To succeed, a company must take risk, but how can it keep a close enough watch to make sure the risks do not demolish its very existence? After Chris Mandel described the risk appetite framework in part 1 of this posting, Brenda Boultwood, Senior Vice President of Industry Solutions at MetricStream, took the floor to describe how technology can make it happen. She was the second of two presenters at the webinar “Aligning Risk Appetite with ERM Governance” sponsored by the Global Association of Risk Professionals on March 17, 2015.
Boultwood said that risk assessment can be a “unifying call” between several departments and business units within an enterprise. A company can rapidly transition from a siloed and fragmented functional structure to an integrated business model requiring a new standardized risk framework.
The risk appetite framework can act as the foundation for the strategic planning process, with each functional support area playing a role in evaluating a company’s strategic risks. “Fundamentally, we are talking about data management,” she said.
A well-chosen software platform that combines governance, risk management, and compliance (GRC) functions can unite multiple perspectives on risk assessment. “It’s no longer just market and credit risk,” she said.
During the risk assessment process, a company scores and establishes what is most important to watch. The company must ask itself many things as it sets up a risk management framework, such as “what are the best key risk indicators? What are the acceptable risk thresholds?” when determining risk metrics.
For example, human resources processes involve several types of risk such as reputational risk and IT security risk, so the GRC platform should pull together data for these and other risks. These key risk indicators, such as rate of employee turnover, are crucial. KRIs identify risk exposure levels, detect changes or trends in existing risk exposures, and can reveal emerging risks.
To maintain this framework, a company must continuously evaluate the risk landscape, and continually communicate top risks, emerging risks, and strategic risks throughout the organization. “By understanding the enterprise risk factors, a company can develop strategies to optimize controls, improve performance and reduce the negative impacts to the business alerted to take action,” she noted.
“The Board likes context,” she said. “They want to know where and why these risks are happening.” Risk intelligence for business performance means the Board of Directors should receive overviews of key business processes and risks to provide a context for their decisions, such as heat maps of top current risks. The CEO and the CFO receive special, customized reports.
A good GRC platform supports firm-wide risk governance and strengthens the ties between the business and the Board of Directors. This is done through the common language of risk and controls available on a GRC platform that is available company-wide.
The risk appetite framework can act as both the foundation and the unifying factor in an organization, and technology can enable it all. ª
Click here to view the webinar presentation Aligning Risk Appetite with ERM Governance. Brenda Boultwood’s slides go from 32 to 42.
Disclaimer: TextMedic completes occasional contract work for MetricStream.