In one of our latest interviews, we were joined by Will Anderson, the CEO of Resolver.inc. Resolver provides integrated risk management software for mid- to large-sized organizations, empowering businesses to move faster. Its solutions cover risk management, corporate security, business resilience, and IT risk. Over 1,000 organizations worldwide depend on Resolver’s security, risk and compliance software. That’s about 1,000,000 people using Resolver each day. With their prominence in the field, they have taken on the role of transforming risk management into risk intelligence, in order to bring more insight to the executive table and support a better decision-making process. We're happy to present a few key points from this interview.
What is No Code Risk Management?
Bringing more insight to the executive requires us to get it from the first line, which is not always easy. Historically, any sort of assessment, whether a risk assessment, a control assessment or questions about compliance, landed on someone's desk as an Excel form or in large enterprise software that is hard to use. To get good-quality, accurate data, we have to be able to engage that front line with something that looks more like a consumer app. So the way to go is to build software on a so-called no-code platform rather than hard-coding it, which allows us to tailor the platform to the exact needs of that customer. However, customized solutions can become expensive and inefficient with each change they may require in the future. With customer-centered companies like Resolver, this becomes avoidable: with administrator training and easy configuration options, you won't need to go to the developer each time for tweaks. This allows users to connect a risk to the things that they care about, whether that be a process, an objective, a decision or a project, in an agile manner.
Major Trends In the Risk Management Discipline during the Pandemic
Just like in many other fields, the biggest question and challenge here is: how do we prevent it from happening next time? And secondly, how can we make sure the sessions and training are fully online and efficient?
Europe is much more mature than North America on the concept of continuous assessment without being in person. There is more interest in such business continuity, although this may not be permanent, as interest has scaled down the further we have gone toward returning to a normal state. Europe is also driving a lot in terms of incident management, as there are more serious requirements in Canada and in the EU. That’s probably the bigger driver we’ve seen in the last three to six months.
On top of these, there's also a trend toward more integration. Accordingly, you should be auditing the controls you say are strong for areas that you say are high risk. There is a lot of integration, especially on the European side, and cyber security is also commonly discussed. For a tech company, this is especially crucial, and their most important risk revolves around cyber security. Any big breach could mean the shutdown of operations. In other organizations, of course, this is one of many risks, and it's important for both companies and decision-making organisations to give equal focus to topics such as regulatory risk or safety risk, especially when moving on to future challenges from the pandemic. It is important not to over-focus on one trend, as we might lose sight of something that’s equally big but doesn’t have today's attention.
What Role Does Technology Play in Risk Management?
There are a lot of new emerging technologies, such as artificial intelligence and machine learning, and they have been talked about by everyone in every industry. The question is whether they are really going to be implemented or not. Most likely, but it doesn't come without its risks. For example, in terms of it being deployed in GRC, we have deployed it more on the incident side because we get narrative complaints. What ends up happening is that it’s a block of text and you can search it, but sometimes you want to connect data points together. So for a proper AI implementation, it is important to be able to go through a block of text, identify people, organizations, dates, times, places, that sort of thing, and turn them into usable tags, so that if an organization shows up multiple times in a compliance violation, that will be picked up. If it’s just a narrative, it’s not.
Thoughts on Objective Centric Risk Management
There’s no sense in assessing a risk against something that doesn’t matter, and what matters are ultimately the objectives of the corporation. And if you want to be relevant at the executive level, you have to speak in the terms they're used to. However, it is important to differentiate what exactly you mean by risk management, as it can range from operational risk to enterprise risk management. Oftentimes risk management is also used to mean ERM, or enterprise risk management; however, there is a bit of a difference. It’s not about assessing risk just to assess risk; that is like a box-checking exercise, and it’s not going to be valuable.
According to Will, when you speak to you definitely do need to tie to objective. However, he adds that there’s some place where we go too far. And that is, on the expert level, the idea of modeling everything. You need the flexibility of a purpose-built modeling solution. And I think if you get really tied down that everything must be quantified and everything must be modeled, you’re going to miss some nuances that you can’t model. Regardless, quantification is still quite important, and this does not mean you should not quantify. What it means is to remember that there are a lot of things in this world that you can’t model. And if you focus only on modeling, you’re going to miss some qualitative things that are important.
The first takeaway is consumerization and focusing on your first line. If you are not getting good data, there’s no sense in focusing on reporting and all of the other stuff. If your data is no good or you’re getting it a month behind, you’re in trouble. COVID is a great example, considering that no one had a pandemic on their January 2020 risk plan. And if you were doing a quarterly, you’d come back in April and the world is upside down. This is an extreme example, but those kinds of high-velocity risks happen all the time. So it is important to be very focused on the front line and to get integrated with them to make it easy for them.
The second takeaway is integration. We are seeing more and more of that now, but buying siloed systems for SOX, ERM, compliance and IT risk does not make much sense. They may have more bells and whistles, but you’ll gain more by asking the assessment once instead of asking people the same thing in different systems or trying to stitch them together.
For now, this sums up the key points of our interview. As the Global Risk Community team, we once again thank Will Anderson for his insight on risk intelligence and providing a solution with Resolver. More information about this topic is available in our interview, which is accessible here: