New ways of managing risk across the ‘three lines of defense’ will help organizations deal with the unexpected in 2017 and beyond.
Regulation and the probability of a high-impact event causing reputational damage are quite likely to keep many business leaders awake at night.
These threats have grown over the past decade, and yet some organizations continue to operate without a considered approach to risk management.
Others have relied on software solutions to develop a fixed framework that considers each risk or regulation in isolation.
Developing, maintaining and monitoring a risk mitigation plan — picking off the risks one-by-one — is easy enough to do but can be of limited effectiveness.
Gaps and overlaps
The reality is that the risks posed by our constantly evolving world cannot be well managed by risk frameworks and technology platforms that are overly rigid and organize risks in silos.
Events, business models, and regulations are just three big moving parts that business leaders have to contend with.
The complexity that these changes create means fixed risk frameworks — and the software solutions that inspired them — eventually fall apart.
Such fixed frameworks and their procedures leave gaps and overlaps.
They generate vast amounts of information from which it is difficult to derive a single view of risk and to determine: “Are we actually in control?” and “What do we need to be worrying about today?”
So if technology has led us to the challenges we face today in managing risk across the three lines of defense, what should we do differently in 2017 and over the next 10 years?
- The first thing that will change is that solutions must be scalable. Often solutions developed from the “ground up” for managing the three lines of defense worked well for simpler organizations and times, but struggled under the weight of the increasing volume and complexity of data many organizations now face.
- The next change is to the idea that all three lines of defense must sit within the same “tool” and that they should adopt the same framework — an ask that has proved impossible to achieve in most organizations.
- Another focus for change is the way the three lines of defense use automation. Sometimes it failed because the first line of defense refused to engage — for example, by not completing assessments properly because they “don’t like” them. In other places, automation broke down under the pressure of relentless change — internal, external, and across the compliance, risk and audit teams.
Clearly, the complexity and volume of data associated with three lines of defense exercises have been underestimated.
The notion of organizations creating common data standards as a way to consolidate this data is unrealistic. Any new, technology-based approach to the three lines of defense must have a different way of managing information at its core.
This requires solutions that can manage unstructured data — from both inside and outside the organization — and bring this data into the three lines of defense in a way that helps all stakeholders make risk-aware decisions. Previous-generation technologies required that all data be standardized, which is a wholly unrealistic expectation given the diversity of risk themes that a solution must address.
Artificial intelligence may play a role in supporting these activities as this vision evolves.
Understanding the risks
We have invested in technology that was originally designed to manage complex and unstructured data. This was then developed into a solution to manage information flows across the three lines of defense in some very large organizations.
Our goal is to help our clients better understand the risks — and decisions — they are facing by:
- Enabling them to derive the intelligence they need from the unstructured data outside their organization.
- Empowering them to better navigate through the unstructured data created within their organization.
- Working with them to bring together this external and internal unstructured data to better understand the risks organizations face and the decisions they have to make.
In 2017, we will be offering both out-of-the-box solutions as well as a toolkit that enables clients to tailor the solution to their individual businesses.
This should be crucial for creating true risk insight within your organization.
We provide risk management solutions to help you stay informed of the latest regulatory updates, educate employees on the laws and regulations that affect their daily responsibilities and manage your exposure to third-party risk and conflicts of interest.
To learn more about how we can help keep your organization compliant in today’s regulatory environment, please visit Regulatory Intelligence, Regulatory Change Management, Compliance Learning, Third Party Risk, Internal Audit and Conflicts Compliance.