
Risk Management Software for the Enterprise

Proper Oversight and Enterprise visibility drive realizable ROI

Risk Management Software - Change Is the Challenge

Today, more than ever, how well you take and manage risks affects your cost of capital. Recent regulatory trends such as Basel II for financial services and Sarbanes-Oxley (SOX) 404 for publicly traded companies have heightened the importance of better Enterprise Risk Management (ERM).
 
Anyone who has tried to initiate an enterprise-wide program knows that a key reason for failure is the inability to “sell” and “manage” the necessary change across the entire organization. This paper lays out a pragmatic approach to managing change and establishing successful ERM through a series of bottom-up steps that build on existing functional capabilities. These should be seen not as replacing a top-down approach, but as acting in parallel with it, in an iterative, mutually readjusting and reinforcing manner.
 
The major investment for SOX compliance can now finally yield value far beyond an auditor’s attestation. The Internal Audit and IT departments can then integrate and build on this investment. Lastly, each Line of Business and its respective business functions also manage risk, which can be incorporated together with the others under one clear mapping. The five bottom-up steps below ensure that your ERM efforts are successful by leveraging existing strengths and gaining “ownership” from the frontline.

STEP 1
Use Your 404 Documentation to Create a Common Map

Until SOX, there was no “Rosetta Stone” to provide a common, universally applicable map of the business, in terms of organizational entities, transaction processes, systems, people, risks, and their overall relationship to financial accounts. A common map is the foundation for identifying risks in a consistent manner across the enterprise. It also ensures alignment across different regulatory environments, risk types, and process owners who may have to address them.

STEP 2
Build on Your Top-Down, Bottom-Up Risk Assessment

The new SEC guidelines and the PCAOB’s Auditing Standard No. 5 have heightened awareness of an integrated top-down and bottom-up risk assessment approach to SOX. The opportunity is to rationalize the number of key controls required and streamline their testing based on relative risk. Besides the efficiency gains this yields in compliance itself, it creates a precedent for how to define risks hierarchically and to target your efforts where they are most valuable.

STEP 3
Extend and Integrate With Internal Audit

Internal Auditors have built up a history of assessing operational, financial, and compliance risks across the enterprise for prioritizing and planning annual audits. These risks and audits share the same core elements of the map—companies, locations, and processes. Of course, the shared Audit Universe created by integrating SOX with IA will also result in greater resource efficiencies and speed.

STEP 4
Align With IT Governance Practices

Beyond the general computer and application-level controls required for SOX, IT manages multiple risks on a daily basis, and these can typically all fit into the same structure in the way the SOX IT controls already do.

STEP 5
Engage and Leverage Your Process Owners and LOBs

Initially overwhelmed by the time and learning curve required, many process owners are now far more aware of financial misstatement risks within their areas. This “culture” of managing risk locally is a valuable asset, where new types of risks can be layered onto the same risk culture and framework. When risks are tracked against a common map of the business, it is easier to establish the relationship between business performance and risk. How these risks are managed is critical to sustaining the goals in revenue growth, expense management, and long-term investment.


The Right Information Is Critical

Underlying each of these steps is the need for a single, integrated view on enterprise-wide risks that is aligned with and supports each of the functional constituencies above. Furthermore, the nature of this information requires a fairly complex structure to effectively capture the flexible hierarchies and many-to-many relationships it must convey. Such complexity is best addressed when the information source is based on business intelligence design, because if the information is correct, filtering it becomes a much more straightforward task.

Roland Mosimann, CEO and co-founder of Business Intelligence International, is an industry pioneer in helping drive initiatives around risk and Performance Management that are anchored in business intelligence design. In 2004, he drove the launch of the Aline™ Platform for On-Demand Governance, Risk, and Compliance.

He recently co-authored The Performance Manager: Proven Strategies for Turning Information into Higher Business Performance, itself a follow-up to his earlier book The Multidimensional Manager — 24 Ways to Impact Your Bottom Line in 90 Days, with more than 400,000 copies printed that remain in use by organizations worldwide today.


Audit Leverage, Inc.

 
“Our ability to use the Aline platform gives us the means to support a global client like HB Fuller, which is seeking a single, universal repository for all controls.”
 
-Michael Awad, President and Founder
 