Distinguishing risk management from compliance may not seem like a critical line item on your business agenda, but doing so can make all the difference between merely avoiding risk and actually creating tangible value.
Leadership teams and risk managers who understand how compliance and risk management differ, and how to bring the two together, can make a real impact at their organizations.
How Compliance and Risk Management Align and Differ
Without a doubt, compliance and risk management are closely aligned: Compliance with established rules and regulations helps protect organizations from a variety of unique risks, while risk management helps protect organizations from risks that could lead to non-compliance—a risk, itself.
Ultimately, both compliance and risk management help organizations maintain their stability and integrity on a variety of levels. In fact, an organization can’t really have a robust risk management program without compliance and vice versa.
However, their differences are worth noting because compliance-related activities and risk management-related activities deserve unique approaches and execution tactics. Here’s how to compare compliance and risk management:
Tactical vs. Strategic: Since non-compliance can trigger expensive fines and penalties, as well as reputation damage, it should not be undervalued. Still, it requires more of a “box checking” approach—or dotting i’s and crossing t’s—in order to ensure your organization is obeying prescribed rules and regulations. Risk management, on the other hand, should depend more heavily on analysis in order to circumvent risks or determine risks worth taking.
Prescribed vs. Predictive: The prescriptive nature of compliance and predictive nature of risk management explains, in part, why the former is more tactical and the latter is more strategic. With compliance, organizations must adhere to rules and regulations already in place. Risk management, however, should be less reactive. It should be able to forecast the impact risks will have on your organization—spurring new and innovative processes (as opposed to subscribing to established rules) that minimize risks or take advantage of their upsides.
Risk Aversion vs. Value Creation: Of course compliance has upsides. However, complying with governance rules and regulations rarely translates into value-generating business propositions without the long-lens approach of risk management. Compliance usually stops with verification that a rule has been followed to avoid risks. The best risk management, though, can transform the necessary evils associated with compliance into a winning value proposition. See firsthand how Stanley Steemer transformed a compliance-driven process into a vehicle for value creation.
Siloed vs. Integrated: Compliance is often driven by a siloed compliance department or siloed initiatives in various departments. And while compliance processes certainly benefit from broad transparency, they can survive without it. Conversely, the most impactful risk management programs cannot perform in silos. Integrating departments, technology systems and processes is necessary to determine the overarching risks within an organization and how they should be handled—whether it’s to avoid their implications or drive value.
Tackle compliance and risk management with different approaches using the same technology.
Despite the differences between compliance and risk management, the right risk management technology can actually address both.
First, it can serve as a compliance management system, helping compliance managers centralize all of their information and then automate the myriad administrative tasks required to comply with everything from FCPA, ISO, IT requirements, NIST, Sarbanes-Oxley, and more. More specifically, the right risk management technology can:
Serve as a repository for all known governance (regulations, contracts, internal policies) with change tracking and monitoring
Make the connection between governance and the potentially impacted processes, places and people
Facilitate compliance attestation using interactive PDFs to minimize time and effort for self-assessment
Provide a full audit trail, including participant copies of attestations
Interface with other internal or external systems for relevant regulation updates
All of this helps to address the tactical and prescriptive nature of compliance, but the technology can do so much more. Thanks to its ability to consolidate risk and compliance information in one place, as well as produce the strongest of analytics, the right risk management technology enables strategic, predictive and integrated risk management.
The technology can surface your relevant risk information—from wherever it’s hiding in your organization—analyze it, connect it with other internal and external data, and normalize it securely in the cloud. From there, you can easily answer critical business questions—uncovering both threats and opportunities for your organizations, and allowing you to focus on areas where your attention is most needed.
Ultimately, the right risk management technology can serve the dual purposes of compliance and risk management programs because of its own dual purpose: Automating and streamlining administrative tasks, while serving as a crucial analytics tool.
