groups tend to work with the company’s best interests in mind, some organizations have had trouble achieving the level of collaboration they aspire to because the company has grown very quickly, either organically or by acquisition, or they lack the structure and processes necessary.
ERM and IRM systems can help facilitate cross-functional collaborative processes. However, effective processes are not the result of implementing a tool.
When the risk functions are collaborating effectively with the proper processes and tools in place, the organization is in a better position to:
- Understand the entire scope of risks
- Avoid doing things that cause risks
- Reduce risks by adding mitigating measures
- Take on more risk
An organization that understands its risk appetite and tolerance can also innovate in new ways by taking calculated risks. Otherwise, the company may take too few risks which limits the potential scope of its or the organization may take on more risks than are wise.
“We like the three lines of defense: The first, second and third. We believe the primary responsibility for managing each and every one of these risks is the first line which is the operational part of the business that runs the organization. The second line of defense is the risk management organization which oversees and challenges us to think through the right topics. The third is internal audit which provides an independent level of assurance.”
Joe Nocera Principal, cyber security and Privacy at PwC
How GRC tools are evolving
The governance, risk management, and compliance (GRC) solution space has been dominated by large legacy players which primarily serve financial services and other highly regulated industries. However, more enterprise software players have entered the market and new players with modern ideas have emerged. In fact, in 2017, Gartner shifted away from GRC tools in favor of IRM platforms that enable “simplification, automation and integration of strategic, operational and IT risk management processes and data.”
More specifically, instead of being so heavily focused on compliance, IRM encompasses six different areas including:
- Digital risk management
- Vendor risk management
- Business continuity management
- Audit management
- Corporate compliance & oversight
- Enterprise legal management
IRM provides actionable insights as opposed to just informational insights. The challenge with the latter is what to do with the information on a dashboard. The new tools, because they represent more than just compliance, understand the first and second lines of defense. They are also incorporating newer technologies such as robotics process automation (RPA), artificial intelligence (AI) and machine learning (ML) so that the system can provide recommendations within the unique contexts of an organization’s risk landscape and the company’s approach to managing risks. Unlike traditional GRC systems which provided point-in-time information based on scans or self-assessments, the newer platforms provide a near real-time view of the environment.
Also read: GRC and cyber security must unite
Another benefit of IRM solutions is the ability to correlate events, the impacts of actions taken, and the outcomes based on a company’s own data, anonymized data from similar organizations in the same industry, and public information. It then provides recommendations based on an analysis of all the data.
Intelligent systems are not magic, nor are they “set and forget” technologies, however. Their accuracy depends on several factors including whether the system has adequate information available to do its job properly, the quality of the data on which it is trained, the extent to which new data has impacted the accuracy of the model, etc.
Executive interview with Scott Bridgen, GRC consulting director at OneTrust
Cyber Security Hub: What obstacles keep risk functions such as governance, risk, compliance, and security from working together effectively?
Scott Bridgen: Inadequate communications within and between teams, departments and organizations, which leads to:
Lack of accountability: Assumptions that monitoring, performance management and corrective action were someone else’s responsibility.
Risk oversight: A culture focused on the organisation’s priorities to the detriment of key risks and also,
Information bias: An institutional culture which puts more weight on positive information than on information suggesting there is cause for concern.
CSH: What should they do to better align their efforts?
SB: Ongoing communication: Talk openly about their goals and barriers to execute – work together to help each other overcome barriers.
Understand interdependencies: Your team impacts others – yes, you might think that patching a server is a low priority, but for the compliance teams, who must evidence that data is secure, it’s the highest priority.
Be adaptable: Learn to embrace change, things don’t always have to be set in stone and if teams can flex to accommodate others, then working together will become easier.
Unified front: ‘Act as one, move as one’ when dealing with the ‘C Suite’ - must have each other’s back and ensure everyone is onboard. The same goes for training, do not silo yourselves when training on ‘risk language’.
CSH: Where does enterprise risk management fit in?
SB: Enterprise risk management (ERM) doesn’t fit in to a specific domain or task, it’s everywhere. Organizations start an endeavor to take a business opportunity, these are strategic enterprise level initiatives that should shape and inform how subsequent goals and tasks are executed to align the business. There is uncertainty about if the organization will take the opportunity or not. So, each endeavor has an associated risk. Enterprise Risk Management (ERM) is important because its success determines the health and life of the business enterprise. If an organization fails to identify risks to its existence (on a broader scale), it will be ill prepared to face any risk events.
ERM institutionalizes risk management procedures in the organization by standardizing the “master” objectives, and designates the tools, methodology, people and processes in monitoring associated risk.
“An ounce of prevention is worth a pound of cure.”
CSH: How can an enterprise risk management group or committee work most effectively with the more specific risk functions such as cyber security and compliance?
SB: By clearly setting the bar - Giving specialized teams a common initiative to work from and contribute to should be among the primary objectives for ERM committees.
CSH: How can IRM and ERM solutions help?
SB: ERM solutions can help align risk initiatives from specialized risk domains such as vendor, IT & cybersecurity, ethics or privacy to core strategic business goals. ERM solutions can also help to enhance visibility by providing aggregated and normalized calculations of quantitative or qualitative values collected across risk management activities to a holistic view of an organizations overall risk posture.
Integrated Risk Management solutions can also help enhance visibility by further extending connectivity, data collection and classification outside of traditional second and third-line risk and audit professionals to first line business activities. Given the digital nature of operations there is a huge opportunity for expanded oversight – and IRM solution can help “wrap” the data with the appropriate context to retain meaningful information through risk analysis to board reporting.
Business continuity comes back into sharp focus
Business continuity has always had a place in risk management, but it has not been given the same level of priority as it had during the Y2K frenzy, until recently. Although organizations have contemplated natural disasters, political unrest, and even pandemics, businesses around the globe were not prepared for the sudden and severe impact of the Covid-19 pandemic. Unlike the dot com bust and the 2008 financial crisis, the pandemic’s impacts have been both global and systemic, wreaking havoc in every industry. Companies such as Amazon suddenly found themselves scrambling to keep pace with a sudden spike in demand while others were forced to shut down temporarily as the result of executive orders. Now, business continuity is again a top priority because as recent history has shown, circumstances can change dramatically and almost instantaneously.
Also read: Business continuity managment for Governance Risk Compliance
With the pandemic hit, organizations had to pivot, change policies and alter the way the operate faster than ever imagined. They realize now that they need to be prepared to do the same thing again in the wake of the “new normal.” Given the complexity of the problem and all the functional areas the pandemic impacted, the business continuity function can no longer sit in a siloed department. It must be integrated into the first- and second-line business practices to ensure that decision makers and risk professionals have the ability to interpret signals that could prevent the company from meeting its objectives.
Conclusion
Businesses must have broad and narrow views of risks and those views must work in concert to anticipate threats and enable swift action. As organizations become increasingly digital, they have become more complex entities that involve more types of risks that must be dealt with swiftly and intelligently.
Organizational cultures and structures as well as the tools necessary to manage the expanding landscape of risks are all evolving simultaneously. Modern risk professionals from GRC and security to beyond must endeavor to collaborate as necessary to anticipate and manage the full scope of risks more effectively. There also needs to be an ERM function with visibility across the functions, so that risk gaps can be avoided, and more innovation can be enabled.