The risk review nightmare begins with whiteboards, sticky notes, tiresome workshops and extensive administration processes. The whole process sends chills up the spines of risk and compliance teams, directors, and boardrooms around the world.
Every level of an organisation needs to convene on a regular basis to meet governance, regulatory and compliance (GRC) requirements, and global risk reviews can cost upwards of $US25,000. Per cycle.
In the 2020s, it’s imperative that GRC activities have a multi-domain software focus. But outdated risk reviews are being carried out right now, and they are in serious danger of being defective: either the wrong risks are identified and actioned, or the right risks go through the same gauntlet only to come out the other side improperly assessed.
Sure, there’s likely to be an existing risk matrix available as a general guideline. However, a small business is at risk of spending more time dissecting and understanding that matrix than it would spend investigating and applying a tech solution to help simplify the process.
Let’s look at the current “time in motion” for an eight-person team to undertake just one risk review cycle:
- Getting everyone on board and risk identification (120+ minutes)
The greatest risk to the identification process at this point is lack of awareness. Without risk awareness, the wrong risks can be identified and added to the risk library, which can have far-reaching consequences for the direction and outcome of the assessment.
Cultivating the right mindset for risk awareness will ensure great collaboration. It’s important to make this painful meeting as transparent as possible.

- Building a library (240+ minutes)
Every single one of your elements and identified risks needs to be deemed relevant (or not!) to business compliance. On average you are looking at 4 hours plus for your risk input preparation and workshop; perhaps even longer.

It’s often the most difficult and tedious step, but once established, it will form the framework into which your GRC assessments and management processes are integrated.

- Likelihood and impact time (480+ minutes)
Keep telling yourself that this will be a fun-filled day of lively discussions, fuelled by caffeine, cold water, mints and munchies, as you settle in for your individually facilitated risk assessment for roughly 8 hours (or more).
Things to be checked off are: the company’s risk appetite and its alignment to your strategic planning, score fields, applied controls and mitigation. Then the tedious process continues with the financial, operational, external and public impacts of those risks. Need more coffee? Maybe a pizza delivery?

- Analysis & board reporting (120+ minutes)
What the board needs is your powerful and accurate consensus. Loud and clear, alright?
Wrapping up the analysis and reporting will take you around 2 hours (dependent on the data), and you want to hope you are not wasting time with incorrect information, as there is a lot more than your time at stake if you are. The total cost of a data breach, for example, can be extensive.

Digital risk hacks, a dream come true?
Our everyday lives – including business and industry globally – are being transformed by data, analytics, and digital and smart technology.
A 2019 Australian Securities and Investments Commission (ASIC) report identified regulation technology (regtech) as having “enormous potential to help businesses build a culture of compliance, identify learning opportunities, and save time and money relating to regulatory matters.” The technology puts the old methods to bed (and to shame) and brings the risk management, compliance and cybersecurity process into the modern era to meet the growing demands of regulators worldwide.
Anthony Stevens, Co-Founder and CEO, 6clicks