At first, GRC doesn’t feel hard or complex. Everyone understands a word as simple as ‘risk.’ And you know that if you have a risk, you need to implement a control to mitigate and manage that risk. And the type of control you choose to implement, from internal registers to software solutions, is largely dependent on your risk appetite. It’s a really simple concept.
But start breaking your risks down into different categories. Now you have operational risk, which is concerned with your processes and the way you run the business, and people risk, which is more strategic and concerned with scaling your business. Even at this level it’s still not complicated.
Now consider that your business doesn’t operate as a whole; over time it’s naturally evolved, and silos have formed. Now there are lots of teams all doing different things, using their own models, speaking their own language, working to their own agenda, which means you need an integrated approach to risk management.
But within each department, there will be some really specific risks. For example, finance will need to deal with liquidity risk and credit risk. So now you need some very specific controls to mitigate these niche risks.
And don’t forget to include risks from your external environment. You can have the most robust security in the world, but a single small third party can leave you exposed and vulnerable.
All of a sudden, your world has become very complicated. And that’s before we’ve even mentioned the minefield of regulatory risk.
If you were an accountant, the world would be very black and white. You have a set of incomings and outgoings that, when you plug them into your spreadsheet, will (hopefully!) balance perfectly.
Risk can’t ever be that specific. We operate in a grey area, where our numbers are less certain because we’re estimating things like loss and likelihood. And then you end up adding qualitative data in an attempt to justify your estimates and instill a higher level of confidence, but all you do is make the process more complicated.
In the ideal world, everything would tick over like clockwork. But we live in the real world, where complexity exists, and often for good reason. That complexity is impacting your ability to stay ahead of the competition and changing market conditions, hampering customer service and slowing productivity.
Complexity is a natural part of life, but you still need to operate business-as-usual and so can’t afford to let risk make you feel suffocated.
Research from McKinsey shows that most organizational complexity resides within your systems and processes. Start by taking a step back and understanding what creates the most complexity in your organization. Then remove the things that don’t add value, and accept that sometimes things have to operate a certain way which may seem overly complex, and that’s OK.
In the battle to fight organizational complexity, it’s process that will reign victorious. Your risks may not be logical, but once you have a framework that accepts them while embracing your organization’s eccentricities and complementing the different ways your departments operate, you can make informed decisions around that model.
In our recent webinar, we shared an innovative framework that helps organizations take a simple, integrated approach to risk management.