The next phase is that people want to standardize. This is typically a corporate desire. Corporate is tired of the concerns that keep it up at night and it wants to produce more meaningful results, benchmarks and trends. For this to be accomplished, some level of standardization is required. The rigorous way of doing this is to enforce one model onto the organization. This is a great way to transfer the sleepless nights from corporate to local entities (with the expected boomerang back to corporate). Recognition at the local level is low, as business processes tend to be different.

Now, reality is much more complex than this, too complex for a simple blog. Standardization means different things for business processes, for risks, for controls, for objectives. Business process standardization is a great thing, but not very easy, and quite a different project than a basic risk or compliance project.

Business process standardization, when done properly, brings profound value to the company and drives performance and continuous transformation. Unfortunately, it is only one or two steps up the maturity ladder in the GRC world; definitely the way to go, but few companies are there yet.
Risk standardization is a great thing. It ensures proper reporting and aggregation. Care should be taken that risk management doesn’t become an exercise to satisfy corporate reporting needs, rather than an embedded way of working in the business, the first line of defense.

Control standardization is the coolest thing. This is where most money can be saved. Note that controls standardization or convergence is not the same as controls reduction (because that increases risk levels per definition). Care should be taken that controls are specific enough to deal with the actual risk.

Local versus central; always a balancing act, and the balance can be different in any two companies.

Ps.If you read this blog after April 12, please contact our marketing team. The webinar is recorded.

The challenge is of course we don’t know what we don’t know. Consequently, we also don’t necessarily know that it’s too good to be true when we actually believe it is good. I know this for a fact, because I have ample experience with buying classic cars, overexcitedly.

This is related to the ability of people to assess risks. Risks further in the future are generally assessed lower than reality, whereas closer risks are assessed higher. This effect is evolutionary and beneficial. The effect enables entrepreneurs to think they have a great idea that will make them rich overnight,  while it doesn’t tell them all the horror they will face. On the shorter term, the effect also stimulates running away from scary tigers when they come too close. A risk manager should know all this, and should help dampen the effect. Help understand the risks and know when it’s too good to be true. And be especially wary when the positive effect is far in the future, because then we tend to be too rosy. If only I knew all of this when I bought that Riley several years ago. Since I sold it, it has continued its devastating path throughout Europe; the effect seems to be omni-present!

This becomes even more difficult with qualitative risks. The reputation risk appetite on all sorts of topics will perhaps be very low, but it should be realized that even the smallest entity can witness an event with devastating reputational impact, just like the largest one. So, risk appetite for this should be viewed at a corporate level. This may mean that risk tolerances would need to be set at (near-) zero tolerance for all entities, in order to prevent risks being taken that are higher than the overall risk appetite. In itself, it is an indication that the organization has become so large that its size has made it more vulnerable for risk events with a reputational impact. Perhaps, this effect is also the reason why large organizations are considerably less agile than smaller ones. Organizations need to ensure that the risk tolerances they set this way do not freeze business, while there is a considerable risk in doing so the more detailed an organization becomes.

So, having some sort of system in place to monitor risks at a corporate level becomes crucial, more so than micro-managing all decisions in the organization. In addition, monitoring risks at a corporate level means that there needs to be a clear and defined way to roll-up risk monitoring results from all the entities. With that in mind, the discussion on risk appetite and risk tolerances will add a lot of value to today’s business conduct.

See previous blogs on this topic, some of which include thoughts on risk targets (where do we want to be). There are multiple ways to prioritize risk; there is no best way. Risk prioritization needs to fit a particular organization’s needs and a particular situation. Perhaps, at an enterprise-wide level, detailed IT risks need to be assessed differently than strategic risks.          

But don’t forget: putting risks on a heat map is about creating awareness and setting priorities. It is basically about risk response: what do you do now that you have an understanding of a potential risk event. Do you accept it, do you stop facing this risk, do you strengthen your control measures, or, perhaps, do you find a way to transfer the risk, in order to ensure it is properly handled?

It is not about actually putting a true business value behind the risk; for this, more information on a risk is required – and you would need a more quantitative assessment.

Inherent (or gross) risk is the level of risk if all the measures and controls were failing. Often this is also the worst case scenario for this risk, as a simple rule of thumb.
Residual (or net) risk is the level of risk with all the measures and controls in place.

Think of the risk of the office building burning down. We have fire alarms and we have fire extinguishers, both measures to mitigate the risk. The inherent risk is probably assessed as the entire building burning down, say a value of 4M Euro with a certain likelihood, say once every twenty years. This is a pretty high risk, as it is likely to happen sometime during your career in that building. The measures that are taken will reduce this risk to a likelihood of once every fifty years and an impact of 200k, because the fire will be contained in a smaller area.

