with Michael Rasmussen, internationally recognized pundit on governance, risk management, and compliance (GRC)
The following text is a summary of the second part of our podcast with Michael Rasmussen. The summary of part 1 can be found here.
The interconnectedness of risks and the GRC information related to them is a significant topic for successful companies. In the case of COVID-19, many managers are worried about the consequences a new or extended lockdown may bring and ask themselves the following questions:
- What happens to our risk bearing capacity?
- What are the benefits of an integrated GRC strategy?
Companies have different objectives such as department objectives, product objectives, etc. It is important to map risks to those objectives and to understand their interconnectedness. Objectives change frequently in organizations. Also, even if the strategy stays the same, the way of tackling it changes. Each change of strategy has an impact on the risk portfolio. In the case of COVID-19 there is great interest in improving GRC and risk management approaches. But it is not a blank cheque. Companies must develop a strategy that defines how to make risk management more efficient, effective, and agile. Too often risk management is approached as a mandatory compliance exercise and is therefore not part of the company culture itself.
Many companies start thinking about using quantitative methods, simulations, and aggregation of risks but often fear that this is too mathematical, complex, and hard to understand. A lot of education must take place there. Companies need to make sure that not only the second- and third-line functions understand those quantitative methods. It is important to present them to the front line: the operational management which owns these risks. It must understand these methods in order to act on them.
This can be achieved by providing the necessary information and training for employees to comprehend the underlying technology. Furthermore, it is important to anchor the organization’s risk management culture in the workforce.
In Michael Rasmussen's opinion this change of culture starts with the awareness that risk is owned by the business's front line. Too often employees assume that the chief risk officer is responsible for risk, but a chief risk officer is better seen as a facilitator and collaborator. They have to monitor risks and detect their interconnections. This is a task that can be better accomplished using software. The same culture change also needs to happen for quantitative methods in risk management. In a lot of companies, risk simulation is only done by the central second-line function, that is, by people who have a thorough knowledge of statistics and mathematics.
Good communication and a step-by-step approach are important to train people of the first line in those quantitative methods. They need this knowledge to interpret and apply it in the context of the business. Employees must understand how their role in the company deals with risk quantification and how to apply it to their specific business area. Quantification is something that needs good guidance. That was the reason for GBTEC (formerly avedos) to implement a corresponding component in the GRC software BIC. It offers guided tours through the whole risk management and quantification process. These tours explain what is needed methodologically and tool-wise to run through this operation.
There is a big advantage of using quantitative methods and risk simulation compared to the "compliance approach" and the simple heat-map view of risk. The last two approaches fail to put a monetary value on the impact to the organization. Quantitative methods and risk simulation give a clear understanding of the financial impact that the business is going to bear with certain risks. It is important to relate risk management to performance. Managers are accountable for the figures a company produces. They are interested in how the risks they are taking affect these figures.
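To make the contrast concrete, the following added example (not code from the podcast, GBTEC or the BIC product) scores a small constructed risk register the heat-map way and then aggregates the same register by Monte Carlo simulation, so the result can be compared against a risk-bearing capacity in money terms. The register entries, probabilities and loss ranges are assumed sample values.

```python
import random
import statistics

# Constructed sample risk register (assumed values, in millions of currency units):
# annual probability of occurrence and a three-point loss estimate (min, mode, max).
RISK_REGISTER = [
    {"name": "Extended lockdown closes plant", "p": 0.30, "loss": (2.0, 5.0, 12.0)},
    {"name": "Key supplier insolvency",        "p": 0.15, "loss": (1.0, 3.0, 8.0)},
    {"name": "Ransomware outage",              "p": 0.10, "loss": (0.5, 2.0, 10.0)},
    {"name": "Regulatory fine",                "p": 0.05, "loss": (0.2, 1.0, 4.0)},
]

def heat_map_rank(register):
    """Qualitative view: likelihood bucket (1-5) x impact bucket (1-5) per risk.
    The score orders risks but carries no currency and cannot be summed."""
    def bucket(x, edges):
        return 1 + sum(x > e for e in edges)
    scored = []
    for r in register:
        lik = bucket(r["p"], [0.05, 0.1, 0.2, 0.4])
        imp = bucket(r["loss"][1], [0.5, 1, 2, 5])   # bucket on the mode loss
        scored.append((r["name"], lik * imp))
    return sorted(scored, key=lambda t: -t[1])

def simulate_annual_loss(register, runs=20000, seed=1):
    """Quantitative view: one simulated year = every risk either occurs or not,
    with a triangular loss draw when it does; losses are summed across risks."""
    rng = random.Random(seed)               # fixed seed keeps the run reproducible
    totals = []
    for _ in range(runs):
        total = 0.0
        for r in register:
            if rng.random() < r["p"]:
                lo, mode, hi = r["loss"]
                total += rng.triangular(lo, hi, mode)
        totals.append(total)
    return totals

def percentile(values, q):
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]

def capacity_check(register, capacity, q=0.95, runs=20000, seed=1):
    """Compare the aggregated loss at confidence level q with the capacity
    the company can bear, which is the question the heat map cannot answer."""
    totals = simulate_annual_loss(register, runs, seed)
    loss_at_q = percentile(totals, q)
    return {"expected_loss": statistics.fmean(totals),
            "loss_at_q": loss_at_q,
            "within_capacity": loss_at_q <= capacity}
```

The heat map ranks the lockdown risk first but cannot say whether the portfolio as a whole fits a given capacity; the simulation answers that directly and also exposes the expected annual loss for the performance discussion.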
- Companies need to understand their current state – the fundamental reality. Where are they today? How are they currently managing risks in the organization? What is working? What is not working? How fragmented or integrated is their risk management?
- Once they have understood their current state, they can define the future state. Companies cannot achieve that overnight. Michael Rasmussen recommends three-year plans. What does the company want risk management to look like in 3 years? How will it change from the current state?
- Companies must develop a project plan which defines how to achieve their goals. A strategic plan is crucial, because a rapid change of too many processes and operations destines the project to fail.
- The other important thing is to keep the right people involved in the strategy. This helps to make the risk management process successful.
- And finally, companies must pick the right technology. Too many organizations choose a GRC platform that is only good in one aspect of risk management. Companies must analyze a solution to make sure it really supports their three-year plan. It is important to select a technology that supports the company in achieving its goals.
The first episode of the GBTEC podcast was released in February 2019. This series is all about the topics of integrated GRC, enterprise risk management, internal control systems and information security management. By now 10 episodes are available and can also be streamed via various well-known platforms such as Soundcloud, Spotify and Apple Podcast.