The requirement for integrated risk management systems has never been stronger.
Legal changes to the International Financial Reporting Standard (IFRS) 15 and Financial Reporting Council (FRC) published guidelines make risk management a mandatory process for companies. Meanwhile, the Global Data Privacy Regulation (GDPR) has the ability to levy a fine of 4% of annual turnover or up to €20m per incident.
Most organisations still focus heavily on retrospective business controls, with significant reliance on the safety net of audit-tested manual controls such as reconciling records from user-driven reports or monthly reviews of master data entries to the system.
However, there are huge efficiencies to be gained by identifying the underlying risks to the business model and deploying operational and automated system-driven controls to manage these.
Streamlining this through the use of technology makes it possible to do more with less and to increase the accuracy and transparency of information, whilst removing unnecessary and inefficient control activities from day-to-day business activity. Technology investment, along with a conscientious shift to a more risk-based rather than controls-focused culture, can have a transformational effect on the business.
Despite the obvious consequences of under-investment, it is still exceedingly difficult for risk- and controls-based projects to secure funding when an overriding objective is to avoid costs that do not directly benefit the business.
Investment boards often want to know how a project helps the company’s core business, whether that is selling more shoes, building more houses, or simply following its growth strategy. Many compliance or risk-related projects therefore get relegated to the back of the queue when capital investment is required.
An integrated risk management solution is far less likely to receive the funding when directly compared with a revolutionary new tool that speaks to the heart of the business model.
Avoiding capital expenditure
Cloud-based software has changed the fundamentals of how technology is provided. Specifically it allows organisations of all sizes to benefit from sophisticated enterprise IT without the need for an up-front purchase (capital expenditure) or a highly-skilled in-house team.
Similarly, smaller enterprises can compete on a more level playing field but avoid the skills-based constraints that accompany such initiatives.
Governance, Risk and Compliance (GRC) as a Service is a good example. It offers increased flexibility in how an enterprise manages risk and control and achieves compliance with relevant internal and external requirements. Essentially it means that an effective GRC strategy that unlocks the value of integrated risk management to the wider business can be implemented on an operational cost basis.
Operational cost focus
This is not driven by the intention to hide the costs of such an endeavour, but simply by the appetite to deliver the values proposed whilst avoiding the traditional challenges to such investment. By empowering an existing operational team to use their existing budgets more widely, the approval times for investment decisions can be shortened and the benefits realised more quickly.
This shifting of the funding goalposts opens other doors. For example, in companies where the ownership of risk management is down to several different business functions, it can be difficult to secure investment for new projects. Adopting a cloud or managed service approach paves the way for organisations to use operational budgets instead of capital expenditure for technology solutions.
As well as opening up access to the actual technology without a significant initial investment, a managed service includes the expertise to implement and manage the tools. Rather than recruit and maintain a new team, companies can rely instead on a consultancy network and its specialist knowledge to ensure they realise the full benefits of the solution.
IT options and traditional consultancy services that were previously out of reach for many enterprises start to become accessible and easy to buy. Put another way, taking a cloud-based approach has the potential to change purchasing patterns and mindsets – for the better.
The initial implementation should deliver clear benefits when deployed in the form of a managed service; these continue to be realised throughout its lifespan.
By engaging a carefully-selected partner, it can be reasonably expected that their level of expertise will be demonstrated throughout the service, thus de-risking the operation of the implementation. This expertise can be accessed as part of the operational delivery capability, thereby offering immediate access to an augmented skillset that delivers more than the internal capability or capacity could do alone.
And there are other clear advantages.
An organisation deploying software as a service does not have to undertake administration or housekeeping duties. Minor as this seems in the initial cost evaluation, the time spent on administering a system or technological solution can quickly add up to be a significant proportion of total cost of ownership; time which is not spent on the team’s core responsibilities.
Even more important is that, by effectively renting the technology, users ensure that they always have the newest release and can be best placed to take advantage of the latest and greatest features that may be available to further the transformational risk management journey.
All round risk reduction
Given the current economic climate with many external risk factors coming to the fore, it would appear that there is even more justification for many organisations to be discussing risk management at board level. The focus for implementation partners and software vendors should be on helping organisations by removing as many of the barriers for purchasing as pragmatically possible. Although there will still be an element of risk to any investment decision, adopting a cloud model may very well represent the most risk-free option.
This article is from the CBROnline archive: some formatting and images may not be present.