with Michael Rasmussen, internationally recognized pundit on governance, risk management, and compliance (GRC)
The following text is a summary of the second part of our podcast with Michael Rasmussen. The summary of part 1 can be found here.
The connectiveness of risks and other GRC information related to these is a significant topic for successful companies. In the case of COVID-19, a lot of managers are worried about the consequences a new or extended lockdown may bring and ask themselves the following questions:
Companies have different objectives such as department objectives, product objectives, etc. It is important to map risks to those objectives and to understand their interconnectedness. Objectives are very frequently changing in organizations. Also, even if the strategy stays the same, the way of tackling it changes. Each change of strategy has an impact on the risk portfolio. In case of COVID-19 there is a great interest in improving GRC and risk management approaches. But it’s not an open cheque. Companies must develop a strategy that defines how to make risk management more efficient, effective, and agile. Too often risk management is approached as a mandatory compliance exercise and therefore not part of the company culture itself.
Many companies start thinking about using quantitative methods, simulations, and aggregation of risks but often fear that this is too mathematical, complex, and hard to understand. There is a lot of education that must take place there. Companies need to make sure that not only the second- and third-line functions understand those quantitate methods. It is important to present it to the front lines: the operational management which owns these risks. It must understand these methods to take actions.
This can be achieved by providing the necessary information and training for employees to comprehend the underlying technology. Furthermore, it is important to anchor the organization’s risk management culture in the workforce.
In Michael Rasmussen´s opinion this change of culture starts with the awareness that risk is owned by the businesses front lines. Too often the employees’ concept is that the chief risk officer is responsible for risk, but a chief risk officer is more to be seen as a facilitator and collaborator. They have to monitor risks and detect their interconnections. This is a task that can be better accomplished using software. This mentioned culture change also needs to be achieved for quantitative methods in risk management. In a lot of companies, risk simulation is only done by the central second line function – thus people who have a thorough knowledge about statistics and mathematics.
A good communication and a step-by-step approach is important to train people of the first line regarding those quantitative methods. They need this knowledge to interpret and apply it in the context of business. Employees must understand how their role in the company has to deal with risk quantification and how to apply it to their specific business area. Quantification is something that needs good guidance. That was the reason for avedos to implement a corresponding component to the GRC software risk2value. It offers guided tours about the whole risk management- and quantification process. These tours explain what is needed methodologically and tool-wise to run through this operation.
There is a big advantage of using quantitative methods and risk simulation compared to the “compliance approach” and the simple heat-map view on risk. The last two approaches fail to put a number in value on the impact of the organization. Quantitative methods and risk simulation give a clear understanding of the financial impact that the business is going to bear with certain risks. It is important to relate risk management to performance. Managers are accountable for the figures a company produces. They are interested in how the risk they are taking impacts these.
Get informed on the facts and latest trends in GRC – and stay tuned for upcoming events, webinars, podcast episodes or trainings.