Sure, compliance and risk management are different. And organizations need to be careful to not lump the two together as one initiative, with one approach. However, understanding their similarities and how to align the two is equally important—allowing you to reap the benefits from compliance and risk management being in sync.
“Enterprises need technology that makes it easier to see and mitigate the potential risks they’re facing,” said Andrea Brody, Riskonnect chief marketing officer. “We developed RKUX to deliver an easy-to-use platform that our customers can easily adopt and quickly experience enterprise-wide benefits without being mired down in technology.”
Ahead of the rollout, several Riskonnect customers tested the system, providing positive feedback throughout the beta testing process regarding the modernized look and ease of movement within the new RKUX. Some of the feedback we heard was based on how it will save time and boost productivity.
“The customer feedback during the development process allowed us to create an interface that truly reflects the wants and needs of today’s risk professionals,” said Roger Dunkin, Riskonnect co-founder and vice president, product.
RKUX is part of Riskonnect’s recent product version release, which also contains additional key functionalities such as:
Efficient navigation designed to guide the user through natural workflow
Note components and file enhancements that provide users with one-click access to outstanding tasks
Turbocharged list and report views that allow for easier data filtering and visualization
Highly functional dashboards with components spanning both columns and rows
User-focused workspaces that prioritize their most important activities
Inspired by feedback from users, new persona-specific features are tailored to diverse roles within an enterprise. The result is customized navigation styles, allowing all risk team members to work more naturally and productively within their respective environments.
The role of risk management in healthcare has come a long way over the years. But as risks to the healthcare industry multiply—both in number and costs—risk management and risk managers need to be at the forefront of the business. If not, healthcare organizations can’t thrive, or potentially even survive.
How healthcare risk management has evolved
Today’s healthcare organizations face challenges like the rapid advancement of technology, financial risk, evolving patient safety regulations, consolidation, aging facilities and infrastructures, and workforce shortages—giving risk managers at healthcare institutions just a “few” risks to address day in and day out.
This is a shift from the 1970s and 1980s, when risk managers were almost solely focused on clinical issues and minimizing damages from the abundance of medical malpractice and professional liability claims being filed during that time. Also problematic: They were essentially managing this single risk from their own isolated departments.
And while isolated and unconnected risk management practices might have allowed healthcare organizations to survive the medical malpractice and professional liability storm 30 and 40 years ago, such practices are not sustainable in today’s tumultuous healthcare environment where risks are more diverse and complex than ever before.
That’s why today’s expanded risks in healthcare require risk management departments to expand their role within an organization. But doing so requires a broader approach to risk management, like Integrated Enterprise Risk Management.
How to move risk management to the top of the agenda
Integrated ERM brings all risks from across the enterprise together to determine how they interrelate — uncovering insights that have previously been hidden within individual silos. It focuses on organizational systems and processes; tends to be proactive in nature, rather than reactive; and hinges as much on value creation as it does risk mitigation.
For starters, risk managers can complete an organization-wide risk assessment, taking into account the risk domains established by the American Society for Healthcare Risk Management (ASHRM). The risk domains include operational, human capital, technology, hazard, strategic, clinical/patient safety, legal/regulatory and financial risks.
From there, you will need to determine areas of focus that need improvement, which will necessitate access to data that can adequately highlight trouble spots or potential success stories—like declines in worker injuries or workers’ compensation costs.
That same data will be critical for getting buy-in up, down and across organizational ranks—one of the next steps in facilitating an Integrated ERM program and expanding the role of risk management at your healthcare organization.
Why risk management technology is a critical piece of the puzzle
Such data, and even collaboration among the variety of departments and stakeholders needed for effective Integrated ERM, are much easier to come by with the right tools and technology. Integrated risk management technology, in particular, can be of great assistance.
The right risk management technology can help healthcare organizations to holistically understand, manage and control risks. It will offer SaaS technology that automates processes, simplifies analysis and streamlines collaboration—facilitating true Integrated ERM in the most efficient and cost-effective way possible.
