By now, you likely are aware that policyIQ is a flexible GRC platform that can be easily configured and customized into various GRC and other solutions. One of policyIQ’s strengths is the ability to tailor security at a broad and granular level allowing organizations to implement policyIQ in many areas without stepping on each other’s toes, so to speak. Because of this security capability, with our user-based pricing (rather than the common software model of pushing multiple products or add-on modules), our clients have long been able to leverage policyIQ throughout the organization for multiple initiatives at a reasonable cost.
The latest release of policyIQ includes features that support robust enterprise-wide applications of policyIQ for a range of initiatives. In the past, users in different areas of the organization would create a folder, manual, dropdown or multi-select list to track different critical pieces of information pertinent for their documentation. And while this setup could have been perfect for the audit team’s testing documentation, the same location list, for example, would have to be recreated by the technical accountants performing ASC 606 contract reviews. That was then. Clients leveraging policyIQ’s version 7.8 are able to create and manage Global Lists that can be shared across the organization. If your list of Field Offices is leveraged in various types of content throughout the organization, it can now be centrally maintained and updated rather than having to be updated in several department-specific templates.
Similarly, clients historically had to create independent dropdown fields to track people or responsibilities in their content (e.g., Control Owners, testers, contract reviewers). Now, the lists of users created under Groups and Users and established as part of user profiles can be leveraged as fields within templates. Once and done.
Here are more examples of where this might be pertinent to you. If you have fields or folders tracking these things and would like to save time and sanity managing them, we recommend looking into the new shared fields (Global Lists, Users Lists):
- Revenue Stream
- Process Area
- Business Unit
- Control Owners
- Significant Accounts
- System Applications
- Relevant Compliance Area
- Prepared By
Of course, reach out to us if you have questions on how to make the adjustments to your policyIQ site.
We want to thank everyone who joined us this week for our latest training session, Enterprise Risk Management in policyIQ. In this 60-minute webinar, we highlighted how to apply the policyIQ technology to your ERM program.
ERM – A Six Phase Approach
RGP’s Governance, Risk and Compliance practice has developed a six-phase approach based on years of working with companies around the world to implement effective Enterprise Risk Management. In policyIQ, we use the same six phases to organize and structure ERM.
Use policyIQ Technology to add Efficiency Every Step of the Way
In this training session, we covered ways that clients use policyIQ within each phase of the ERM process. For more information, reach out and schedule some time to talk about your ERM needs!
Preparation: Corporate Goals & Objectives and Cultural Evaluation
ERM should be implemented to support corporate goals and objectives, so ensure that you have those goals clearly documented and made available to all employees. Remember – policyIQ provides free read-only access, allowing you to easily make that information available to all at no additional cost!
And if you aren’t certain whether your organization is ready for ERM, use policyIQ to survey your employees and better understand the current risk environment. Perhaps you’ll find that most employees are risk averse, while you may later find that your corporate goals require an aggressive risk approach. Knowing that there is a disconnect allows your team to provide additional training, tailored mentoring or even to think about some new hires in key positions.
Phase 1: Risk Inventory
Before you can start prioritizing your risk, you need to really understand all of the risks that impact your business. We discussed two possible approaches:
a. Use a standard list of risks and ask employees to tell you if the risks apply
b. Start with a blank slate and ask employees to think of all of the risks that keep them up at night.
In either case, policyIQ aggregates all of the responses, including aggregating the contents of Excel files that might be sent out to capture risks in that “blank slate” approach. And remember – don’t just survey your executives and senior management! Employees at all levels of the organization will provide different insight into risk, and asking a cross-section of individuals will help to identify risks that you may otherwise not be aware of.
Phase 2: Consistent and Specific Risk Measures
When prioritizing risks, be sure that the measurements used are specific and consistently applied. Defined ranges of dollar amounts, for example, can be used to rate the impact of a risk so that everyone scores impact on the same scale.
Phases 3 & 4: Clear Risk Appetite Statement and measurable Risk Tolerance
Effective ERM requires a clearly articulated Risk Appetite Statement, describing the amount of risk and kinds of risks that the company is willing to accept. Are you risk averse? Risk aggressive? Do you accept some risks, but have zero tolerance for others?
High level Risk Appetite Statements can then be broken down into specific and measurable Risk Tolerance statements. Risk Tolerance is something that can be measured, tested and adjusted for a certain type of risk.
Phase 5: Reviewing Risk KPIs / Auditing Risk Tolerance
Regularly review actual performance against those Risk Tolerance measures. Document your audit results in policyIQ, remembering to include the data that was tested as attachments to your test results.
