GRC strategy, training of employees & simulation methods

In Michael Rasmussen´s opinion this change of culture starts with the awareness that risk is owned by the businesses front lines. Too often the employees’ concept is that the chief risk officer is responsible for risk, but a chief risk officer is more to be seen as a facilitator and collaborator. They have to monitor risks and detect their interconnections. This is a task that can be better accomplished using software. This mentioned culture change also needs to be achieved for quantitative methods in risk management. In a lot of companies, risk simulation is only done by the central second line function – thus people who have a thorough knowledge about statistics and mathematics.

A good communication and a step-by-step approach is important to train people of the first line regarding those quantitative methods. They need this knowledge to interpret and apply it in the context of business. Employees must understand how their role in the company has to deal with risk quantification and how to apply it to their specific business area. Quantification is something that needs good guidance. That was the reason for GBTEC (formerly avedos) to implement a corresponding component to the GRC software BIC. It offers guided tours about the whole risk management- and quantification process. These tours explain what is needed methodologically and tool-wise to run through this operation.

There is a big advantage of using quantitative methods and risk simulation compared to the “compliance approach” and the simple heat-map view on risk. The last two approaches fail to put a number in value on the impact of the organization. Quantitative methods and risk simulation give a clear understanding of the financial impact that the business is going to bear with certain risks. It is important to relate risk management to performance. Managers are accountable for the figures a company produces. They are interested in how the risk they are taking impacts these.

• Companies need to understand their current state – the fundamental reality. Where are they today? How are they currently managing risks in the organization? What is working? What is not working? How fragmented or integrated is their risk management?
• Once they have understood their current state, they can define the future state. Companies cannot achieve that overnight. Michael Rasmussen recommends 3-years-plans. What does the company want risk management to look like in 3 years? How will it change from the current state?
• Companies must develop a project plan which defines how to achieve its goals. A strategic plan is crucial, because a rapid change of too many processes and operations destines the project to fail.
• The other important thing is to keep the right people involved in the strategy. This helps making the risk management process successful.
• And finally, companies must pick the right technology. Too many organizations choose a GRC platform that is only good in one aspect of risk management. Companies must analyze their solution to really stick to their 3-years plan. It is important to select a technology that supports the company in achieving its goals.

The first episode of the GBTEC podcast started in February 2019. This series is all about the topics of integrated GRC, enterprise risk management, internal control system and information security management. Meanwhile 10 episodes are already available and can also be streamed via various well-known platforms such as Soundcloud, Spotify and Apple Podcast.