I think back to a handful of audits over my career as an internal auditor where the people performing the function we audited just seemed to get it right. They knew how to run their business, but they were also managing their risks well, they had good controls in place, and there were very few, insignificant findings. Ahhh, what a dream. However, the vast majority of the audits were a different story. The thought I had over and over again was, “I just wish these people would think through their risks and their potential impacts, and consistently implement the right controls" (versus what they thought the auditors would want). Their issues were lack of understanding, incentive and ownership. In my first example, ownership existed. In the second, ownership over risks and controls was lacking.
In all fairness, these poor folks were stretched about as far as they could be just running their business, let alone performing risk management. Fast forward to today’s world where risk management is expected at all levels of the business - and not just because it’s good practice, but because everyone expects it, from regulators to customers to boards of directors, and more. The good news is more companies are starting to recognize this and do something about it. I’m not just talking about industries where risk management has been standard practice for years, but most industries are seeing significant advances in maturity. This is where the auditors can begin to breathe a little easier (just a little) for two reasons. One, the 2nd Line of Defense (LOD) groups, such as Operational Risk Management (ORM) and Compliance, are getting their act together in terms of their approaches, capabilities and people, insomuch that Internal Audit (IA) can rely on their work more than ever before. However, the second reason is more significant and points to the title of this blog - everyone is starting to own risk.
Do we have a long way to go before everyone actually owns risk at their level in their organization? Of course, but it’s starting to take place and I’ll give you some reasons why. Certain industries like financial services, utilities and transportation, out of necessity have had risk management in place for many years and have matured ahead of the curve; for example, insurance practices have incorporated risk management into their standard operating procedures and how they make money from their inception, so the concept is more fully integrated. Next, risk standards like ISO 31000 and COSO have long expounded the reasons and benefits of managing risk and those companies following the standards have moved forward at a faster pace in their risk management capabilities. Further, as regulatory bodies and their standards across most industries and geographies have advanced, they almost all include requirements for risk management practices. Finally, and more personally, consequences on customers and even company executives of not having effective risk management programs in place have all but brought some well-known companies to their knees lately.
As risk experts at RSA Archer, we work with hundreds of companies to help them manage their risks and implement controls, and even though we have a long way to go, I see a collective improvement - I’ll call it the “rising tide effect”. Ever heard the analogy that a rising tide lifts all ships? I used it in a prior blog but I love it and it’s applicable here because it’s happening in risk management, and helping more people in more companies at all levels understand, take ownership and do something more about their risks than ever before. Because of the reasons I stated earlier and many more, this rising tide of risk management is helping us all to be better managers of risk.
Another factor I’ll mention is technological advances. Risk systems have improved over the years as Governance, Risk and Compliance (GRC) technologies have become more and more engrained into companies, helping the tide rise even more. In fact, I’ll say the tide is turning because Archer is helping companies not only reduce bad risks but take advantage of positive risks to gain competitive advantage. We believe that the ability to harness risk and transform compliance is an untapped source of competitive advantage to fuel the enterprise. That’s why we’re so excited to announce the recent launch of RSA Archer GRC 6. With new features to bring technology and business processes together we’re better able to help everyone own risk within their organization. Two fundamental improvements we think will help raise all ships which include:
There is lots more to this launch, so check out our Virtual Launch event to hear more about RSA Archer 6.
I want to mention the effects all of this rising tide of risk management has on our audit friends. IA has been extolling the virtues of risk management for years through the recommendations they make to companies in implementing controls and better understanding their risks and exposures. The fact that we see more companies and individuals within them understanding and owning risks is a fundamental and welcome shift. The goal of every internal auditor I’ve ever met has been for “the business” to own their risks and controls, like my example at the beginning. The fact that this tide is definitely rising isn’t lost on this former internal auditor and I can’t wait to see where it goes next!
If you have additional thoughts, views or examples, email me at patrick.potter@rsa.com or tweet me at @pnpotter1017.