We now immediately see why it is important to assess both inherent as well as residual risk. The residual risk will tell you whether you need to be nervous about the existing situation. When the residual risk is high, clearly you need to take extra measures. When the inherent risk is high, you need to be nervous about the controls and measures; are they working effectively? Is there still water pressure on the fire extinguishers? Does the fire alarm work? Especially, when the difference between inherent and residual risk is high, it is extra important to ensure measures and controls are working effectively.

This is true on an ERM level, as well as on an operational level. And yes, for those specialists that did keep on reading, reality is probably more complex, because a risk is not just one impact and a single likelihood. There are many potential statistics behind it. That is why risk assessments are intended for setting priorities, not for calculating the risk exposure. That’s a completely different story.

Now, two things might be the case:

Your risk assessment was high, but you don’t see any incidents. Again two things:

• Business was too negative and the risks aren’t actually that high. In this case, care should be taken that business hasn’t over controlled everything at considerable cost and frustration. This is an opportunity for cost reduction.
• The incidents aren’t captured, implying they might happen, and the business is losing many without even knowing it. This is a more serious situation and immediate action is required. This is an opportunity for risk reduction.

Your risk assessment was low, and incidents are happening more than anticipated.

• Clearly, the business underestimated risks and business processes are under-controlled. Extra measures should be taken immediately and risks should be re-assessed. This is an opportunity for risk reduction and cost reduction too; preventing the incidents from happening.

All situations are triggers to increase risk awareness and risk responsiveness. Such an integrated view on risk assessments and incidents is only possible when you have an integrated system.

• Go through the phases of maturity in CA in one software package, leverage existing knowledge of tooling in CAAT’s and extend to Continuous Monitoring/Auditing later
• Integrated automated and manual testing
• Direct accessibility of results and follow-up by Internal Audit departments
• Integrate with other GRC activities such as ERM (Risk Assessments) as described in the GTAG towards Continuous Assurance
• Other technical infrastructure benefits and Total Cost of Ownership

What is our vision?
In order to provide a practical example of the benefits of having an integrated GRC Suite, that includes Data Analytics, CM and CA capabilities, take a look at the following graph:

It tells us that our performance has increased in managing our overdue accounts receivables. It also provides Internal Audit with the insights on the effectiveness of this process over a certain period, the entire year in this case. Any peaks or strange behavior in trends can directly be explained through the management comments which are directly visible in the graph. An auditor’s opinion is pending, orange dot at the end of the year, and twice management has indicated that the control of overdue receivables is insufficient, the red dots. This graph represents the tip of the iceberg only.

There is much more information underneath that is derived from an integrated GRC suite. The picture below depicts individual components (not all are relevant for this example). Let me explain which ones are: 

• The IC Framework Integration is a decomposition of processes, risks and controls. In this case Billing -> Non-collectable receivables and loss of interest (reducing working capital) -> Periodic monitoring and follow-up of overdue receivables. All other functionalities make use of this framework for integration purposes
• KRI/KPI/KCI – Regardless of the correct name, Key Risk Indicators give direct insight in the current state of affairs and provide means to easy trending. In this case the KRI is defined as a % of turnover which is overdue more than 60 days
• Continuous Monitoring – The data to calculate the KRI and the exact details underneath (what customers are overdue, what amounts/regions/products etc.), including individual invoice data is automatically captured from a source ERP/Financial system and analyzed, presented and pushed into a follow-up workflow
• Control Self Assessments are performed on most key controls from the IC framework. During these self-assessments, management makes use of the Continuous Monitoring data to substantiate their opinion. Any exception is either explained and documented or needs appropriate follow-up actions
• Action Management handles the tracking and tracing of all outstanding tasks for management
• Since an Audit Module is integrated in the GRC Suite, all data is present and available to Internal Audit. Even though they have an independent function, the entire audit trail of findings; follow-up, CM data, results, etc. is available in the system and accuracy is guaranteed. Their opinions are available throughout the process (see yellow dot in graph) or at a specific point in time when an audit is performed

All data to produce the graph, but also all data that is relevant for follow-up, monitoring, auditing and trending is directly available in the same application. It makes the auditing, and continuous monitoring an integral part of day-to-day business. It becomes part of the Internal Control environment. There is a much more detailed explanation behind all of this, which will be published shortly in our series on Data Analytics for GRC Vol. III – The Future of Audit Analytics and Continuous Auditing. Stay tuned!

For risk management and compliance, we have made much effort to implement ideas from the market. These include advanced incident management, configurable workflows, risk aggregation in a variety of different ways, and much more. So to conclude, the new release of our GRC platform is developed to equip teams with the right tools to work more effectively and efficiently in order to cope with the ongoing growth in the number and complexity of GRC programs. If you would like to learn more, request access to one of our recorded webinars on Compliance and Policy Management, Internal Audit, and Risk Management.