Organizations face countless challenges in today's dynamic digital age. From interconnected supply chains to globalization, technological advances, cyber threats, ESG obligations, geopolitical instability, and emerging risks such as global pandemics, the landscape is evolving at an unprecedented pace.
Additionally, regulatory requirements are increasing rapidly. Over the past 60 years, the U.S. population has increased by 98%, while federal regulations have increased by a staggering 850%.
At the same time, organizations must manage their own internal complexity: diverse business lines, large government bureaucracies, complex and fragile IT infrastructures, large data environments, extensive vendor relationships, and evolving customer needs. These challenges cannot be ignored.
To succeed in this environment, organizations require a formal approach to risk management that allows them to proactively identify, assess, and mitigate potential risks. Risk management approaches must support resilience, regulatory compliance, and strategic decision-making in increasingly complex and interconnected situations. Several regulatory bodies shape corporate governance, such as the U.S. Securities and Exchange Commission (SEC), which requires effective risk oversight by the boards of public companies. The missions of these external bodies highlight the critical need to understand the complete picture of risk to enable informed strategic and tactical decision-making, and they have encouraged many organizations to develop enterprise risk management (ERM) programs.
Unfortunately, even with such programs in place, there have been notable failures, including the 2008 financial crisis, the Boeing 737 crashes, the Fukushima nuclear disaster, the Enron accounting scandal, and the BP Deepwater Horizon oil spill.
In August 2020, Citibank, acting as loan agent for Revlon, was scheduled to pay interest to Revlon's lenders on its behalf. However, due to a combination of human error and a lack of adequate safeguards in the payment system, the entire principal amount of the loan, totaling roughly $900 million, was transferred to the lenders instead. Citibank asked the lenders to return the funds, but several refused, leading to a legal dispute. Adding to the ordeal, the mistake resulted in a $400 million fine and a consent order from the Office of the Comptroller of the Currency (OCC) requiring Citibank to address deficiencies in its risk management practices.
Although ERM has come a long way in the nearly 20 years since its inception, challenges remain that can create blind spots, and those blind spots can become problematic or even catastrophic, as the cases above show.
Data quality is one of the most pressing issues. Approximately 84% of CEOs have expressed concern about the quality of the data on which their decisions are based. Given the large number of risks and stakeholders, organizations must maintain a single, accurate repository to support risk management and reporting.
Many organizations manage this information in a GRC (governance, risk, and compliance) platform. A GRC platform encompasses the systems, processes, and practices that enable an organization to manage risk and achieve business objectives while complying with applicable laws, regulations, and internal policies. These platforms track a variety of risk categories and their corresponding controls, including financial, operational, compliance, and operational resilience risks. Because risk stakeholders are diverse, it is essential to provide multiple views of the data that connect to resources such as people, technology, data, and third-party vendors. The platform should provide a comprehensive view from the entire forest down to individual leaves, offering detailed insights for functional teams and a broader perspective for senior-level stakeholders.
Recording risks and managing their data within a consistent business context is critical to effective deployment. Many platforms attempt this by anchoring data to a set of "core processes" or a standard reference model, but data quality issues still arise. One survey found that 74% of respondents find it difficult to maintain reliable data on non-financial risks. A major factor is organizational complexity beyond what a core-process list or reference model can express: the processes an organization actually performs are where unacceptable risks originate, and if they are not represented, the risks attached to them are not either. Without alignment to a shared business context, risk data becomes inconsistent or inaccurate as different stakeholders interpret it from their own perspectives.
Another challenge lies in the operating model, which requires coordination among diverse stakeholders. Many organizations employ a three lines of defense model: the first line is the business units that own and manage risk, the second line provides oversight of risk management from an enterprise-wide perspective, and the third line is the independent internal audit function. This model has its own difficulties. In one survey, 50% of respondents reported difficulty defining roles and responsibilities between the first and second lines. The root cause is a lack of precise definition of business context, ownership, and accountability.
Addressing these challenges requires greater integration of "what" the business does into the ERM program. This means creating and maintaining a comprehensive inventory of processes, organized in a process taxonomy, and defining ownership at each point in the chain. Integrating this taxonomy into the GRC data model is important for providing an accurate business context. This integrated approach resolves many of the problems in risk data and the risk operating model, leading to more comprehensive risk assessments. It is also essential for giving business decision makers an accurate view of the risk landscape.
In other words, an effective ERM program must be coupled with strong process capabilities, typically through a process center of excellence (COE) responsible for creating and maintaining this comprehensive information repository.
Such a capability requires organizational investment and commitment. But as they navigate the digital age, organizations that adopt this business-integrated approach can move forward with confidence while protecting themselves, their customers, and the markets they serve.