Most ERM and GRC vendor offerings currently fail to deliver the value of applying risk management principles to business decision making. If risk management is about making better decisions, then we need to reset our perspective on what qualifies as a risk management vendor resource.
The Challenge of Embedding Risk Management in Decision Processes
Updates to the COSO ERM and ISO 31000 standards emphasize the need to address risks in the context of organizational objectives and decisions. While the talking points among risk management professionals have progressed, the practical application to business decisions throughout an enterprise is still a significant challenge. Some of the hurdles include:
- The perception of risk management as a standalone function or process.
- Building an executive-led, risk-aware organizational culture.
- The need to clarify risk management responsibilities across an enterprise.
- A market filled with risk management vendors that emphasize risk registers, insurance portfolio management, and regulatory compliance.
Risk management still suffers from the belief that it is a time-consuming add-on activity serving only as a gating control on decisions. A reeducation effort is necessary to present risk management as a decision enabler that can raise and optimize organizational value.
The Requirements for a Risk-Informed Decision-Making Process
Integrating risk management and decision making is about (1) people using (2) decision-making processes ingrained with risk management principles and (3) the best information available while leveraging (4) technology to accelerate and optimize decisions and their outcomes.
Some of the relevant risk management principles that apply include assessing and addressing the options, tradeoffs, and uncertainties associated with decisions in the pursuit of business objectives. You can find further details in this post on ten steps of an effective risk-informed decision-making process.
In this context, risk-aware decisions require a system of people, process, information, and technology resources guided by a risk management framework.
As enterprises establish this framework, they cannot build internally all the resources necessary to identify, assess, and address the range of risk sources they face over time and fully inform their decisions. External vendors can fill resource gaps, enhance decision processes, and add risk expertise.
How Vendors Can Support this Process and Fill Resource Needs
Risk registers, insurance products, and regulatory compliance solutions play a role in supporting decisions, but the practical integration of risk management and decision-making processes across an organization demands a broader spectrum of vendor capabilities beyond those of today’s ERM, GRC, or RMIS solution providers.
Consultants support organizational change, redefine roles and responsibilities, and help implement new processes. Risk experts help identify, assess, and offer advice on how to address specific risk sources and events.
A wide variety of software vendors enable technology solutions that
- manage and analyze past risk information,
- monitor and identify real-time risk conditions, and
- predict future risk events and consequences.
Advanced technology and developments in machine learning are extending predictive analytics, drawing on vast information sources, toward prescriptive analytics that recommend business decisions. This raises the demand for the large data sets needed to train deep learning models. Risk information and databases are therefore a critical component for building risk-informed decision systems.
Businesses make decisions under dynamic conditions. Changing variables may demand course corrections at any time. This means risk management in support of decisions must continually assess past, present, and future information. The great news is that the convergence of risk management concepts with information technology innovation now has the potential to significantly enhance business decision-making proficiency in dynamic business environments.
The collection of service, software, and information product vendors in today’s market presents what can be a confusing array of offerings to assess when considering risk management resource needs. Some ERM providers, like our fellow GlobalRisk Community member Steven Minsky, strive to address as much of the risk management process and system requirements as possible, but no single solution can address all the functionality and people, process, technology, and information resources needed to integrate risk management considerations with decision making.
A Taxonomy to Classify Vendors that Support Risk-Informed Decisions
Intelligent Management Trends takes a fresh look at the vendor marketplace in the context of enabling risk-informed business decision making. A newly released report, “Risk Management Resources Market Taxonomy, Trends, and Vendor Classification,” translates industry risk management standards into enterprise resource requirements and tackles the challenges of connecting these resource needs to marketplace vendors.
The report identifies the core factors, segments, and vendors that constitute the risk management market from the perspective of optimizing business decisions and offers a holistic categorization of services, software, and information resource offerings that support risk management systems.
The objectives of this research and industry taxonomy include:
- Facilitating vendor-enterprise dialogue by clarifying vendor capabilities in the context of specific risk management resource needs.
- Offering risk management service, software, and information vendors a market-wide perspective to consider their own value positioning, portfolio development, partnership, and acquisition strategies.
- Providing enterprises a classification taxonomy to help decipher how external vendor offerings can provide, supplement, or enhance their risk management system resources.
The report includes market drivers, trends, and extensive vendor examples to substantiate each market segmentation category and definition.
Receive a Free Report Copy in Exchange for Your Feedback
GlobalRisk Community members are invited to receive a complimentary copy of the IMT report, “Risk Management Resources Market Taxonomy, Trends, and Vendor Classification,” in exchange for your suggestions and feedback with points of agreement and disagreement. A limited number of free copies (15) are available, so click this link now to request your copy.
For a more detailed description of the report, including the table of contents and a list of figures, click the following link:
I invite you to connect with me in GlobalRisk Community. I have opened a discussion thread on this topic; you can leave comments below, or you can friend me in this community at John Farrell.
All feedback and advice will be graciously accepted.
Comments
Your last sentence is an arrow to my heart! Humans need freedom and empowerment to develop creative and effective business decisions. Yes, limits and controls must play a role, but I think proving the effectiveness of compliance training treating individuals as automatons just to meet some government agency's desires is taking it too far.
Personal accountability has been the missing ingredient. Just think of all of the major corporate scandals and failures over the past decade or so. I list some in the linked article. When has an individual been held accountable for their actions? Even the article you cite acknowledges Garth Peterson evaded any responsibility at Morgan Stanley.
Anyway, thank you for highlighting one of the major hurdles for leveraging risk management for better decision making I cite in the report - risk management is often equated to regulatory compliance. I prefer reading the HBR articles that address how we can improve decision-making process efficiency.
If you haven't already, I would suggest that you read the recent Harvard Bus Rev article, by Chen and Stoltes, addressing, from the DOJ sentencing guidelines perspective (those guidelines being the Big Bang of the Compliance Universe), the current FAIL state of companies proving that they have an "effective" compliance program in their efforts to avoid penalties, analogous to the calculation of the number of stones needed on one's chest to extract a witch confession. They recommend in good faith what they believe are better ways to go about measuring effectiveness, with one example focusing specifically on the need to know what employees knew before training, so you could measure how much they learned. It is not enough to just have training. Telling the DOJ what percentage of employees completed your training programs will not get even one of those stones off your chest. Surveys are suspect as well, as anyone versed in the dark magic of polling will tell you. As a consultant and free thinker, I would chant about having an ethical culture premised on shared values and shared notions of ethics and culture and integrity. That would put you on a path to a better place. But, from my GC perspective, bring on the stones for not being able to prove that you have an effective compliance program. Riddle me this: what is the standard and burden of proof of compliance system effectiveness? We have criminalized compliance, but I have never heard an answer to that question. It's one of those things that lie just over the next hilltop, or the next, or the next. We can talk risk later.
Bradford, I was not sure why you would want to "prove" employees actually understand and consider risks...until I read that your background includes roles as a Chief Legal Officer with experience in risk management from a compliance angle. GRC in practice tends to add processes and documentation requirements that overwhelm the use of risk management as a tool to optimize business decisions.
Do you believe it must be explicitly proven that individual employees truly understand and consider risks, or is it possible to embed risk management practices, risk information, and board risk guidelines in standard company decision-making processes while satisfying regulatory requirements?
It is one thing to create an environment where your employees understand and actually consider risk as part of decision making to achieve company objectives. It is quite another to create an environment where you can prove your employees understand and actually consider risk as part of decision making to achieve company objectives. If you can accomplish the latter, ... excuse me. I can't finish that sentence without gagging.