How Enterprise Risk Management Prevents Surprises
Steven Minsky | Nov. 10, 2015
Governance programs are the unsung heroes of 21st-century business operations. Their situation is analogous to that of football’s offensive line.
If an offensive line does its job, no one will notice it, but when something goes wrong, the spotlight shifts.
Governance personnel know this feeling all too well. Unwanted surprises – be they compliance notices, audit findings, or a poor vendor relationships – are bad for business. Even a good surprise, like exceeding a sales target, can cause trouble if the proper controls and infrastructure are not in place to seize the opportunity.
When we think about governance, risk, and compliance roles not as separate, individual functions, but as a singular effort to make business predictable and prevent unwanted surprises, it changes how those functions operate.
What causes Surprises?
In business, it’s not knowing all the relevant information and how that information connects across silos and levels. You can’t prepare for what you aren’t aware of, and governance personnel do not have the means to know what changes their colleagues on the front line are experiencing, or what information – if shared – would increase effectiveness.
The role of Enterprise Risk Management software is to link governance, risk, and compliance personnel to each other, and with their front-line stakeholders, by providing both a shared goal and a method of achieving it. The goal of preventing surprises is enabled by a key feature of our GRC system called a Taxonomy, or a method of compiling, connecting and sharing data across business functions to uncover relevant risks and determine who is most vulnerable to the materialization of these risks.
A risk-based approach makes that data comparable by providing a common baseline for prioritizing activities. The problems that might cause the greatest issue, or the ones most likely to occur, are escalated to the appropriate decision-makers who can allocate resources for a resolution. In the same manner, systemic risks that effect multiple groups are automatically identified, because departments are no longer operating with their own set of standards and assumptions and are connected automatically through a risk taxonomy.
A decade ago, lack of risk awareness might have satisfied litigators in the aftermath of a loss event. However, today’s regulations have made board members and senior leadership teams accountable for risks, regardless of at what level the risk materializes. Mature enterprise risk management programs are more than a safety net. These programs are invaluable insurance policies against the surprises your business might face and assure achievement of corporate performance objectives.