Managing risk and maintaining compliance in the face of complexity and constant change is a major challenge for organisations, from the Board through to Management and even dedicated risk and IT professionals.
Organisations, their business units and subsequent departments all have separate needs and diverse compliance standards that they need to meet, as well as exposure to differing third-party risks.
As a result, various approaches and systems tend to organically develop throughout an organisation for tracking and monitoring compliance activity, which makes it difficult for organisations to get a clear view of their overall risk posture.
This creates the danger of overestimating or, worse, underestimating risks, simply because there’s no normalisation or aggregation when reporting on those risks.
As transactions, data, processes, relationships and assets multiply across the organisation, trying to impose a single process for analysing and reporting on completely different aspects of the business becomes increasingly difficult.
Even if a company has a chief compliance officer, they will often take a decentralised approach to compliance. This leads to what GRC expert Michael Rasmussen labels ‘scattered silos of compliance’, with departments not collaborating or sharing resources, and in turn failing to see the big picture.
This gives a flat view of risk which can mislead organisations about their true risk status, and also makes it more difficult to maintain accurate risk information and respond effectively to changes in laws or risks.
A tool you can trust?
GRC processes are made even more difficult when using outdated, spreadsheet- or paper-based processes. Because these are not easy to share or act upon, spreadsheets often become mere documentation, rather than effective tools for compliance monitoring and management.
On the other hand, some companies adopt a centralised, one-size-fits-all approach to compliance. For any organisation that has multiple departments with different compliance requirements, this can cause difficulties.
While such an approach can be more cost-effective, it can lead to different departments and individuals feeling that compliance is purely a reporting exercise and hence not their responsibility, and so losing visibility and control. It also does not take into account the specific needs of individual departments’ functions.
Recognising differences, standing together
What’s needed, therefore, is a federated approach to risk and compliance. This approach means applying common standards and methods for risk identification, management and reporting throughout the organisation, but also supporting unique risk assessment methods and workflows to cater to the needs of every business unit and department.
A federated GRC architecture has centralised coordination and shared services, but management is performed more at departmental level, encouraging risk functions from different departments to work and collaborate together – enabling services, technology and information to be shared across the organisation, but used in different ways.
But how should a company approach building a framework that supports a federated approach to risk management? Here are four key components that are essential in establishing a common information and technology architecture that still allows individual departments to apply their own risk management strategies.
Just using heat maps or traffic light graphs is no longer enough for analysing and assessing risk. Organisations need a range of risk analysis methods that incorporates evidence libraries, impact and likelihood tables, and risk registers.
They also need to be able to normalise and aggregate risk. Some business units will be smaller than others yet carry disproportionately high risk, so companies need to be able to normalise the risks by unit size, contribution to overall revenues, and so on.
An effective federated risk management solution will provide a centralised dashboard for reporting across risk management systems, as well as analytics capabilities for reporting to external and internal stakeholders.
Another feature to look out for is assessment templates based on common control standards, and the ability to create multiple versions of assessments to cater to different parties’ needs.
Organisations can achieve a federated, collaborative way of doing compliance activities by putting in place automated workflow and task management systems, and assigning fine-grained permissions to the individuals responsible for these.
This establishes set processes for GRC activity that can be used repeatedly as the business develops.
Integration with other IT functions, external data sources, and historical information from previously-used compliance systems is critical to success.
This will give organisations access to as much data and evidence as possible, extracting data that would otherwise be buried in emails and documents scattered across the company, and putting them in the best position to meet the compliance standards that apply to them.
With the world of risk constantly changing and becoming more complex, a federated approach to risk management processes is the best way of keeping them as simple and practical as possible.
Standardising systems ensures that those people responsible for risk within their departments can use common language and measures for risk management, helping the whole organisation not only to cut its risk exposure and better manage its compliance but also to help shift the underlying culture towards risk.
Sourced by Richard Hibbert, CEO of SureCloud