A game of risk?

Placing greater cultural importance on the implementation of enterprise risk management is an important step in an organization’s growth and security, argues Tom Bolger.

What is the biggest challenge organizations face with regards to risk management?

Tom Bolger: The primary obstacle to a truly successful implementation of an enterprise risk management program or a full-scale governance, risk and compliance (GRC) initiative is the corporate culture, especially in financial institutions. Specifically, not enough focus is placed on making changes to that culture in order to accommodate the required shift in thinking.

The core change is to stop viewing risk, compliance and audit as overhead activities, and therefore less important to the business. Rather, they should be considered fundamental to the success of the organization, and made an integral part of every business unit. This does not mean adding dedicated resources across the organization, but it does mean increased awareness and cooperation from the rest of the team.

Many organizations struggle to align the diverse functions that make up a GRC program. There are many similarities within those activities, but differences as well. To maximize the return on your risk management investment, your culture needs to bridge those differences.

How have other financial institutions embedded and reinforced a risk management culture?

TB: The key to the culture is consistency - common definitions, processes, measurement metrics and management behaviors. Corporate buy-in must be both top-down and bottom-up. Executives need to lead by example, and business units need to realize that GRC activities are a key part of their daily activity, not a nuisance to be set aside or hurried through.

One way to accelerate this process is to introduce incentives and tie compensation directly to the success of the risk program. This delivers a crystal clear message from the executive team - this is important, and you will do it well.

Another option is to applying a broad GRC framework gradually rather than all at once. This provides quicker wins to the organization, and creates showcases to convince other business units of the tangible benefits risk management can provide.

Finally, find ways to minimize the burden on your business units. Your software tools should provide this benefit when they incorporate the key elements of your GRC program.

How does my GRC software fit into this?

TB: Software applications are tools to facilitate - for GRC, you need the software to help with efficiency, flexibility and decision making.

For your cultural change to be successful, the process of performing a risk assessment or participating in an audit cannot be laborious for your business units, and your risk and audit teams need to be able to do more with fewer resources. The software needs to streamline the process, so your commercial lenders don't have to provide the same information multiple times just because someone else is asking the question. Using software to manage the workflow and make the process understandable and easy to use makes risk management routine.

Many organizations that developed or purchased SOX software solutions are now finding them to be inadequate for the current needs of the business. Your software needs to be flexible, so you can include operational losses, key risk indicators and internal audit along with your compliance monitoring. Your institution continues to evolve as the market changes and new regulations arise. You need a software solution that will keep pace.

To get the full value out of GRC, executives need good information in a timely manner. Financial institutions know that risk management means identifying risks and consciously deciding to pursue good risks and avoid or mitigate bad risks. If your system can produce reports that highlight opportunities and weaknesses in real time, you can make well-informed decisions quickly and confidently.

Biography

Tom Bolger is the vice president of global marketing for Methodware, which provides risk, compliance, audit and investigations software to more than 1800 clients. He uses 15 years of experience in financial services and risk management to help guide Methodware's market strategy and solution direction.