We’ve been working with the folks at GRC20/20, and in particular with Michael Rasmussen, the father of the term GRC, which he coined when he was the Lead Research Fellow at Forrester in 2003.
Together we’ve produced a paper about providing 360° contextual awareness of risk. Michael’s industry research has shown that in many organizations, risk management still takes place in silos. Distributed business units maintain their own risk data, spreadsheets, analytics, modelling, frameworks and assumptions. And while organizations are keen to improve risk management, this standalone approach for each area poses a major challenge.
When an organization runs risk in a piecemeal fashion with information held in silos, there is little collaboration, and therefore no opportunity to build intelligence as individual risks intersect and compound. This approach makes it all but impossible to connect risk management to corporate business strategy, objectives and performance.
Michael notes that managing risk effectively requires multiple inputs and methods of modelling and analysing risk. Such enterprise-wide risk intelligence is what gives a full perspective of risk and so leads to better business decisions. Mature risk management is built on an information architecture that shows the relationships between objectives, risks, controls, losses and events.
None of this is any surprise to us, but it’s very interesting to see that for many organizations, compartmentalized risk management is still the norm.
Later in the report Michael discusses how ARM has helped users move from manual processes that consumed too much risk management resource to greater risk management maturity, where they have dramatically improved the quality of their risk data and their ability to report on risk.
Michael concludes that organizations are best served by taking a collaborative approach to risk, one that allows differing projects, processes and departments to have their own view of risk that can roll up into an enterprise and/or operational view. This is achieved through a common architecture that supports the overall corporate risk objectives.
To read the report in full, register for your copy here: http://resources.activerisk.com/grc20-20-review-of-active-risk-manager