Recently, Gartner released its 2011 Magic Quadrant for enterprise governance, risk, and compliance (eGRC) software. While the report highlights the top eGRC vendors, which include LogicManager, it also identifies some revealing trends within the eGRC marketplace based on reliable customer feedback. The most notable trend recognized is the shift by eGRC programs towards enterprise risk management (ERM) software. As Gartner states,
“ERM has emerged as the most significant use of EGRC platforms.”
It used to be that compliance was by far the leading use of eGRC. Now, however, ERM is seen by business leaders as the way to provide their boards of directors with transparency, monitor the achievement of organizational goals, and be proactive on emerging risks. Overall, Enterprise Risk Management (ERM) software is now seen as the method to improve business performance.
This trend can be directly attributed to increased regulatory pressures on boards of directors. These new regulations, which came into effect in February 2010, now hold boards of directors personally accountable for risk management oversight of material risks all the way down to the front line, meaning that boards are given the choice between closing gaps in risk management or disclosing these gaps to the public. Doing neither is now considered fraud. The “we didn’t know about it” defense is no longer valid.
Considering these regulations went into effect in early 2010, it comes as no surprise that Enterprise Risk Management (ERM) software capabilities became the priority for GRC reporting programs in 2010, and continued to be in 2011. Similarly, this is now the second consecutive year that LogicManager, the leader in Enterprise Risk Management (ERM) software, has been represented in the Magic Quadrant.
So what does this all mean for risk managers?
Action must be taken. In the past it may have been sufficient to reach only senior managers for risk assessments. Now, however, due to the regulatory changes described above, risk managers need to engage the front line directly with risk assessments.
Risk management reporting has changed, so don’t be caught waiting for your board to give direction. The board expects the risk manager to identify and assess risks across all levels and silos of the organization and to reveal the gaps in reporting down to the front line. If you continue to report using senior-level assessments only, even if the board seems complacent, it won’t be long before the board turns to someone else for risk management.
Three metrics to present at your next board meeting:
- Business Process Improvement: Engagement at the front line – Roughly 10% of all employees are front-line managers. Do the math for your organization. How many risk assessments has the front line conducted this year? How many front-line managers do we reach? Show the board how large the gap is and determine how much liability (or gap) they are willing to accept.
- Performance Management: Linking risks to processes and goals – Of the front-line managers you’re not reaching, how many risks related to strategic goals have they assessed this year that have gone unreported? The risk manager must be able to make the connections and demonstrate how these risks impact business processes and strategic goals.
- Identifying emerging risks: How many emerging risks that front-line managers are in a position to identify are going unaddressed? What is the degree of disconnect between the number of unaddressed risks and those that have proven, sufficient mitigation action in place?
After presenting these metrics, the next step is showing the board how the gaps in reporting can be filled. Tell them what resources are needed and what decisions need to be made. After all, the board does not want to be charged with fraud, and it does not want to turn away stockholders by reporting its flaws in risk management.