Governance, Risk Management And Compliance —Effectively Raising Risk Intelligence Culture

Since the early 2000s, several industry and government agencies have expanded their compliance rules that address companies’ risk management plans, policies, and procedures.

Image: What to Know: Supply-Chain Risk Management & Geopolitical Risk

Compliance officers are almost always under pressure from senior stakeholders to communicate as accurately as possible the status of compliance risks and controls in real time. Information about significant risks is collected and communicated throughout the organization in a timely manner, which allows staff, management and the board of directors to fulfill their responsibilities. While all three lines of business must work together to identify and mitigate risks, compliance experts must proactively identify and manage compliance risks and help the organization avoid potential violations of regulations or policies. Organizations need integrated risk views, formal risk management policies and coordinated responses to risk events, and tools to manage risk. To effectively manage risk, management and the board of directors need a practical approach to risk management and operational discipline to implement this approach at the company level. If an organization wants to manage risk effectively, risk management must be integrated into day-to-day business practices. While business leaders can help shape the desired culture, this alone does not guarantee the right day-to-day risk management decisions. However, proper structural and organizational choices, descriptions of roles and responsibilities, and appropriate definitions of organizational units and reporting lines are essential to ensure that business risk is managed reliably and effectively.

The mindsets and behavior of individuals and groups within an organization — not just a risk organization — play a critical role in the implementation of a company’s business risk management strategy. The goal must be to determine the most effective ways to integrate risk into their core management processes. A risk-based methodology helps companies rethink their corporate risk management so that the executive management and board of directors are equipped with appropriate information about risks and opportunities to support decision making in developing strategy and management effectiveness.

What is a risk intelligence culture?

A risk intelligence culture is characterized by aligning risk management with the organization’s strategy and promoting an integrated approach to risk management and insurance. A risk culture is the glue that combines all the elements of the risk management infrastructure, reflecting the common values, goals, practices, and strengthening mechanisms that incorporate risk into organizational decision-making and governance. A risk culture also is the cornerstone of balancing the inevitable tension between creating corporate value through innovation and efficiency on the one hand, and protecting corporate value through risk appetite and risk management on the other hand.

Image: Why Location Risk Intelligence and Monitoring are Crucial to Modern Business

To be successful, companies need to adopt a top-down approach to risk and compliance management, and create a risk awareness culture. A culture that promotes effective risk management encourages openness, bottom-up communication, the sharing of knowledge and best practices, continuous process improvement, and a strong commitment to ethical and responsible business conduct. Transforming sentiment into a strong culture of risk requires employees to be clear about how their decisions and actions affect the broader mission of the company. The right tone emphasizes high ethical standards and a culture of compliance, but it must be balanced with a message that allows managers to take appropriate risks in pursuit of short- and long-term business benefits. Consider the impact of changes in strategy and organization, as well as the occurrence of external events, including changes in the regulatory framework, when assessing the need for changes to strengthen the culture of risk. After completing an initial assessment of the current risk culture, executive management should consider the need for organizational change and take steps to implement it as directed by the board. In contrast, risk management, corporate governance, and compliance are all in an integrated risk management process. As a result, risk management plans increasingly include business processes to identify and control threats to their digital assets, including private business data, personally identifiable information (PII), and intellectual property. Responses to risks are usually based on their perceived severity, including control, prevention, acceptance or transfer to third parties, while organizations usually manage a wide range of risks.

Define a composite risk profile appropriate for the digital age

Although interpreted differently by different organizations, GRC typically covers activities such as corporate governance, corporate risk management (ERM), and corporate compliance with applicable laws and regulations. Disciplines, their components and rules must now be brought together in an integrated, holistic and enterprise-wide way (the three main characteristics of GRC) — in accordance with the (business) operations managed and supported by the GRC. Both the culture and the tools used by risk and compliance teams are changing with IRM to increase transparency and standardization across the organization. Incorporating more sophisticated quantification and monitoring capabilities into a company’s day-to-day strategy implementation and focus on significant risks and opportunities can help management define a composite risk profile appropriate for the digital age. Also of significant value is an integrated compliance data model that can offer a contextual view of risk, that is, in terms of its relationship to other risks, as well as controls, regulations, policies, functions and objectives. Technology can increase stakeholder risk awareness by providing transparency of risks across the organization and consistent and reliable data on the potential impact of those risks. This ability to understand and control risk enables organizations to have greater confidence in their business decisions. However, in more and more cases, CEOs and business leaders are taking a more proactive stance, as their goal is to further develop risk management skills (based on their strategic and economic priorities and increasing levels of aspiration). Ultimately, they are able to gain a real competitive advantage and increase company value while taking risks into consideration. For example, the ISO 31000 principles provide a framework for improving risk management processes that can be used by companies regardless of the size of the organization or target industry. Although ISO 31000 cannot be used for certification purposes, it can help provide guidance for internal or external risk audits and enable organizations to compare their risk management practices with internationally recognized benchmarks.

Image: Integrated Risk Management Approach

Integrated solutions can also help organizations define and link key elements of compliance, such as objectives, processes, risks, controls, and rules. For example, an organization may need to comply with new data privacy regulations (compliance activities) that help reduce IT risks (asset risk management activities) and certain internal data protection controls (corporate governance activities). When there is no collaboration or integration between different compliance departments, whether it is policy management, compliance risk management, regulatory change management, compliance case management, or regulatory reporting, there will be a lot of work and data duplication.

 Further reads

• What is GRC? https://www.servicenow.com/products/governance-risk-and-compliance/what-is-grc.html
• GRC (Governance, Risk, and Compliance): The Definitive Guide https://riskonnect.com/resources/grc-guide/
• The Importance of Risk Culture by Jim DeLoach https://www.corporatecomplianceinsights.com/the-importance-of-risk-culture/
• Enterprise Risk Management and Risk Culture by Cindy Levy, Uwe Stegemann, Olivia White and Hans Helbekkmo https://www.mckinsey.com/business-functions/risk-and-resilience/how-we-help-clients/enterprise-risk-management-and-risk-culture
• A Risk Intelligent Approach to Risk Governance by Cynthia Vitters, Ryan Morgan and Gerald Andriole https://deloitte.wsj.com/articles/a-risk-intelligent-approach-to-risk-governance-01549418534
• Revamping Risk Culture in the Digital Age https://www.protiviti.com/US-en/insights/bpro121
• What is risk management and why is it important? by Linda Tucci https://searchcompliance.techtarget.com/definition/risk-management
• 7 Steps to Create a Risk-Aware Culture by Roger Dunkin https://www.treasuryandrisk.com/2020/09/21/7-steps-to-create-a-risk-aware-culture/
• Corporate Culture and Risk Management by Ian Waxman https://www.riskmanagementmonitor.com/tag/risk-culture/