Managing risk and maintaining compliance in the face of complexity and constant change is a major challenge for organizations, from the Board through to Management and even dedicated risk and IT professionals. Organizations, their business units and their constituent departments all have separate needs and diverse compliance standards that they need to meet, as well as exposure to differing third-party risks.
As a result, various approaches and systems tend to organically develop throughout an organization for tracking and monitoring compliance activity, which makes it difficult for organizations to get a clear view of their overall risk posture. This creates the danger of overestimating or, worse, underestimating risks, simply because there’s no normalization or aggregation when reporting on those risks.
As transactions, data, processes, relationships and assets multiply across the organization, trying to impose a single process for analyzing and reporting on completely different aspects of the business becomes increasingly difficult. Even if a company has a Chief Compliance Officer, they will often take a decentralized approach to compliance. This leads to what GRC expert Michael Rasmussen labels “scattered silos of compliance,” with departments not collaborating or sharing resources, and in turn failing to see the big picture.
This gives a flat view of risk which can mislead organizations about their true risk status, and also makes it more difficult to maintain accurate risk information and respond effectively to changes in laws or risks.
GRC processes are made even more difficult when using outdated, spreadsheet- or paper-based processes. Because these are not easy to share or act upon, spreadsheets often become mere documentation, rather than effective tools for compliance monitoring and management.
On the other hand, some companies adopt a centralized, one-size-fits-all approach to compliance. For any organization that has multiple departments with different compliance requirements, this can cause difficulties. While such an approach can be more cost-effective, it can lead to different departments and individuals feeling that compliance is purely a reporting exercise and hence not their responsibility, and so losing visibility and control. It also does not take into account the specific needs of individual departments’ functions.
What’s needed, therefore, is a federated approach to risk and compliance. This approach means applying common standards and methods for risk identification, management and reporting throughout the organization, but also supporting unique risk assessment methods and workflows to cater to the needs of every business unit and department.
A federated GRC architecture has centralized coordination and shared services, but management is performed more at departmental level, encouraging risk functions from different departments to work and collaborate together – enabling services, technology and information to be shared across the organization, but used in different ways.
But how should a company approach building a framework that supports a federated approach to risk management? Here are four key components that are essential in establishing a common information and technology architecture that also allows individual departments to apply their own risk management strategies:
Just using heat maps or traffic light graphs is no longer enough for analyzing and assessing risk. Organizations need a range of risk analysis methods that incorporate evidence libraries, impact and likelihood tables, and risk registers. They also need to be able to normalize and aggregate risk. Some business units will be smaller than others, yet carry disproportionately high risk, so companies need to be able to normalize the risks by unit size, contribution to overall revenues, and so on.
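To make the normalization point concrete, here is an added example (not code from the article or from SureCloud) that scores a small, constructed risk register with an impact/likelihood table, aggregates the scores per business unit, and then normalizes each unit's exposure by its hypothetical share of group revenue. The unit names, revenue shares and risk entries are all invented for illustration; the ranking flips once normalization is applied, which is exactly the under- or over-estimation the article warns about.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of a risk register. Impact and likelihood use a 1-5 scale,
    as in a simple impact/likelihood table."""
    unit: str
    title: str
    impact: int      # 1 (negligible) .. 5 (severe)
    likelihood: int  # 1 (rare) .. 5 (almost certain)

    def score(self) -> int:
        # Classic impact x likelihood score (1..25)
        return self.impact * self.likelihood


def band(score: int) -> str:
    """Map a score onto the heat-map bands a traffic-light chart would show."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# Hypothetical business units and their share of group revenue (sums to 1.0).
REVENUE_SHARE = {"Retail": 0.70, "Payments": 0.10, "R&D": 0.20}

# Constructed sample register: a large unit with many moderate risks and a
# small unit carrying a few severe ones.
REGISTER = [
    Risk("Retail", "POS outage", 3, 3),
    Risk("Retail", "Supplier data breach", 3, 2),
    Risk("Retail", "Stock forecasting error", 3, 4),
    Risk("Retail", "Store burglary", 2, 2),
    Risk("Payments", "Card data exfiltration", 5, 3),
    Risk("Payments", "PCI DSS non-compliance", 4, 3),
    Risk("R&D", "Source code leak", 4, 2),
]


def raw_exposure(register):
    """Sum of scores per unit: what a naive roll-up reports."""
    totals = defaultdict(int)
    for risk in register:
        totals[risk.unit] += risk.score()
    return dict(totals)


def normalized_exposure(register, revenue_share):
    """Exposure per unit of revenue share, so a small unit with outsized
    risk is no longer hidden behind a large unit's volume of minor items."""
    raw = raw_exposure(register)
    return {unit: raw.get(unit, 0) / share for unit, share in revenue_share.items()}


def rank(exposure):
    """Units ordered from highest to lowest exposure."""
    return sorted(exposure, key=exposure.__getitem__, reverse=True)


def high_risks(register):
    """Register rows that land in the 'high' band, for the central dashboard."""
    return [risk.title for risk in register if band(risk.score()) == "high"]


if __name__ == "__main__":
    print("raw ranking:       ", rank(raw_exposure(REGISTER)))
    print("normalized ranking:", rank(normalized_exposure(REGISTER, REVENUE_SHARE)))
    print("high-band risks:   ", high_risks(REGISTER))
```

On the constructed data the raw roll-up puts Retail first, while normalizing by revenue share puts Payments first by a wide margin; which denominator to use (revenue, headcount, asset value) is a policy choice, but the point is that the same denominator is applied to every unit before figures are compared at group level.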
An effective federated risk management solution will provide a centralized dashboard for reporting across risk management systems, as well as analytics capabilities for reporting to external and internal stakeholders. Another feature to look out for is assessment templates based on common control standards, and the ability to create multiple versions of assessments to cater to different parties’ needs.
Organizations can achieve a federated, collaborative way of doing compliance activities by putting in place automated workflow and task management systems, and assigning fine-grained permissions to the individuals responsible for these. This establishes set processes for GRC activity that can be used repeatedly as the business develops.
Integration with other IT functions, external data sources, and historical information from previously-used compliance systems is critical to success. This gives organizations access to as much data and evidence as possible, extracting data that would otherwise be buried in emails and documents scattered across the company, and puts them in the best position to meet the compliance standards that apply to them.
With the world of risk constantly changing and becoming more complex, a federated approach to risk management processes is the best way of keeping them as simple and practical as possible. Standardizing systems ensures that those people responsible for risk within their departments can use common language and measures for risk management, helping the whole organization not only to cut its risk exposure and better manage its compliance but also to shift the underlying culture towards risk.
Richard is co-founder and CEO of SureCloud, a provider of Software-as-a-Service Governance, Risk and Compliance Solutions. Prior to founding SureCloud, Richard held a range of senior executive positions at technology organizations in the UK, mainland Europe and North America, where he led sales, marketing and market development functions. Today, in addition to leading SureCloud and overseeing the continual innovation of the SureCloud platform, Richard advises enterprises on their governance, risk and compliance practices.