Automating the Flow of Information Across Risk Management

Up-to-date and accurate information is mission-critical for risk management. It was also next to impossible to achieve when Excel, Word, and SharePoint were the industry-standard tools, since documents became outdated almost as soon as they were created. The situation improved with the evolution of solutions such as business continuity software, crisis management programs, emergency notification applications, and the like. These tools often use automation to collect and update data on an ongoing basis.

Unfortunately, solutions all too often exist in silos sectioned off from one another. These walls prevent businesses from leveraging automation to collect, distribute, and analyze information from an end-to-end risk management perspective. This poses a barrier to top-level planning, management, recoverability, and resiliency.

Digital transformation is essential to integrate the full suite of risk management tools and allow automation to thrive across all areas of risk. Consider the following benefits of end-to-end automation:

  • Information can be entered once and applied in multiple areas. People become irritated if they are asked to provide the same information time and again for various risk management functions. But if risk management systems are integrated through digital transformation, people’s expertise can be solicited once and applied seamlessly across systems, greatly increasing operational efficiencies and ensuring data accuracy.
  • Huge and cumbersome once-a-year updates disappear. Massive updates that require the tedious manual review of global information to check for needed changes are eliminated with digital transformation. They are replaced with automated self-checks where the system regularly evaluates existing data across risk domains to identify where updates need to be made and then collects or solicits that information directly or sends an alert about the required update. Automated workflows and approval processes also serve to keep information accurate and up to date year-round.
  • Enterprise-level reporting is made easy. If risk management tools and systems are siloed, global reporting is a challenge. With full integration, reports can be run instantly that provide the data and insight necessary to make strategic decisions about risk management, resource deployment, and organizational resiliency.
  • Gaps that represent risk can be readily identified. It is very difficult for risk management personnel to detect missing, improper, or inadequate recovery strategies when faced with hundreds of different departments, functions, and applications. An integrated risk management system can do so automatically. It can not only identify gaps, but can also prioritize and locate where greater risks exist. For example, the system can differentiate between a critical business process that has gaps in its recovery capabilities and a lower-tier service based on the connectedness of the data.

Ultimately, digital transformation opens the door for automation that fundamentally changes how companies collect, manage, use, and act upon data. This automation enables businesses to work from a common operating picture, strengthen recovery strategies, and respond quickly and confidently to any crisis or incident.

Why Do We Manage Risk?

If it is to identify the potential for loss before it occurs, and be able to take appropriate actions to reduce or avoid loss, then the concept of resilience is fundamental to risk management.

After three or more decades of compliance-oriented risk management driven by regulatory requirements and industry standards, many enterprise organizations are now working to redefine their risk management programs to bring risk and resilience together.

Industry practitioners have found that simply trying to extend a compliance-oriented approach hasn’t worked. The siloed approaches that various functional groups or individual departments were allowed to develop on their own have proven impossible to bring together into a coherent enterprise program after the fact. Simply reacting to audit findings is proving less tenable over time as the demands of corporate governance continue to grow.

It is encouraging to see similar recognition across regulators and standards bodies. Last summer, the Bank of England, in conjunction with the Financial Conduct Authority, issued a discussion paper on operational resilience highlighting the need for integrated programs. Other groups are also more formally addressing the challenge – achieving compliance doesn’t necessarily ensure that risk will be managed effectively nor that operations can be sustained at acceptable levels when risks materialize.

In the ever-growing compliance realm, many times what’s been missing is an organization’s ability to achieve and maintain resilience, ensuring that its people, assets, and processes are protected and preserving the trust it has established in the marketplace.

To address these issues and related challenges, Fusion recently hosted an Innovation Day, one of Fusion’s information sessions that bring leading industry practitioners together to focus on establishing effective operational programs. The common topic is the need to build an “information foundation” that addresses risk and resilience together from the beginning.

Learn more in our latest eBook The Inflection Point in Enterprise Risk Management is Underway.

Building a Comprehensive Management System for Information Security

It is clear that increased scrutiny means a more rigorous and comprehensive process must be in place for assessing and managing risk. There is more pressure on companies to manage third parties efficiently.

That means tossing out the spreadsheets and doing away with legacy GRC solutions in favor of an integrated solution for an assessment and management process that incorporates third parties in broader risk management and resiliency strategies.

The solution must provide third parties with access to information, due dates, and standardized assessment work-streams through a secure portal designed with ease-of-use in mind.

When an organization brings third parties into the solution, with shared information and standardized processes, it establishes a higher level of control over vendor relationships; saves time and effort during the assessment process; significantly lowers risk exposure; enables better decisions and improves accountability and oversight.

Vendors can log in and access questionnaires and assessments that address risk, impacts, dependencies, and compliance. This model provides for easier review, scoring, and analysis of that information so organizations can make the most prudent decisions possible about potential third-party risk.

One way to increase the efficiency of the assessment and onboarding process is to automate the pre-risk assessment and scoping procedure that evaluates the vendor’s potential risk tier and determines the level of detail at which the company should vet that potential vendor.

Some vendors might be put through a complete assessment across many domains (information security, privacy, legal, compliance, and business continuity/disaster recovery) because they are handling sensitive customer or employee data.

Others might not undergo as intense an assessment because they are not involved in the processing or storage of sensitive data. Automating much of this activity speeds the process and lets internal team members focus their efforts on higher-risk providers.

Regardless of the level of scrutiny, including a vendor in enhanced third-party management allows an organization to develop, test, and maintain contingency and crisis responses that consider impacts from any disruptions to those partners.

It dramatically increases visibility by providing metrics and reports that identify which processes are effective and which require more attention. It also allows various departments within an organization to seamlessly collaborate on risk assessments across information security, legal, compliance, finance, and IT.