More specifically, the right risk management technology will allow for the following capabilities:
It pulls a wide range of patient safety, insurance and risk management data into a centralized and interactive system.
Data input automatically triggers real-time analysis of a wide range of patient safety-, insurance- and risk-related information, as well as workflows and activities.
It acts as both a repository for patient safety and risk-related data, and a launching pad for Integrated ERM activities.
It standardizes data from varied sources into common formats that can “talk to each other”—spurring risk management activity or analysis.
Mobile capabilities allow front lines of healthcare organizations to enter pertinent data with speed and ease.
All this will help healthcare organizations to better integrate their risks—allowing you to solve for any underlying issues causing multiple risks, as well as factor in the potential upsides of risks that could actually create value.
Last week I shared with you that our “top secret strategy” for Riskonnect’s acquisition of Marsh ClearSight focuses entirely on customer success. To drive this, we need to put our customers in a position to scale as their own organizations grow and risk increases. This means keeping everything flowing smoothly without any distractions to a customer’s service or solutions. We are fully committed to delivering a positive customer outcome.
Great, so how will Riskonnect and ClearSight products work together?
The short answer is, seamlessly and with greater visibility for organizations to perceive and manage their risks, with a focus on integration and not migration.
It all has to do with our proprietary technology and data—and how we will bring them together to link and correlate all of the risks an organization faces. It doesn’t matter which system—Riskonnect or ClearSight—an organization is using.
It is through this layer of risk correlation that we create a single, unified relationship map of all of the key data elements related to risk: employees, consumers, properties, assets, key risk indicators, policies, procedures, action plans, controls, assessments and third parties.
What is critical for customer success is to achieve resilience, control and visibility to all risks—and the new Riskonnect will deliver that and more through a focus on the customer and their need for integrated risk management technology.
We are very excited about our pending acquisition of Marsh ClearSight. Our combined capabilities will drive a fundamental shift in the risk management solution space that will greatly benefit customers. We will have:
Additional scale and resources to invest in our products
Increased expertise and experience related to implementation and advisory
A focused organization, aligned by industry, dedicated to customer success
An announcement of this scale naturally brings up lots of questions for customers. In response, it might be helpful to understand what is at the basis of Riskonnect’s strategy.
We succeed when our customers succeed.
The ultimate focus of the Riskonnect strategy is to enable customer success through:
Purposeful innovation. We design customer-first products that continuously improve the platform to unlock new value.
Empowered employees. We are committed to our team—investing in their growth, developing their skills, and instilling a common set of values that allow them to do what is right for our customers.
Focused investment. We invest in the resources, processes, and tools that will scale and grow with our customers’ needs—today and well into the future.
Customers will have a partner that can offer a wider range of solutions and opportunities to expand their resilience, control, and visibility of risk. They will be able to seamlessly navigate across their risk ecosystem and connect their risks like never before. They will have improved access to resources and expertise. And they will be able to choose what capabilities to adopt and how to integrate other solutions and providers to continue to transform the way they view and manage risk.
I suppose that our “top secret strategy” isn’t so secret—we just believe we have all the right pieces to make it work best for the customer.
It is simple…
Our customers are at the center of everything we do.
We will empower colleagues with the resources they need to best serve our customers.
We will invest in leading risk management technology solutions to deliver the ultimate customer experience.
We can’t wait to carry out this strategy with you.
In today’s media-driven, socially connected world, it’s difficult for companies to hide any mistakes at all—let alone major foibles like instances of bribery and corruption. Yet, such instances are all too common—and damaging—for a whole host of reasons.
Still, companies can more easily solidify their anti-bribery and corruption programs by deploying technology they might already be using for other purposes like risk or compliance management—helping them to overcome the many obstacles involved with maintaining such programs, while also reaping their benefits.
