Senior Product Manager
Mitigating risks is a daunting task. Beyond Sarbanes-Oxley, organizations are wary of increased governance risk due to new regulatory actions, corporate litigation, demands of corporate social responsibility and stakeholder pressure. Reputational risks are also mounting due to increased media exposure of privacy breaches and misuse of funds. In addition, financial and operational risks are top of mind for boards due to the challenging economic environment and the necessity to become as efficient as possible. The mounting complexity and sheer number of risks are challenging organizations of all sizes to rethink their risk management strategy.
Traditional risk management was predicated on a reactive approach. As a critical risk was uncovered, it became the “problem du jour,” task forces were created, and action was taken in a quick and focused manner. After a while, the task force was disbanded and monitoring controls were implemented to ensure their mitigation work was continued. Sarbanes-Oxley is one of the best universal examples of this approach. Typically, during the first two years of SOX compliance, most companies treated SOX as a “project” led by a project management office, and resources were specifically carved out of the organization and dedicated to the cause. In years three, four and five, companies were able to transition to “process” mode, in which SOX became integrated into the daily responsibilities of process and control owners and testers.
Most companies have recently applied this same approach to other initiatives such as PCI, the Red Flag Rules in the FACT Act, etc. However, this approach is neither sustainable nor cost efficient. There are simply too many regulations and internal and external risks facing today’s organizations for companies to respond to each one in this manner. It is not effective to remove individuals from their day-to-day responsibilities to focus on such projects, or to hire consultants to address the issues without retaining the knowledge in-house.
Rather, I propose that organizations need to manage risk through an integrated platform approach with strong connections between risk managers and compliance officers. Incorporating a flexible methodology and process for risk management into all levels of the organization will help companies react to new risks and monitor those identified in the past. This will further enable companies to react without additional burden, immediately gain process efficiencies and make better decisions. Taking a bit of time up front to implement a framework and tool for integrated risk management can make this a reality.
Building a Risk Inventory
Integrated risk management must start with a risk inventory (also called a risk register): a listing of all risks facing the organization, including strategic, financial, operational and regulatory threats. The COSO Enterprise Risk Management Integrated Framework defines a risk in terms of an event that adversely affects the achievement of an objective. Thus, the risk inventory must be linked to the company’s objectives and its governance model. Cataloging all of the company’s risks in one inventory forces consistency in documentation and evaluation methodology. This enables management to quickly spot trends, aggregate risk data and make better decisions about the allocation of resources when it comes time to mitigate the identified risks.
It is difficult for some organizations to identify the threats to be registered in the risk inventory. There are two common approaches, and best-in-class programs leverage both. First, a top-down objectives approach can be utilized. This includes examining issues identified in the corporate governance structure, such as matters in front of the board of directors for review, corporate policy exceptions, regulatory and internal audit findings, and whistleblower reports. All such observations qualify as risks because they have been identified as breaches of the governance program and are thus threats to corporate objectives.
Second, a bottom-up survey approach can be leveraged. This includes launching questionnaires to various levels of lower-level management within all operating and corporate functions to gain an understanding of what is top of mind. What is keeping them up at night? What internal or external forces do they feel could threaten their success? Pointed questions for specific roles should also be included, such as asking IT professionals about known network vulnerabilities or asking operational managers about environmental, health and safety concerns. The results from such surveys can easily be correlated and analyzed for trends. All matters consistently identified by line-level management must be included in the risk inventory: these are the front-line personnel, and they tend to identify risks more quickly than the board.
Most importantly, the risk inventory must not be allowed to become stale. The listing must be constantly updated and refreshed with the latest content. In working with one large financial institution, I discovered that their risk inventory included results from an IT manager survey conducted over five years earlier. Issues were identified regarding the company’s mainframe computing environment, which was no longer in use. It’s great that they were collecting managers’ risk data, but not keeping the information updated caused the entire listing to be discredited by the organization.
Inherent Risk Evaluation
As mentioned previously, one reason for collecting all risks in one inventory is to enable managers to make better decisions about the allocation of mitigation resources. This can be accomplished by evaluating all risks on a common scale. Typically, risks are measured by determining inherent and residual risk ratings, where inherent risk is the combination of the potential impact of the threat on the organization and the likelihood of its occurrence. The definition of residual risk varies across organizations but is typically viewed as the inherent risk reduced to account for the compensating controls that are in place and any mitigation efforts under way.
I have worked with numerous Fortune 500 companies on a range of governance, risk and compliance initiatives, and I have witnessed a wide variety of methods for evaluating impact and likelihood. Some have used a three-point (low, medium and high) qualitative scale, while others have utilized statistical analysis of materiality and historical loss data in conjunction with risk modeling techniques such as Monte Carlo simulation. The trend that I have seen is the existence of a risk rating maturity model. Companies with less mature risk management programs have begun by utilizing a simple qualitative approach and have moved to a more mature quantitative approach as better data becomes available and the need for sophistication arises.
The best approach for companies is to leverage the risk rating maturity model. First, companies should start quick and easy by implementing a 3 x 3 scale by which risk managers are asked to qualitatively rate the impact and likelihood of all risks as low, medium or high. Next, individual risk managers should be asked to identify the factors they consider when performing that evaluation. Those factors should be examined to determine whether they could be quantified, allowing the evaluation to be automated. This should be done on a risk-by-risk basis, as what works for one risk will not work for the rest. The end result of the evaluation should still be a consistent 3 x 3 or 5 x 5 heat map of each risk. This enables the prioritization that management needs to understand the severity of the risks and which to attack first.
Residual Risk Evaluation
The residual risk rating is typically much easier for companies to evaluate because it can be based on data that already exists in the organization. Once the inherent risk rating has been established by evaluating impact and likelihood, mitigating controls should be identified for each of the critical risks. Appropriate mitigating controls are those whose operation will limit the impact of the threat on the organization and/or the likelihood of its occurrence. Potential sources of such controls include the risk and control matrices used for SOX compliance and regulatory compliance reports such as PCI, FFIEC, etc.
However, one mistake I have seen all too often is treating the identification of a mitigating control as sufficient. It is not: the operating effectiveness of the control must also be taken into account when evaluating how much it actually mitigates the identified risk. A control that exists on paper but fails its test provides no reduction. SOX and regulatory compliance testing results should be integrated with the risk management evaluation to provide this information. By integrating risk and compliance, the risk data becomes significantly more accurate and reliable, and the residual risk can be adjusted automatically whenever the mitigating controls are tested and new conclusions are recorded. This also dramatically increases the value of the SOX documentation, enabling it to be leveraged for strategic purposes.
Undoubtedly, a certain level of residual risk will remain. Some risks may have no mitigating controls, or the controls that have been identified may not be operating effectively. These remaining risks can be prioritized based on the related corporate objectives and regulations in conjunction with the inherent risk ratings. This enables management to prioritize the mitigation of those risks.
The actual mitigation typically takes one of four forms. First, a company may elect to reduce the risk: a remediation plan is designed, implemented and managed. Since most companies are very adept at deficiency management processes due to SOX and other regulations, it is simple to plug risk reduction projects into this process. Second, a company may transfer the risk via insurance or other cooperative arrangements. Third, the company may elect to avoid the risk by removing the cause of the threat. If the risk is that workers’ compensation claims are rising too quickly due to safety problems at one particular plant, it may be appropriate to shut that facility down, thus avoiding the risk. Fourth, some risks may be too expensive or impossible to mitigate. These risks are accepted and monitored over time to ensure the impact and likelihood remain stable.
Like the identification of risks to include in the risk inventory, the evaluation of the risks and selection of mitigation response techniques must be performed on a continuous basis. Typically, I have implemented quarterly monitoring assessments to re-evaluate inherent risk and provide updates on the status of risk mitigation. This continuous refresh of the risk register will further cement its strategic value in the organization.
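The following is an added illustration of the evaluation described in the inherent and residual risk sections above, together with the staleness check from the risk inventory section; it is example code written for this page, not an Archer product feature or any organization's methodology. It models a small register on the 3 x 3 scale, credits a mitigating control only when its most recent compliance test concluded it operates effectively, flags entries that have not been refreshed within a quarter, and prioritizes by residual then inherent score. The numeric mapping of low/medium/high, the rating bands, the "one level per effective control" credit rule, the 90-day refresh window and all risks, controls and test dates are constructed assumptions.

```python
"""Integrated risk register, added example (not from the original article).
Assumed model: low/medium/high map to 1/2/3; inherent = impact x likelihood;
each control whose latest test is effective lowers the factor it targets by
one level (floor 1); ratings band a 1..9 product; 90 days = stale.
All risks, controls and dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed numeric mapping


@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    reduces: str  # "impact" or "likelihood" (assumed modelling choice)


@dataclass(frozen=True)
class ControlTest:
    control_id: str
    tested_on: date
    effective: bool  # operating-effectiveness conclusion from SOX/PCI testing


@dataclass(frozen=True)
class Risk:
    risk_id: str
    objective: str
    impact: str
    likelihood: str
    control_ids: tuple
    last_refreshed: date


def rating(score: int) -> str:
    """Band a 3 x 3 product (1..9) into low/medium/high; thresholds assumed."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def inherent_score(risk: Risk) -> int:
    return LEVELS[risk.impact] * LEVELS[risk.likelihood]


def latest_results(tests):
    """Most recent test per control; an older effective result must not
    outweigh a newer ineffective one."""
    latest = {}
    for t in tests:
        cur = latest.get(t.control_id)
        if cur is None or t.tested_on > cur.tested_on:
            latest[t.control_id] = t
    return latest


def residual_score(risk: Risk, controls: dict, tests) -> int:
    """Credit only controls whose latest test is effective; untested or
    ineffective controls leave the inherent factors unchanged."""
    latest = latest_results(tests)
    impact, likelihood = LEVELS[risk.impact], LEVELS[risk.likelihood]
    for cid in risk.control_ids:
        t = latest.get(cid)
        if t is None or not t.effective:
            continue
        if controls[cid].reduces == "impact":
            impact = max(1, impact - 1)
        else:
            likelihood = max(1, likelihood - 1)
    return impact * likelihood


def stale_risks(risks, as_of: date, max_age=timedelta(days=90)):
    """Entries not refreshed within a quarter (the assumed refresh window)."""
    return [r.risk_id for r in risks if as_of - r.last_refreshed > max_age]


def prioritize(risks, controls, tests):
    """Highest residual first; inherent score breaks ties."""
    return [r.risk_id for r in sorted(
        risks, key=lambda r: (residual_score(r, controls, tests), inherent_score(r)),
        reverse=True)]


def build_sample():
    """Constructed sample register (not real data)."""
    controls = {
        "C1": Control("C1", "Monthly external vulnerability scan", "likelihood"),
        "C2": Control("C2", "30-day patch SLA for internet-facing hosts", "likelihood"),
        "C3": Control("C3", "Plant safety training and inspections", "impact"),
    }
    tests = [
        ControlTest("C1", date(2024, 3, 1), True),
        ControlTest("C2", date(2023, 9, 15), True),
        ControlTest("C2", date(2024, 3, 10), False),  # newer result supersedes
    ]
    tests.append(ControlTest("C3", date(2024, 2, 20), True))
    risks = [
        Risk("R1", "Protect customer data", "high", "high", ("C1", "C2"), date(2024, 4, 15)),
        Risk("R2", "Safe operations", "medium", "high", ("C3",), date(2024, 5, 1)),
        Risk("R3", "Reliable batch processing", "low", "medium", (), date(2018, 11, 30)),
    ]
    return risks, controls, tests


if __name__ == "__main__":
    risks, controls, tests = build_sample()
    for r in risks:
        print(r.risk_id, rating(inherent_score(r)), "->", rating(residual_score(r, controls, tests)))
    print("stale:", stale_risks(risks, date(2024, 6, 30)))
    print("priority:", prioritize(risks, controls, tests))
```

Note that R1 keeps a high residual rating even though two controls are mapped to it: only C1 earns credit, because C2's latest test concluded it is not operating effectively. R3 is the five-year-old mainframe-style entry from the inventory section and is flagged stale rather than silently kept in the prioritized list.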
Utilizing a Risk Management Tool
Every Fortune 500 organization I have worked with started this risk management journey by using Microsoft Excel as the repository for their risk inventory and evaluation. As in the case of SOX, all quickly came to the conclusion that spreadsheets are not the answer. Many then acquired risk management point solutions, which are very good at calculating risk ratings and categorizing the inventory. However, this is still not good enough. Rather, a GRC solution is a requirement for effective risk management.
A GRC solution enables the operation of several governance, risk and compliance processes in one common platform. Users can leverage and relate data from one process to another. As we discussed, it is instrumental to link the risk inventory to the corporate governance program, relate risks to mitigating controls and the test results of those controls, and manage the mitigation of risks alongside the remediation of all other deficiencies discovered in SOX, internal audit and regulatory compliance audits.
A GRC solution includes policy and objective management, compliance management and deficiency management processes, and it permits the inter-relationship of all of these programs, which together can be made more effective as a result. In addition, some GRC solutions provide a flexible platform enabling management to adapt the system over time. As we discussed, it is important to leverage the risk rating maturity model, starting with simple risk evaluation and moving to more complex models over time. A flexible platform that can be easily modified by the business owners rather than IT is required for such an approach. Selecting the proper tool will be a critical success factor in the organization’s risk management program. The solution should allow the company to leverage data that already exists in new ways and be flexible enough to grow with the company over time.
Unfortunately, risks are all around us and they are not going away. In order to effectively manage risks, companies must adopt an integrated platform approach to risk management rather than the traditional reactive “project” mode of operation. This integrated platform approach begins with a risk inventory of all potential threats to the organization, sourced using top-down and bottom-up data collection techniques.
Risks are then evaluated for impact and likelihood to determine an inherent risk rating. The rating is determined by employing a risk rating maturity model based on evolving the complexity of the rating from qualitative to quantitative measures over time. The residual risk rating is then determined for each risk based on the existence of effective mitigating controls and the status of mitigation response techniques.
The effectiveness of controls should be based on the compliance testing already taking place throughout the organization, thus linking risk and compliance. The risk inventory and related evaluation form a simple process but require an effective tool to manage the data. A GRC solution is the appropriate selection, as it can link data that already exists in other processes and enable the evolution of the company’s methodology over time.
This approach to risk management ultimately is focused on delivering a highly scalable platform by which new risks and regulations can be responded to in the appropriate manner that best fits the threat they represent. It also provides management with key risk data to utilize when making better business decisions.
A seasoned finance professional, David Walter provides expert insight into compliance and risk challenges. Walter currently serves as senior product manager for Archer Technologies, a provider of enterprise governance, risk and compliance (GRC) solutions, where he directs the vision of all GRC solutions including Risk, Vendor, Compliance and Audit Management. A CPA, he formerly served a diverse set of public and private companies, with roles including director of internal audit, CFO and vice president of finance.