A Journey to Automating Risk Management

Recently we have had numerous conversations with companies, large and small, regarding automating their risk management functions. While the function of risk management hasn’t changed, with Covid, most companies have had to furlough or let go resources just to survive. Businesses have rapidly come to realize that it’s time to use automation for this important function.

Excel spreadsheets, share point and Word are cumbersome, people intensive and prone to error. With limited resource availability, process knowledge and subject matter expertise is either on furlough or in the worst case let go. Such occurrences have become more frequent now and lead to discussions about using automation and a system that can help streamline processes and leverage programmed logic from risk management systems to enhance the risk management function.

The conversations normally start with identifying whether the current processes of Governance, Risk and Compliance (GRC) are documented. Experience has shown that most companies do not have readily available documentation that is up to date. While this is a risk (pun intended) in itself, it is also an opportunity to review and enhance the process and document it as you develop a roadmap. Rome wasn’t built in a day and neither will an automated and integrated risk management process. It is a journey and at various stops along this journey we take stock of how much we have evolved and if we are on the right road. One of the best tools in risk management is the white board. Getting process stakeholders and subject matter experts to brainstorm and visually see ways to enhance processes helps to implement good change. In the Covid era, using web-conferencing tools with whiteboard functionality provides the next best option.

Once you have identified the process, the next step is to identify the roles people will play so that workflows can be implemented. This is where identifying informational workflows, for example, where does data from Point A go for X part of the process to work or, what data should be seen by which roles and so on is mapped out. Having a data classification policy helps tremendously in understanding the sensitivity of the data and who is responsible for the data.

Finally, look at the technology to make sure that it can integrate with the automated risk management system. Most systems today offer open (application program interface) APIs which allow good risk management systems to interface through. Not all risk management systems are created equal so evaluate these thoroughly.

We haven’t talked about the issue that most senior management care about first, Budgets! A good GRC solution should not only provide great functionality that reduces the manual work of risk management through automation, but it must be done at a fair price. Evaluate the solution from various factors in order to calculate the ROI. Critical factors to consider are how long does it take to implement the system; does it requires additional in-house support team to arrive a comprehensive cost. HINT: If the a solution that is consulting heavy and requires an in-house support team – you have the wrong risk management tool!

To learn more, request a demo, discuss a free trial proof of value or simply start a conversation drop an email to contact@maclear-grc.com.