We recently sat on a panel of the webinar hosted by the advisory specialists ARQ in Malta to discuss the pitfalls and successes of embedding an effective & efficient risk culture.
Here are some of the key thoughts and take aways from the panel of experts.
The heightened risks associated with running an organisation in past few years has been nothing short of staggering:
- A global pandemic
- Unprecedented cyber risks
- Geopolitical risks from the war in Ukraine and the Middle East
- Ever increasing regulations and complexity
- Changes to working practices rewriting the control framework required
All of the above lead to uncertain times but make managing Risk exciting!
Now Enterprise Risk clearly plays an integral part to the success of an organisation, however Risk also needs to increase its bandwidth but with constraints on budget and availability of skilled staff, how can Risk do more with less?
- Align your Risk management strategy to the business objectives
Risk should be seen as an enabler to growth of the organisation, not an inhibitor. To do this you need to ask yourself:
- Is your risk framework overly bureaucratic?
- Is it updated as the strategic objectives change and new risks arise?
- Are you ensuring the regulatory requirements are being met- this is key to enabling the strategy to be executed.
- Build strong relationships with the business
Enterprise Risk should be a partner to the business but for too long, Enterprise Risk has been viewed as a tick box exercise, necessary to appease the regulators. To make the business see Risk as a partner, Risk needs to demonstrate the value of the inputs and the outputs of the Risk Management activity. Have you reviewed your risk management framework for the following:
- Are you performing risk administration or risk management?
- Can you demonstrate clearly the benefits that the risk activity of your framework have bought, and that the risk level has been reduced to within appetite?
- Can you show the potential financial loss that has been saved through risk management? Or how your framework supports the brand of your organisation?
- Are you asking the business to perform value added activities that change behaviour and embed an effective risk culture, or are they tick box activities that do neither?
- Is there open communication between Risk and the business?
- Ensure you have the right risk data to inform and support management decisions
Risk needs real time risk data and this needs to be both dynamic and forward looking. You need to be able to see gaps in your regulatory compliance, failing controls, increasing risks real time and to also plot forward looking risk data.
This risk data should be used to support management to both make data driven decisions but also to challenge the business. However, we all know that producing ‘one version of the truth’ which is in real time, accurate and complete is time consuming and complex if relying on multiple sources and documents.
- Automate & Streamline
Without automation:
- It takes longer to produce the risk data together than the actual time you have to analyse and act on it!
- Risk data cannot be dynamic or real time
- It is harder to get the business to engage timely, or to demonstrate ownership for their risks and controls
- Tracking status of risks, controls, issues and actions is difficult and time consuming
- Mapping of compliance to regulations and identifying and analysing gaps can be ineffective as data is not real time.
- You have to rely on a series of spreadsheets and documents to manage your framework – this is not efficient.
The benefits of automation in the form of a Governance Risk and Compliance platform (GRC) have been well documented:
- Efficient risk and control assessment activities.
- Enhanced traceability and transactions.
- Improved transparency and collaboration through one integrated technological platform.
- Early warning indicators enable you to anticipate and mitigate potential outcomes.
- Enhanced insight to enable risk-informed decision making.
- Improved issue identification and remediation.
- Increased business performance through meaningful reporting.
- Capability to efficiently manage compliance to a variety of regulations and industry standards.
Our advice is to trust in the benefit of automation! Our GRC- ERIC enables automated simple, cost effective, ongoing compliance for:
- Rule GAP analysis
- Risk Assessment
- Control Assertation
- Testing
- Risk, issues and action tracking
- Reporting at a touch of the button
For more info, or a demo of ERIC contact 1RS- www.1rs.io
For further discussions on embedding an effective and efficient risk culture within your organization, please feel free to contact ARQ Risk Advisory