The ROI of being ethical, and what’s holding companies back
Avoiding corruption obviously staves off serious reputational and legal risks for your business, as well as the costs associated with those risks. But promoting your commitment to ethical and transparent practices—while avoiding any missteps—can actually be a revenue generator.
According to the Kroll and Ethisphere report, “the publicly traded companies among Ethisphere’s 2018 World’s Most Ethical CompaniesⓇ (Honorees) outperformed U.S. Large Cap Indices by 4.88 percent over the last three years, demonstrating that ethics and performance are well suited.”
However, plenty of barriers exist to maintaining a blemish-free anti-bribery and corruption program. Respondents to the Kroll and Ethisphere survey indicated the top risks to their anti-bribery and corruption programs in 2018 include:
Third-party violations (35%)
Complex global regulatory landscape (18%)
Lack of resources or proper controls (11%)
Risks related to joint venture or M&A activity (8%)
Lack of appropriate cyber security or data protection measures (8%)
Employees making improper payments (7%)
Lack of sufficient automation or monitoring tools (7%)
Lack of support for the compliance program from internal leadership (5%)
These challenges can make it exceedingly difficult to maintain a consistent position of integrity, even when anti-bribery and corruption programs are a top priority for businesses. That’s because so much effort must go into addressing each one of these challenges—particularly managing third parties.
Why third-parties are a major area of concern
Managing anti-bribery and corruption programs when you work with third-party vendors can be especially difficult because organizations not only must worry about their internal programs and policies, but their vendors’ ethical practices as well.
Considering 45 percent of survey respondents said they work with at least 1,000 third parties per year, that’s a lot of I’s to dot and T’s to cross when it comes to making sure everyone is operating with integrity. In fact, 58 percent of companies said after conducting due diligence on occasion, they had at least once identified legal, ethical or compliance issues with a third party.
Companies reported they discovered such instances via the following methods:
Ongoing monitoring (50%)
Ad hoc due diligence (34%)
Third-party disclosure (31%)
Audit of a third party (28%)
Regulatory enforcement (20%)
This means not only do companies have to build anti-bribery and corruption programs that take into account everything from third parties and regulatory issues to cyber security and mergers and acquisition risks, they must also come up with methods to ensure related policies and procedures are being followed. And while it may sound daunting, the right risk management technology can help.
How risk management technology can help anti-bribery and corruption programs succeed
When it comes to third-party anti-bribery and corruption challenges, in particular, the right risk management technology can:
Simplify the vendor risk assessment process: More easily collect any relevant information about vendors through an online portal, where all data can be submitted and reviewed in one place—making it easier to identify key supply chain or vendor risks.
Automate vendor-specific communications or alerts: Receive automatic notifications if vendors might be impacted by an adverse event or if they are the subject of a controversial occurrence, allowing for early intervention to head off any potential disruptions to their business or yours.
Aggregate risk data from across the organization: Gather vendor data in the same place as all other risk data to help support the necessary audit process, and make it more effective and efficient.
As such, developing, implementing and maintaining an effective and resilient anti-bribery and corruption program can actually be seamless. Plus, if you’ve already invested in the right risk management technology or are considering such an investment, you need not go in search of a one-off solution that can help with your ethics initiatives.
In conclusion, one of the best ways to protect your organization from reputational, legal and financial damage is to focus on anti-bribery and corruption efforts, according to the Kroll and Ethisphere report.
Riskonnect has been shortlisted for the category of Best Use of Technology in Risk Management – Partnership at the CIR Risk Management Awards. This nomination recognises the work that we have done with Vodafone in EMEA.
Now in their 9th year, the Risk Management Awards recognise those individuals, organisations and teams that have significantly added to the understanding and practice of risk management. Judged by an independent panel of experts for exceptional performance, the awards provide an opportunity for organisations and individuals to showcase their best products, projects and people.
The judges look for an organisation to proactively use technology for delivering recognisable benefits in the management of risk, and its successful implementation.
