BWise
Four Steps to Incorporate Risk Management into Your Organization
Figure 1. Overall project methodology: business/management goals drive four steps (1 Design, 2 Define quick wins, 3 Roll out, 4 Sustain), aligned by "communicate" and "educate" activities and supported by technology.
A successful risk management program calls for a pragmatic approach. The critical starting component is a set of
clear and realistic business and management goals. The program is aligned through communication and education
and supported by technology (Figure 1). These pieces are interrelated. Moreover, notice that the approach is
iterative: always evolving to leverage leading practice and to jettison those practices that aren't adding value.
Author: Ladd Muzzy, Principal at Nasdaq BWise
Four primary principles
Tactically, the approach includes four primary principles:
1) Design
2) Define quick wins
3) Roll out
4) Sustain
This document explains these principles and how they can assist in developing and implementing a risk management
program in your organization.
Step 1: Design
Design pertains to developing the methodology, philosophy, and governance structure for managing risk.
Critical Success Factors:
• Understanding and leveraging existing approaches to managing risk throughout the business and support
functions (e.g., compliance, finance, legal, HR, audit, etc.)
• Understanding and adopting, as appropriate, leading practices
• Using existing risk and executive committee meetings to discuss risk management topics
• Determining escalation protocols (who needs to know what, when, and how), including both internal and
external constituents (e.g., regulatory agencies, communities, customers, etc.)
• Clearly defining the boundaries and scope of risk management across the organization
• Establishing a common library and definition of risk
• Understanding and developing the supporting technology and software platform
A fallacy that many organizations fall into when developing their risk management program is to ignore the
activities already in place within the business and the supporting functional areas (the first and second lines of
defense, respectively). Now is the opportunity to codify these approaches, determine where there may be gaps,
and create an approach that centralizes a common view.
Moreover, there are opportunities to bring risk and risk management discussions into routine organizational
conversations. This includes making risk a formal agenda item at Board of Directors' meetings. Executive and
audit committee meetings need a summarized view of the risk profile and a clear understanding of the metrics
that explain variances against risk appetite and tolerance levels and how they change over time. Many
organizations create separate risk committees or task forces that focus on the salient risk details: analyzing root
causes, tying risks to processes, and developing and monitoring actions to address risk threats or capitalize on opportunities.
A clearly articulated and documented governance structure, supported through policies and procedures is a critical
success factor to establishing the foundation for the risk management program.
A result of these discussions is to assure that unwanted risk exposures are escalated. The diversity of these
committees, task forces, etc. ensures that there is a holistic discussion about risk including having a business and
functional point-of-view. This produces consensus on the risk’s exposure and any supporting decisions on capital
and/or resource actions to address the risk.
One organization, and not an atypical one, managed risk on a siloed basis by function: HR, legal, procurement,
finance, etc. Each had its own approach to identify, assess, manage, and report on risk, and each had a separate
GRC (Governance, Risk, and Compliance) technology supporting its process. Because the company was comparing
risk on an "apples to oranges" basis, it wasn't able to take advantage of potential economies of scale when investing
in controls and allocating resources. In the end, risk data was disconnected, inconsistent, and un-actionable,
creating confusion when discussed at Board and audit committee meetings.
Establishing a common library and definition of risk is essential to the success of a risk management program.
You must ensure that when someone discusses a risk, they do so on a consistent basis. This does not mean that a
particular business or function can't have its own view of how critical a risk may be; after all, each business and
function is incentivized to achieve its own objectives. However, it is critical to define risks in such a way that they
can be aggregated into a single view across the organization.
Notifying and communicating with external constituents should also be considered. This includes reporting on risk
topics to groups such as regulatory agencies, the community, customers, external audit, advocacy groups, etc. This
is important given the proliferation of social media, where news, good or bad, spreads almost instantaneously.
All constituents want assurance that a risk management program is in place, that concerns are being addressed,
and that risk is being managed on an ongoing basis.
It is essential to have a software solution that enables and supports the risk processes. More and more data is
created as the program matures, and it becomes necessary to ensure that the storage, analysis, mining, monitoring,
and reporting of this data is done efficiently and in a timely manner. Thinking about and evaluating the software at
the outset makes implementation easier. A common mistake is feeling that there needs to be a "big bang" approach
to technology, where everything is done all at once. Trying to meet all of your technology and software needs at
once would not only take a great deal of time, but would also fail to deliver the "quick wins" necessary to justify
the efficacy of the program. Get your program started and establish a project plan with clear, short-term milestones.
This will allow your program to evolve and mature while simultaneously enabling you to meet your implementation
goals.
