By Neer Rama, Force Solutions Product Manager at thryve Canada
There is a bit of a furore in the risk-management world. Advisory firm Gartner has thrown a cat among the pigeons by creating a new category for integrated risk management (IRM), away from its governance, risk & compliance (GRC) category. This may seem like a basic distinction, except that rival advisory firm Forrester coined the GRC definition back in the early 2000s.
It’s essentially a debate about what defines modern risk management and I can see why the controversy has gained so much traction. After all, what is modern risk management? To answer that, we should look at what traditional risk management is not.
Traditional risk management isn’t very strategic. It’s meant to be – any good business strategy course delves into this relationship. What else is a SWOT analysis but a weighing of positive and negative risks towards formulating a strategy? I am simplifying this a little, but my point is clear: risk and strategy are peas in a pod, or at least meant to be.
So why aren’t they? Put that down to the daunting task of risk management. You have to gather, pool and weigh information from different parts of your organisation, then use it to create reports that are often very high-level and mitigating actions that tend to be very specific.
All this takes a lot of time, liaising with stakeholders, conforming to policies and channelling through different procedures. By the time you are done, the risk analysis has lost much of its impact on strategic conversations. Often risk analysis is just applied retroactively to an existing strategy or, worse, relegated to a compliance checkbox. It’s why risk is more often seen in the guise of a risk register than a strategic pillar.
But modern technology is enabling risk data to flow more freely yet securely. A risk platform such as Riskonnect, integrated with different company systems, provides a current flow of information that feeds into the risk data pool.
Different departments engage more closely with risk activities through tailored interfaces that reflect their workflows, not those of the risk department. The platform intuitively balances this so that neither side has to bend too far back for the other. To be specific: a four-point scale on one end can become a five-point scale on the other through automated processes that match the company’s chosen risk framework.
The dynamic flow of risk information can be presented in dynamic reporting structures, such as digital dashboards or ad-hoc generated reports. That annual risk report is still in the mix, but risk information takes on a new dynamic that the rest of the organisation can use for their plans. Ultimately, strategy can be decided with relevant, even real-time risk information on hand.
What I describe above is called IRM, hence the confusion. Is IRM separate from GRC or is it an evolution of GRC? I have to ask: does it matter? Isn’t it more interesting that we can finally wield risk as it’s often envisioned in business theory: a living and relevant advisor to strategy?
I’ll be at the RIMS Canada conference, 8-11 September 2019 in Edmonton, to learn about this and many other exciting things happening in the confluence between risk, technology and the modern world. Drop by, grab a coffee with thryve and let’s chat about the possibilities. You’ll be surprised what risk can do for a modern organisation of any size, thanks to the power of platforms such as Riskonnect.