“We are delighted to be shortlisted as a finalist with our client Vodafone, it is a great honour to be considered for these awards. The award recognises technological solutions and partnership, which are both core to our business philosophy.” Mark Holt, Sales Director, EMEA | Riskonnect
CIR will announce the winners at an awards ceremony on November 8, at The De Vere Grand Connaught Rooms London.
Michelle Middendorf, workers’ compensation manager at Stanley Steemer, shares how reining in their vendor management process led to dramatic improvements and ultimately allowed the company to expand their commercial revenue with more value-added services.
When Stanley Steemer set out to automate the more basic process of managing certificates of insurance for our 200 franchisees and their vendors, we never anticipated we would be able to rein in our entire vendor management process. But, we did, and it was transformative for the entire company.
Maintaining up-to-date certificates of insurance from third-party vendors can be a real challenge for organizations–ripe with opportunities for error, legal implications in the event of a lawsuit and inefficiencies that can hamstring an organization from growing its business.
That might sound like a lot of weight put on a task seemingly as simple as collecting insurance documents, but if you depend on a multitude of third-party vendors and you’re manually collecting information–relying on one-off communications, calendar reminders or in the worst-case scenario, an inquiry from legal to check a certificate’s status–you know the struggle is real.
Automation is Key
This was previously the case for my organization. With more than 200 franchisees and their own multitude of vendors, we were drowning in the process of collecting new certificates, renewing current certificates and following up on expired certificates–all of which were on separate schedules with different stakeholders using various communication methods.
A tremendous amount of time and resources were poured into manually updating and maintaining those records. Despite our efforts, the process was still riddled with non-compliance. In fact, we feared only 30 to 40 percent of our franchisees’ certificates were compliant–putting our organization and franchisees at risk in the event of any legal recourse.
Such risk is what drove us to automate the certificate management process–a decision that has led to dramatic improvements in compliance rates. About 96 percent of our franchisees’ certificates are now compliant, and the data collected from our electronic process has also given us clear direction on how to improve the other 4 percent that is possibly not compliant.
To do this we had to break away from our internal legacy system. We elected to invest in a risk management information system that could help manage certificates, but quickly learned it could also manage our overall vendor agreements. The results have been transformative–simplifying the process so much that we were able to increase our capacity to enlist more vendors.
Seeing the Results
Automating how we manage vendors end-to-end — including how we manage certificates of insurance — didn’t just streamline processes for our business and make life easier for our associates and vendors. It had both revenue-generating and cost-saving impacts that have translated into a real return on investment.
Partnering with Riskonnect has allowed us to:
Expand Our Revenue Stream: We have shifted from primarily focusing on residential business to more aggressively pursuing commercial lines of business — a priority that had been cumbersome, but is now streamlined because we have adequate resources to appropriately manage our vendors. With more vendors in tow — and the confidence that they’re of the highest quality and compliant — we can provide more commercial offerings. In fact, one of our commercial lines of business grew from $3.5 million in revenue to $10 million in revenue.
Maintain Our Headcount: Despite vastly improving our vendor and certificate management processes; drastically increasing our percentage of compliant vendors; and expanding our revenue stream, we haven’t had to increase headcount. Instead, risk technology has allowed us to continue to offer the great service customers expect; offer new services that commercial clients desire; and improve our associates’ workloads.
Reduce Outsourced Services: Not only have we maintained a steady headcount, but we’ve actually been able to reduce our reliance on external partners — like brokers and third party administrators — for services we can now do in house. Formerly, our broker handled certificate management for us, which can be costly. Now that we have our own tool, we were able to eliminate that ongoing expense and the savings have been tremendous.
Results like these are important for so many reasons. Increased revenue and reduced costs are good for any business, but even beyond that, such results help to expand the role and relevance of the risk management department. This is key to reducing risk across the enterprise.
I don’t think we would have been able to achieve these results without the right technology to cut across departments and bring together all areas of risk effectively and efficiently. Using integrated risk management technology has allowed us to reduce costs and enable insights that were previously unobtainable.
