As organizations continue to navigate an ever-evolving landscape of risks and uncertainties, enterprise risk management (ERM) has become a top priority. With advances in technology, ERM can now be more sophisticated and efficient than ever before. In this article, we delve into the world of technology-enabled ERM and explore how it is transforming the way agencies approach ERM. Join us as we examine the latest trends and innovations in this critical field and discover what they mean for your organization’s success.
Perspective: Is ERM technology a blessing or a curse?
The short answer is “it depends”, but to thoroughly answer this question we must first make an honest assessment of the overall ERM program. While it is common to find point solutions being deployed to automate relatively “simple” ERM programs, readily enabling process automation and streamlining program architecture, larger organizations are likely to have more complex programs that require more sophisticated solutions, which in some cases means a mix of technology solutions. In such cases, the degree to which one or more Governance, Risk and Compliance (GRC) systems can integrate different risk management activities and provide a seamless user experience defines the success of the program and the level of user adoption. Additionally, program and process maturity is a key factor that affects the overall success of the solution. The organization, including its people, processes, systems, data, and policies, must be thoroughly prepared for the adoption of technology.
Automation may not always be the right answer to drive maturity of ERM. If the size and complexity of the ERM programs and activities are such that they can be sustained with a low degree of automation, then perhaps the relative value-add of technology enablement does not justify the investment.
When selecting an ERM solution, agencies should evaluate the candidates to determine which solution(s) would provide the most value in terms of meeting requirements and sustainability. Figuring out the extent to which the solution can be used to integrate various risk management functions and processes across the organization, and clearing any roadblocks to onboarding critical risk functions onto the GRC solution, will contribute to greater success of the overall program.
The Role of Technology in ERM Enablement
GRC solutions have many capabilities that can enable and mature ERM. Key capabilities include:
- Centralized repository of enterprise hierarchies, processes, risks and controls
- Risk and control self-assessments (RCSA)
- Top and emerging risk assessment
- Risk aggregation
- Risk appetite metrics
- Automated controls monitoring and testing
- Risk mitigation through issue management
- Integrated risk analytics
For the purpose of this discussion, we recognize that there is overlap among the terms ‘ERM’, Integrated Risk Management (IRM), and enterprise GRC (eGRC), and that these terms are often used interchangeably. Technology capabilities across these three areas are generally compatible and commonly referred to as GRC or eGRC tools or solutions. As such, the term GRC will be used throughout the rest of this document. What is most important is to establish a common lexicon with the project stakeholders to describe the solution capabilities, and to use it consistently throughout the duration of the project.
The following table shows how GRC Technology Capabilities enable ERM Outcomes:

Myth Busters about ERM/GRC Technology
We often confront assumptions about GRC technology solutions that aren’t entirely true. Regardless of their origin, it is important to understand the realities behind these errant assumptions. Although this summary list is by no means exhaustive, it does represent some of the more common “myths”.