Step 2: Define Quick Wins
Understanding where there may be challenges in implementing the risk management program and defining quick
wins will ensure a greater likelihood of long-term success. One way to do this is by piloting, or testing, the program
in an area. This accomplishes a few things:
1. It provides the ability to understand the program's design and its relevance to the area adopting the framework
2. It allows for a feedback mechanism to improve the program
3. It provides the opportunity to monitor and report on the risk profile
A successful pilot program is one that is implemented within an area that is amenable to the project and has a core
foundational understanding of risk, risk management, and the goals of the program. Risk “evangelists” are recruited
to help spread the message from risk management into the area. This ensures there is ongoing communication and
relevance to the area/business.
Acceptance of the risk management program should involve communication and project management.
Communication from leadership should continue on the purpose of the risk management program, employee
expectations (time, activities), and the program's goals. Typical project management skills (resources, timing,
milestones, etc.) are an obvious part of ensuring the pilot project is done on time, within budget, and meets
expectations. For example, when tackling technology:
• Get buy-in: ensure that user feedback is translated into configuration possibilities. This is usually accomplished
through workshops where there is an opportunity to vet the program and solution and to bring uniformity to
the process.
• Dashboards and reporting: finalize what management needs to see in order to opine on the risk profile
and how risk data will support those requirements. Focus should be placed on the risk taxonomy, the area's
objectives, the processes, risks, and controls. Dashboards and reports should be actionable and clearly show
any changes in risk to help drive concrete actions.
• Secure application and technical support in order to identify and remedy potential IT infrastructure issues.
• Train staff appropriately. Give them the tools and resources necessary to answer any questions or concerns
that arise. Provide feedback on the program, how it is meeting its objectives, how the information is being
used, and how it is maturing. Enable the business to take ownership of risk and show how the program is
enabling the achievement of the area's objectives.
Figure 2. Risk Dashboard
Taking a pragmatic approach towards end users, and asking them to collaborate by trying out the initial design in a
post-implementation optimization phase, allows that first user experience to be tested and evaluated.
Step 3: Roll-Out
Successful completion of the pilot indicates that the program can be rolled out throughout the organization. The
lessons learned from the pilot should provide recommendations and possible enhancements to the program. Continued
buy-in remains important. Further vetting of the program, its objectives, and expectations should be communicated
to management. Their buy-in, and reinforced communication of that buy-in to the business, remains critical.
The aforementioned success factors in the design section become more pertinent as the implementation begins.
Established governance models are supplied with reports and supporting communication from the business on the
status of current risk issues. Past risks are reviewed in terms of their management, mitigation (including insurance),
capital spent, and benefits (e.g., reduction in exposure) from those capital investments. Current topics of interest
to the organization, industry, and/or business community (e.g., cyber threats) are discussed through scenarios of
how those potential events may affect the organization. Policies codify expectations and are monitored for
exceptions and reinforced through the second line of defense.
Figure 3. Risk Overview
Risk data will need to be stored in a software solution. Business requirements and expectations will begin to be
documented as the methodology is adopted. Although many organizations feel a bespoke solution is needed, an
"off-the-shelf" technology provides the necessary components to implement and sustain the methodology. Considerations
include bringing in delivery best practices, including a configurable platform and short technical upgrade times. A
"change board" made up of key employees should be created to ensure the governance of the methodology and the
supporting system are meeting needs and objectives.
Risk dashboards and reports help visualize the risk profile. The information therein not only maps to the risk
taxonomy of the organization but also reflects the organization's make-up (e.g., by business, function, risk type,
etc.). Additionally, the ability to delve into a risk's detail will enable the first and second lines to understand how the
risk is manifesting itself as a particular exposure. This can be done, for example, by tying a risk to a key process
in the value chain. Regardless of the approach, aggregating and disaggregating risk allows the business and the
functions to understand the risk profile and make informed decisions about whether and how to treat a risk.
Step 4: Sustain
Sustaining the risk program remains a challenge as the business needs to understand and strike an optimal balance
between creating value and maintaining conformance. Expectations of how capital is expended (CapEx) will be
evaluated. There should be the expectation that if there is CapEx to manage/mitigate a risk, that the risk’s exposure
will be reduced over time. This change should be measured as one way to show the value of managing risk.
There are a number of compulsory expectations for managing risk as well. Laws and regulations dictate what needs
to be done within the organization. Meeting them avoids such things as:
• Regulatory fines
• A Memorandum of Understanding (MOU) that may, in certain circumstances, stunt organizational growth by
constraining a merger or acquisition.
Technology too plays a crucial role in sustainability. Embracing a slowly expanding approach will pay dividends.
Think big, start small, and then scale up. This will enable individuals to understand and adopt the technology,
support quick wins, allow for flexibility to changes in the framework, and reduce exposure.
For example, a large financial services organization moved to a single technology platform for its risk management
activities from three separate systems. There was a temptation to discard all three at the same time, but instead
the company took a phased approach utilizing the new system in the risk management function as the start.
The company's taxonomy and approach were entered into the system, and data was utilized effectively through
dashboards and reports to report changes in the risk profile to management for action. Eventually, the technology
was utilized by other functions such as information technology and operational risk management with great success
as the common platform made the aggregation of data useful for companywide decisions.