Between malicious hackers and rigorous privacy regulations, today’s business climate is fraught with risk. Now more than ever, companies must overcome challenges associated with managing third-party relationships that can result in unforeseen operational and compliance risks, threats to business resilience and loss of revenue and credibility.

A company cannot simply have internal risk management and resiliency measures in place and assume they are protected. Industry has seen time and again that third parties who are not fully vetted, and do not undergo a rigorous risk assessment process, can do as much damage to a company as an internal failure.

Accountability does not stop within the walls of an organization — it can extend to a partner on the other side of the world. And, if the security and data management processes of third-party service providers are not complete, consistent and compliant, then neither are an enterprise’s.

Check out how Fusion can help make your vendor risk management a reality.

Extend Your Community with Fusion

Communities of occasional users can provide meaningful information and act far faster when the right system is put in place. These communities are made up of knowledge experts and operational specialists. These are the trusted vendors that are part of your extended organization.

The occasional users will thrive when you provide a personalized experience that only gives them what they need. The result will be subject matter experts and frontline workers contributing key information directly that allows you to fully understand the organization and manage effectively.

But for a community to be trusted, the information pathway must be secure. And of course, information must be easy to contribute and retrieve so that broad groups can participate without friction. Automation must drive action to keep a diverse community operating as a unit.

The whole system must seamlessly connect your communities to the information foundation you are building. By integrating information directly, you can reduce effort and errors in translating or reentering data. This also allows you to trigger immediate responses automatically to mitigate risk and drive action with ease, as no time is lost with information immediately available in your core system.

With the right technology at the center, risk managers, business continuity managers, and IT managers are reaping the benefits of extending access to key information to various communities that contribute and share information to better manage risk in a completely secure way. And by building on the central information foundation, each community can interact across communities when it makes sense.

Communities that are important to a risk manager can come in many forms, and constituents may be part of multiple communities at once:

  • Vendors who are looking to achieve or maintain trusted vendor status
  • IT disaster recovery exercise participants
  • Departmental business continuity plan users
  • The entire enterprise, which needs a way to share situational intelligence or receive alerts related to safety and security
  • Executives and managers who need to approve program deliverables on a timely basis

A large banking customer has defined a community encompassing their vast IT organization as occasional users of the risk system targeted at participating in full-day IT recovery exercises. The community can contribute to plan building and submit issues or improvement suggestions and can even be assigned follow-up work so improvements are tracked and completed.

Another consumer financial services company has defined a community around policy adherence, allowing two-way communications through a simple application when policy managers need to communicate about specific findings. Data flows directly to the core risk system to trigger workflows and impact metrics.

A major retailer has established a vendor community as part of their third-party management program where vendors respond directly to security assessments and then stay engaged once they are approved. Engagement beyond the initial assessment includes receiving electronic sign-off requests on adherence to changing policies, participating in business continuity exercises, and getting called to action during an incident to keep the companies operating successfully together. Because everything is integrated, alerts about important changes can reach exactly who needs to know virtually immediately.

Establishing these communities meant configuring a portal to access controlled pieces of the risk system directly and integrating selected capabilities and building blocks to fit each group’s needs. Having the right system makes the process easy and creates an engaging experience so users contribute and receive information easily. The result for the risk manager is much greater insight and the ability to impact outcomes with more complete information. The alternative is going backwards and ignoring the importance and power of engaging communities directly.

Ready to learn more about how to engage your communities? Check out our Community Connector.

6 Keys to Success for the Continuity Risk Management Practitioner

For decades, “having a plan” was synonymous with business continuity success. There are many reasons why that notion came to be the accepted standard. Unfortunately, it wasn’t true then, and it certainly is not true today. Business continuity management is the business process of managing and responding to risks that can result in the disruption of an organization’s ability to continue to deliver its products and services to the market. It’s hard to imagine a “plan” suffices in support of something this fundamental.

The illusion has been that a plan equals being prepared. The reality is that few people report using a plan “as planned.” The primary value of a business continuity plan is that, in theory, it contains the information and guidance necessary to support and direct response activities. Unfortunately, a “plan” has taken the form of a document that is too often outdated, inaccurate, or too cumbersome. A document is an ineffective organizing principle for capturing and accessing the information necessary to support a leadership team, especially at a time of crisis.

Business continuity success depends on first embracing the concept of preparation over planning. Similarly, a successful business continuity manager is more valued because the product of his/her work effort is an organizational capability and strength rather than a document. There are six keys to success for any business continuity manager individually and for the company they represent:

  1. Knowledge – Very few people truly know how an organization works, how it might break, and how it can be protected. Information is at the core of knowledge, and the successful business continuity manager has the facts at their fingertips.
  2. Organization – It can be difficult to put knowledge to work if you are not very organized. Organization is a force multiplier. It sets the foundation to leverage knowledge more effectively and efficiently.
  3. Resourcefulness – Resources are always limited. Even more so at a time of crisis. There is a huge difference between resources and resourcefulness. The resourceful business continuity manager is more creative, innovative and effective. They’re more about getting things done with what they have than letting a shortage of resources paralyze them.
  4. Judgment – By definition, risk management initiatives often run counter to the prevailing energy of the organization. Successful business continuity managers are realistic and use sound judgment, careful to use limited funds and resources wisely.
  5. Emotional Intelligence – There is a place and time for everything. The successful business continuity manager is able to engage stakeholders because they have been able to fit their agenda more effectively into the primary motivation of their constituency.
  6. Communication and Collaboration – Organizations are complex organisms, and it can be very difficult to communicate in the best of times. At a time of crisis, collaboration is at a premium, and the successful business continuity manager has cultivated the relationships to become uniquely qualified to bring the organization together, leveraging their knowledge, organization, resourcefulness, judgment, and emotional intelligence.