Key Considerations & Pitfalls For Technology Enablement
Once you have committed to a GRC technology deployment to enable your ERM program, it is important to prepare as much as possible for the implementation from beginning to end. Many of the lessons learned we share here are common across all types of IT projects, but they are worth discussing, particularly for organizations that have never experienced such a project.
Pre-Implementation
Prior to implementing, the focus should be on establishing common ground with stakeholders and eliminating unknowns. Be sure to find a strategic leader (preferably more than one!) to champion your effort over the course of the project. As discussed earlier, a thorough understanding of requirements and objectives will enable you to begin with the end in mind and develop a plan that achieves the desired end state. Although it is important to embrace all stakeholders and extract maximum value from your project, don’t be afraid to kill the good idea fairy and say no to requirements that don’t align with the core objectives. Finally, though you should attempt to develop a thorough plan that accounts for all stakeholders, you should expect it to change. To borrow from President (the General) Eisenhower, “Plans are worthless, but planning is everything.”
Considerations and Best Practices
- Honest assessment of your organizational and process maturity to handle GRC technology
- Develop a clear roadmap with the end state clearly defined
- Ensure all stakeholder expectations are identified and accounted for
- Ensure the required resources and funding are available and supported by leadership
- Clearly define key business requirements and prioritize them upfront
- Conduct a thorough evaluation of technology and make the selection based on rationalized business requirements and priorities
- Identify sources of legacy ERM data and assess data quality health
- Develop data migration strategy
Common Pitfalls and Lessons Learned
- End goals not clear
- Narrow vision and scope with point solutions addressing current pain points only
- Technology defining business requirements rather than the other way around
- Lack of committed resources due to competing priorities
- Technology selection without careful evaluation of key business requirements
- Hidden costs of implementation
- Project governance not established
- Legacy data is scattered, disorganized, and of poor quality
During Implementation
When a GRC implementation project is underway, program leaders should try to keep everyone’s eyes on the road. Problems will arise and environmental changes are bound to happen, but an unwavering resolve to move forward with delivery is what sets successful leaders and projects apart. The mantra to instill in GRC project leaders is ‘Be agile, but stay focused on the finish line’. Do not let perfection be the enemy of good (or good enough), as there will always be a trouble log.
Considerations and Best Practices
- Plan for ongoing stakeholder engagement, communications, and expectation management during implementation
- Prepare to deal with cultural resistance and leadership changes and have contingency plans
- Ensure adequate program management is in place
- Implement and adhere to a well-defined process for dealing with (technical) change and technology challenges during implementation
- Plan for and closely monitor data mapping, transformation, quality and governance
- Perform data cleanup as appropriate, prior to migration
- Execute on plans for archival and storage of legacy ERM data that does not need to be migrated to the GRC platform
- Ensure that the infrastructure required to support technology integration remains intact and current
Common Pitfalls and Lessons Learned
- Key stakeholders not engaged in requirements identification and design vetting
- Too much complexity and scope (trying to solve everything)
- Infrequent or inadequate project communications
- Stakeholders trying to bring a lot of unnecessary legacy data onto the GRC platform
- Lack of attention to change management and how it affects your people
Post Implementation
The project doesn’t end once the technology is live. Quite the opposite, actually, as most of the long work is just beginning. Even once implemented, technology solutions (and users!) require continued attention. Now it’s time to focus on arguably the most difficult part: customer satisfaction and engagement. Stakeholder engagement remains a constant and top priority, and no concern should be dismissed or you risk failed adoption. Put simply, if it’s broken, fix it! Be prepared to market your work as well, and use the tool to tell the success story. Lastly, be sure to stay on top of tech debt and remain future-proof, but know when to move on.
Considerations and Best Practices
- Develop and resource a plan for user training and support
- Provide adequate means for reporting and usability enhancements
- Build a two-way street for feedback and continuous improvement
- Continue to monitor integration with other non-GRC systems and support from infrastructure
- Continue planning for the next phase and any application version upgrades or additional enhancements
- Ensure sufficient resources remain available for ongoing technical support
- Finally, be sure to apply the previously developed metrics to assess your ROI
Common Pitfalls and Lessons Learned
- Assuming that delivery = success
- Poor adoption: lack of buy-in, waning leadership support, training, personnel turnover
- Lack of future budget for training, maintenance, and support
- Failure to stay aware of evolving technology, new solutions and integrations
- Not keeping up with version upgrades, facing end-of-life issues
The Future of GRC Technology Looks Promising
The future of GRC technology looks promising. The market continues to mature in terms of the breadth and depth of solutions available, and many solution offerings now address newer risk management challenges such as Environmental, Social and Governance (ESG), Diversity, Equity and Inclusion (DEI), and financial crimes, beyond the traditional domains of financial, operational and cyber risk and compliance. At the same time, organizations must also improve and mature their use of the technology to fully realize the potential benefits of automation and to drive integration of risk management functions across the enterprise. The integration of traditional GRC tools with advanced data modeling and artificial intelligence (AI) capabilities has opened new vistas for further maturation of ERM functions. However, before launching into the exploration of these new capabilities, a multi-year vision and strategy must be established along with a target operating model. Implemented and managed with a well-architected strategy and plan, ERM/GRC solutions can become powerful tools for risk aggregation and integrated reporting, risk analytics, and decision support.
Meet the Authors

Soumya Chakraverty
Managing Consultant
Risk Pro Solutions
Soumya specializes in integrated risk management and GRC, encompassing enterprise, operational and technology risks and controls. He has extensive experience in banking and financial services and the public sector. He provides strategic consulting to organizational leaders to help enhance risk maturity and improve compliance. He is also a Board member of the Association for Federal ERM (AFERM). A regular public speaker, he has also published articles on GRC implementation and operational risk.

Jack Downes
COO
Elevate Government Solutions
Jack is a veteran, leader and program manager with over 27 years of experience building and leading teams from small businesses to large organizations with thousands of personnel in the execution of highly complex operations. He has personally advised senior government officials and served on a Presidential Directive Sub-committee. He has implemented numerous operational risk management and management internal control programs across a myriad of organizations and currently leads efforts to enable technology adoption in Governance, Risk and Compliance.

Kevin Schreck
CEO
Elevate Government Solutions
Kevin is a career technologist, having spent time at organizations such as Northrop Grumman and Microsoft. He has worked with both public sector and private sector clients and understands first-hand the challenges of integrating technology to solve problems. In the last few years he has set his sights on leveraging technology to build out Governance, Risk, and Compliance solutions that scale to an agency-wide level.