Regardless of whether your stance is to add value or avoid adverse consequences, communication and education
remain fundamental to the risk management program’s longevity. To reiterate, there are a number of important
communication protocols:
• Affirmative support from executive management
• Understanding and buy-in from management
• Employee "marketing" on the ease of use and implementation
• Benefits of managing risk and reducing unwanted exposures
• Sharing leading practice and potential pitfalls
Education remains important as well. Beyond learning the methodology and the technology, resources are needed
to answer and address questions regarding execution. Escalation mechanisms also need to be constantly reaffirmed
to ensure that harmful risks are addressed as quickly as possible, rather than merely creating awareness in periodic
reporting. Education should also be built into learning modules, whether classroom or online, that reinforce the
framework and governance structure, and it should be part of onboarding for new employees.
The governance structure provides the backbone for a sustainable risk management program. This includes defining
the roles and responsibilities for support functions (e.g., risk management, vendor management, compliance, human
resources) as well as oversight (e.g., executive and risk committee(s), and the Board of Directors). Tactically, policies
and procedures lay out the expectations of the business to ensure that activities support the risk management
philosophy. Technologically, data governance remains critical to ensure that the organization is making "apples-to-apples"
comparisons across the organization. These structural elements extend a common risk and control
taxonomy, assuring that managing and reporting risk is done on a consistent basis.
Organizations are faced with creating and demonstrating that their risk management program is adding value and
embedded within the organization – that it is living, breathing, and adaptable as the business morphs to respond to
opportunities and competitive pressures. The framework will mature as well, which is why it is an iterative process.
Leading practices need to continue to be explored and incorporated into the approach while activities that aren’t
working should be removed. All this is accomplished through an active communication and education campaign.
Finally, technology and software supports the entire approach and enables the business to be efficient, effective,
and timely to opine on and support the risk profile.
Ladd Muzzy is a principal at Nasdaq BWise. He has over twenty years’
experience in developing, implementing, and coordinating risk management
programs. He has held senior corporate (Bank of Montreal, Barclays,
Capital One) and consulting leadership risk management positions. Many
of his experiences involve evaluating an organization’s risk management
philosophies and current practices to move them to leading practice. Ladd
can be reached at [email protected]. To read more from Ladd Muzzy
and our other GRC experts, follow us on LinkedIn: https://www.linkedin.com/
company/bwise
Nasdaq BWise is a global leader in enterprise Governance, Risk Management, and Compliance (GRC) software, with
a strong heritage in business process management. BWise delivers a truly integrated and proven GRC platform. This
platform enables an organization to track, measure, and manage key organizational risks in one integrated system.
BWise provides solutions for the GRC needs of hundreds of customers worldwide across all industries.
BWise® GRC Platform
BWise offers multiple role-based software solutions for Risk Management, Internal Control, Internal Audit, Compliance & Policy Management, Information Security and Sustainability Performance Management. Each solution
derived from the BWise integrated Governance, Risk management, and Compliance Platform supports the end-to-end process of a given role.
About Nasdaq BWise
Contact Information
Nasdaq BWise is a global leader in Enterprise
Governance, Risk Management and Compliance
(GRC) software. Based on a strong heritage in
business process management, the BWise® GRC
Platform provides companies with highly-rated,
proven software solutions for Risk Management,
Internal Control, Internal Audit, Compliance &
Policy Management, Information Security and
Sustainability Performance Management.
Nasdaq BWise has sales, service and support offices
worldwide. To contact us at our local offices
in Asia, Australia, Europe and the United States,
visit www.bwise.com/offices.
BWise’s end-to-end solutions support an organization’s
ability to understand, track, measure, and manage key
organizational risks. Nasdaq BWise helps companies
truly be in control by balancing performance with their
financial and reputational risks, improving corporate
accountability, increasing financial, strategic and
operating efficiencies. Using BWise, organizations
are able to efficiently comply with anti-corruption
regulations like FCPA and the UK Bribery Act, the
Sarbanes-Oxley Act, European Corporate Governance
Codes, ISAE3402/SAS-70, PCI-DSS, Solvency II, Basel II
and III, Dodd-Frank, ISO-standards, and many more.
Nasdaq BWise sales, service and support offices around
the globe provide for the GRC needs of hundreds of
leading companies worldwide. For more information,
visit www.bwise.com.
Legal Notice
This document may be part of a written agreement between BWise and its customer, in which case the terms and conditions of that agreement apply hereto. In the event
that this document was provided by BWise without any reference to a written agreement with BWise, to the maximum extent permitted by applicable law this document
and its contents are provided as general information ‘as-is’ only, which may not be accurate, correct and/or complete and BWise shall not be responsible for any damage or
loss of any nature related thereto. All rights are reserved. Unauthorized use, disclosure or copying of this document or any part thereof is prohibited.