Our firm, RGP (Resources Global Professionals), has been on the road presenting in cities around the country on the “Keys to Success in Enterprise Risk Management”. We’ve had some terrific conversations with Risk, Finance, Legal, Compliance, Security and Audit professionals and facilitated conversations drawing from everyone’s experience to address the hurdles that different companies are facing. These exchanges and new partnerships are invaluable!
One of the keys identified is the value that technology brings to several phases of the ERM implementation process. If you read the policyIQ blog or are part of the RGP community, you have likely heard that policyIQ is often used for Risk and Compliance documentation, audit, policy management and related process automation. That includes Enterprise Risk Management!
Capturing the full ERM cycle of information in one place helps to ensure that everyone has easy access to it, with the ability to take the pulse of various aspects of the program in real time from anywhere. That accessibility is also of chief importance to a successful program: it keeps ERM an ongoing part of every strategic conversation.
To give some examples:
Questionnaires or surveys
policyIQ provides tools that make administering any collection of information more efficient. At your fingertips, you can see who you have heard from and who still has a questionnaire outstanding, and you can automate reminders to those with outstanding surveys or questionnaires.
With that, our tool is used to help organizations better understand their risk culture by surveying strategic members of the organization. The survey might even allow anonymous submission of responses to encourage the most candid feedback possible.
The same functionality is applied to gather initial input on risks and to capture principals’ thoughts on their priority.
Key Documentation and Support
A solid ERM process must include, as a matter of course, a number of discussions and agreements among the organization’s risk owners. What conclusions were drawn from the culture assessment? What risks bubbled up as the most critical? What definition (thresholds in dollars, numbers, events, etc.) did you give to your rating of those critical risks? What parameters for acceptable (or unacceptable) risk define your organization’s risk appetite? What are the agreed-upon considerations or limits for risk tolerance?
Assess, Adapt, Monitor, Measure
In addition to providing a place to collect all of the key pieces of information, policyIQ provides strong reporting capability. You can zero in on a specific metric where you have a concern, and you can schedule routine delivery of information to aid in ongoing monitoring of performance.
Without a doubt, technology will help any organization manage its ERM program more effectively and efficiently. We have presented some ideas in broad strokes here. Contact us to see and discuss, in more detail, how policyIQ can help your organization mature its ERM program.
The IIA put on another impressive General Audit Management (GAM) Conference this year. Below is a quick Twitter-style review of some 2015 #IIAGAM highlights. Remember that RGP is a Professional Services Firm with expertise in:
- Human Capital
- Finance & Accounting
- Information Management
- Governance, Risk & Compliance
- Supply Chain
- Legal & Regulatory
- Corporate Advisory & Restructuring
- Strategic Communications
We are particularly strong in cross-functional support: listening, helping to identify the common threads and root issues, and guiding an organization with a team of experienced professionals who walk alongside your employees and leave them more knowledgeable and better prepared to make progress than before we arrived.
Reach out to us and we’ll connect you with an RGP representative in your area.
Now, on to the GAM highlights!
Many speakers addressed Internal Audit’s more prominent role in today’s heavy volume of mergers and acquisitions.
If they were not already making it a top priority, I’d bet the 1,400 audit professionals attending GAM took the message back to their colleagues that they need to give cyber security more attention.
Of course, Risk Management continues to be a hot topic.
Don’t underestimate the work involved in preparing to comply with the Revenue Recognition Accounting Standard.
These were just a few of the key topics discussed at the GAM Conference this year. You can gather more information from the IIA website, Twitter and other social resources, and you can join the conversation next year! We look forward to visiting with you at the RGP booth!
I am just returning from Compliance Week’s 2014 conference, held in Washington DC this past Monday through Wednesday. I’m leaving with a new tote bag, a t-shirt, 36 pages of notes taken during the sessions and a head bursting with ideas that I want to share with all of you. I participated in CW 2014 strictly as an attendee, to learn from best-in-class compliance officers. Eight breakout session panels, seven keynote addresses and a whirlwind of conversations later, I’m happy to report that I accomplished that mission.
While there are some specific topics that we’ll dig into deeper in the coming weeks (after I’ve had a chance to digest those 36 pages of notes), I wanted to provide a couple of highlights in time for our May newsletter!
Cyber Security is a Hot Topic
For many compliance executives, it doesn’t feel like cyber security belongs in the compliance department’s realm. Alan Brill, Senior Managing Director at Kroll, agrees that ownership of cyber security is unclear, but stresses that it is a compliance issue. He suggests that compliance teams and IT security teams partner more closely in this age of “everything cyber” and put compliance tools in the hands of the IT resources who need them.
One very practical suggestion from Mr. Brill was to partner with IT on employee communications about good data security practices, using the compliance mindset to explain why the topic should be taken seriously. (The example used was the number of employees who likely have a personal Dropbox account where they store work in progress so it is accessible from multiple locations, outside the company’s control.)
My takeaway: How can we help organizations to push their compliance processes (controls, testing, reporting, employee communication) to the IT security side? In some cases we already work with both financial compliance and IT compliance, but where we don’t, can we help to foster more coordination?
Third Party Risk Management is Critical
It is surprising, to be honest, how many organizations still underestimate the exposure they face through third parties. The actions of suppliers, partners, contractors and sometimes even customers can bring risk to your organization. The need for effective, and efficient, third-party risk management and due diligence was a key theme of many Compliance Week 2014 sessions.
How to do third-party due diligence and risk management in a reasonable, cost-effective and resource-efficient way was a matter of much discussion, both during panel events and in the hallways over breaks. Panel experts stressed the need to push the due diligence process down to the business units that own the third-party relationships, with compliance providing oversight, and audits, to make sure the process is working.
My takeaway: policyIQ can help organizations to build a third-party due diligence process. Over the next couple of months, we should illustrate it more specifically so that our clients can see the process in action in a practical, and cost-effective, way.
Compliance Should Be Embedded in the Business
This theme ran through virtually every session at the conference – and while it is definitely a desire of most attendees, there did seem to be some skepticism about how to accomplish it.
One session specifically focused on “Tone at the Middle”, taking the common idea of “Tone at the Top” a level further. Middle managers are closer to the majority of the workforce, and commitment to compliance and ethical conduct at this level can be even more critical. (Of course, “Tone at the Top” is critical to THIS level of commitment.) The idea boils down to this: if you have an ethical environment that is committed to compliance, compliance shouldn’t feel like a hurdle that has to be overcome.
The other side of this coin is the concept that, in the ideal world, compliance can be seen as a revenue-positive activity. Compliance departments can work within the business to identify opportunities for process improvement in line with compliance initiatives. Risk management and issue management can also be viewed in a revenue-positive light.
Practical advice on this subject was a bit thin; however, it is clear that everyone wants compliance to be seen as a positive force rather than a revenue restriction.
My takeaway: How can we talk about processes like risk management and issue management in revenue-positive language? Consider ways to identify opportunities rather than issues.
So much more…
I have notes on issue management, creating a positive “speak up” culture, ideal issue escalation processes, risk-focused issue management, suggestions for creating better relationships with regulators, and much more. Stay tuned for more notes and ideas! If you have a specific question or if you are curious about a specific area, don’t hesitate to reach out to us.