Phase 6: Incorporate ERM into the rest of your business
Finally, it is critical that your ERM program doesn’t exist in a silo. Risk management is happening all around your business, and the results are feeding your ERM program. Link those lower level process risks and mitigation procedures to your ERM program, giving full visibility into all levels of risk management.
We are looking forward to working with many of you to implement Enterprise Risk Management into policyIQ! Contact us to schedule a meeting – no cost and no obligation – so that we can discuss the specific aspects of your ERM program that can be improved through technology.
If you haven’t explored how you can use policyIQ to implement or enhance your Enterprise Risk Management (ERM) program, we need to talk! policyIQ’s Governance, Risk and Compliance (GRC) platform provides the flexible infrastructure that you need to…
- conduct risk surveys and assessments,
- document your risk tolerance and metrics,
- capture activities that take advantage of risk opportunities or that mitigate excessive risk, and
- take action on organizational issues.
RGP’s Enterprise Risk Management Expertise!
RGP’s GRC practice works with companies around the world to implement ERM programs, in some cases starting with a complete cultural survey to better understand the real appetite (or perception of appetite) for risk across the organization. RGP recently presented a webinar, “Enterprise Risk Management: Are you optimizing your ERM program?” The webinar drew hundreds of attendees from companies around the world, eager to learn how they could improve their ERM program and confidently answer that question with a solid “YES!”
Alongside GRC Practice Leader Les Sussman, risk management expert and Washington DC office Managing Director, Eric Gerner, provided an overview of a successful, efficient and sustainable ERM process – as well as practical keys to ERM success.
Sustainable ERM Process
In that webinar, Mr. Sussman and Mr. Gerner walked through a six-phase ERM cycle that provides a sustainable framework in which a company can identify, prioritize, implement and monitor ERM activities.
We have integrated the use of policyIQ into these six phases, ensuring that ERM practices are efficient every step of the way!
Are you working on Enterprise Risk Management initiatives? Contact us and let’s talk about how RGP and policyIQ can help you to be more efficient, provide visibility into enterprise risk and risk appetite throughout the company, and create an on-going, sustainable ERM process.
Our firm, RGP (Resources Global Professionals), has been on the road presenting in cities around the country on the “Keys to Success in Enterprise Risk Management”. We’ve had some terrific conversations with Risk, Finance, Legal, Compliance, Security and Audit professionals and facilitated conversations drawing from everyone’s experience to address the hurdles that different companies are facing. These exchanges and new partnerships are invaluable!
Among the keys to success, one that has been identified is the value that technology can bring to several phases throughout the ERM implementation process. If you’re a reader of the policyIQ blog or are a part of the RGP community, you have likely heard that policyIQ is often used for Risk and Compliance documentation, audit, policy management and related process automation. This includes Enterprise Risk Management!
Capturing the full ERM cycle of information in one place helps to ensure that everyone has easy access to the information—the ability to grab a pulse on various aspects of the program in real time from anywhere. This is also of chief importance to a successful program: keeping ERM accessible and an ongoing part of every strategic conversation.
To give some examples:
Questionnaires or surveys
policyIQ provides tools to make the administration of any collection of information more efficient. At your fingertips, you can see who you have heard from, who still has a questionnaire outstanding and you can automate the reminder to those with outstanding surveys or questionnaires.
Using that same capability, our tool helps organizations better understand their risk culture by gathering opinions from strategic members of the organization through a survey, one that might even allow anonymous submission of responses to encourage the most candid feedback possible.
The same functionality is applied to gather an initial risk inventory and to capture principals’ thoughts on the priority of risks.
Key Documentation and Support
It is critical that a solid ERM process include a number of discussions and agreements among the organization’s risk owners as a matter of course. What conclusions were drawn from the culture assessment? What risks bubbled up to be considered the most critical? What definition (thresholds in dollars, numbers, events, etc.) did you give to your rating of those critical risks? What are the parameters for acceptable (or unacceptable) risks that you use to define your organization’s risk appetite? And the agreed upon considerations or limits for risk tolerance?
Assess, Adapt, Monitor, Measure
In addition to providing a place to collect and gather all of the key pieces of information, policyIQ provides excellent reporting ability. You can zero in on a specific metric in cases where you have a concern and you can schedule delivery of information on a routine basis to aid in ongoing monitoring of performance.
Without a doubt, technology will help any organization to more effectively and efficiently manage their ERM program. We have presented some ideas in broad statements here. Contact us to see and discuss, in more detail, how policyIQ will help your organization to mature your ERM program to the next level.