Riskonnect has been touting the advantages of the pending acquisition of Marsh ClearSight—like more solution choices, deeper industry expertise, and an expanded team of knowledgeable resources.
But what do customers really think?
I’ve had a chance to speak directly with many customers since the announcement. So to answer that question, I’ll share some of my personal experiences with customers and what they have had to say. This includes face-to-face conversations, web meetings, and social-media exchanges.
I have gone through many mergers and acquisitions throughout my career and have seen the full range of customer responses—but never this…
Here’s what customers have said:
About the complementary nature of the combination …
“We are excited, particularly with the potential to now expand our implementation more deeply into claims administration.”
“We selected ClearSight in our evaluation process, but really liked Riskonnect’s flexibility and additional modules. I hope you can bring these strengths together.”
About the people …
“I really enjoy working with my client service team. They are an awesome group of people. I’m looking forward to meeting you and your team one day soon as well.”
Actions speak louder than words.
Since the announcement on July 18, 2018, customers have expanded their relationship with Riskonnect at a 25% higher rate than in the same period the prior year. And we have a 100% renewal rate.
What was I most surprised about?
What I didn’t expect to hear was how excited both Riskonnect and ClearSight customers are about the expanded capabilities.
Over and over I heard: “I just selected <insert Riskonnect or ClearSight here>” and “I’m excited to learn more about the new capabilities <insert Riskonnect or ClearSight here> brings to the table!”
I was surprised by how little time we need to spend explaining the benefits of the combined organization. Customers already get it. Customers continue to voice strong support for the provider with which they originally chose to partner, yet remain open for new opportunities.
Not only was this a surprise, but the openness further validates our go-forward strategy.
What are we doing about it?
Customers trust us for a reason, and we will continue to earn that trust into the future, whether you are a Riskonnect or ClearSight customer. Here’s how:
– We will continue to support and enhance the systems currently in use.
– There will be no requirement to migrate.
– Customers will continue to enjoy the same service and support.
– We will help customers access the expanded capabilities of the combined organization.
Thank you to everyone that has reached out and shared their thoughts. Keep it coming!
That’s why it’s important to weigh the pros and cons of forming and maintaining a dedicated risk committee, and to understand the tools that can better support your organization’s risk management efforts regardless of your approach.
Why the struggle?
Why would any organization take more than a millisecond to determine if it needed a committee to oversee risk? After all, such a committee could protect the organization from harm, as well as recognize the potential upsides of risk—thereby creating value.
Of course, nothing is that simple. Forming and maintaining a risk committee that is truly beneficial can be complicated. Challenges include:
Committee composition: Risk is best managed when analyzed from every angle, rather than in a vacuum. As such, a risk committee should be composed of members with expertise across a multitude of areas. This can be difficult, however, if the makeup of your board is not already diverse, or if those board members with diverse backgrounds are strapped for time because they are currently serving on other committees. Regardless of backgrounds, though, overburdened board members with limited availability are another hurdle organizations must overcome when establishing any new committee, including one dedicated to risk.
Committee scope: The purpose and responsibilities of a board-level risk committee should be clearly defined so members have an understanding of any specific risks that need to be overseen, and how they must integrate with other committees to capture a complete picture of risk. This helps prevent duplicative work, and protects against risks slipping through the cracks. Risk parameters must also be clearly defined for the committee so it can discern risks within and outside the organization’s appetite for risk. All of this can be a challenge, though, if committee overlap, politics or hampered communications limit the risk committee’s performance.
Reporting and communications: Speaking of communications, solid processes and procedures must exist to facilitate communication and effective reporting. This means the risk committee must be able to access and easily share relevant and timely data that helps the organization to foresee and act upon risks. Otherwise, it will not be able to easily integrate with other committees, or grasp the full range of risks affecting the organization. However, efficiently and effectively communicating and reporting is no small feat if a risk committee lacks the structure and tools needed to assist with these tasks.
Such challenges can impede a risk committee from achieving its ultimate goal of risk oversight and being able to identify interconnected, emerging, or forgotten risks, as well as identify risks worth taking. Still, plenty of organizations have formed risk committees with great success. So how do you know if a risk committee is for you?
Is a risk committee for you? Here’s how you know.
Unfortunately, determining whether an organization needs to establish a board-level risk committee does not usually hinge on a finite set of yes and no criteria. The two simplest determining factors are:
Are you subject to regulatory requirements that necessitate a dedicated risk committee? If yes, form a committee.
Based on your definition of success, is your organization successfully managing risk without a risk committee? If yes, don’t form a committee.
Beyond that, organizations on the fence about starting a dedicated risk committee should base their decision on:
– The level to which risk management is a priority
– Whether enough time is being spent on risk management based on its priority ranking
– Whether board members have the resources—in terms of time, tools and support—to be on a dedicated risk committee
– Whether a culture of collaboration among all board committees exists so the risk committee can succeed
If your analysis seems to indicate your organization should avoid establishing a dedicated board-level risk committee, that doesn’t mean you have to merely roll the dice when it comes to risk management. Other effective ways to focus your board’s attention on risk include:
– Divide risk among separate committees, but have them come together occasionally to discuss how risks interconnect.
– Fold risk management into one other committee, like the audit or finance committee, but set parameters to ensure risk is discussed through a broader lens than finance or audit issues.
– Make sure integrated risk management is a topic discussed at multiple board meetings in a thoughtful and in-depth manner, as opposed to a two-minute line item to merely check a box.
– Improve risk management reporting efforts so the board has better and more understandable data at their fingertips, which they can quickly process to make more informed decisions.
Regardless of the route your organization takes when it comes to board-level risk oversight, the right tools and technology are critical to having an impact.
How Risk Management Technology Can Help
The right risk management technology, first and foremost, brings together all areas of risk effectively and efficiently, enabling insights that have previously been unobtainable. So whether you have a dedicated risk committee or multiple committees sharing risk oversight, all stakeholders have access to necessary, real-time risk management data.
This protects against a broad range of risks being overlooked because of the challenges previously mentioned, such as when a dedicated risk committee lacks members with diverse backgrounds, when risk is rolled into an already established committee like audit or finance, or when risk is spread out across various committees, making it a challenge to track who is watching what.
The right risk management technology can also serve as a regulatory and compliance management system, as well as an audit management system. It will automate and streamline the many activities related to managing these areas, along with traditional risk management.
All of this lessens the burden on board-level committee members. They will have more time either to jump on that new risk committee that they previously didn’t have enough bandwidth for or, if they serve on a multi-purpose committee like risk and audit management, to focus on strategic risks rather than get bogged down with audit work alone.
Finally, the right risk management technology will offer self-service analytics and make reporting seamless and more effective. Reports and dashboards can easily be configured to measure risk and visually demonstrate where your organization stands in relation to its pre-determined thresholds, KPIs and KRIs. Further, the system can automatically notify stakeholders in real time when thresholds are met or are at risk of being met.
As a result, reporting takes less time for your already time-crunched board members, whether they sit on a dedicated risk committee or on other committees where risk management is partially their responsibility. It also opens the lines of communication among all committees as everyone has access to the same real-time, easy-to-understand information.
This way, getting up to date doesn’t hinge on an overworked committee getting a report out to the right people at the right time, but instead hinges on technology that automatically informs stakeholders that something needs to change if the organization wishes to continue to achieve its objectives.
Determining whether your organization would benefit from a dedicated risk committee is a big decision that requires a lot of thought and work to execute properly. But no matter your organization’s approach, be equally thoughtful about the technology and tools in which you invest to manage risk, as well as related areas like compliance, audit, safety and vendor management. They can have just as much or more impact on your program than committee structure.