A New Approach to Risk Oversight: A Lens to Look Through and Levers to Pull

By Bruce McCuaig, Director, GRC Product Marketing, SAP

Originally published on SAP Analytics. Reposted with permission.

Risk management continues to fall short of expectations. Surveys show that boards and senior executives believe risk management is important, but they also reflect overwhelming dissatisfaction with the ability of those same boards and executives to oversee risk management effectively.

According to recent research by the NC State Enterprise Risk Management Initiative in a survey of companies: “68% indicate that the board of directors is asking ‘somewhat’ to ‘extensively’ for increased senior executive involvement in risk oversight. That is even higher for large companies (86%) and public companies (88%).”

Recently, with my GRC colleagues at SAP, I’ve been experimenting with a new approach to risk oversight and strategy. Our approach provides a new lens to look through that allows companies to manage risks strategically.

We believe risks can be divided into four broad categories, each of which requires a unique primary strategy. This is the first in a series of blogs, building on comments and feedback we received over the past 18 months as we developed this concept.

With this blog we’re introducing a new iOS app we have developed to categorize risks. Download your early version of the app. It contains a number of embedded videos that expand upon our conclusions about risk management and provides examples of a lens to look through and levers to pull.

In the next few weeks, we’ll introduce an updated version of the app, expand on the ideas and tools we’ve developed, and solicit your comments.

Beyond Heat Maps: A New Lens For Risk Oversight

The diagram below outlines the basic concepts of the approach. The horizontal axis captures risk level as depicted on a traditional heat map. We suggest that risk levels can only be lowered to a finite degree by traditional controls. Beyond that point, risk management strategies must focus on avoiding the risk.

A simple example: if one relies on fire extinguishers as the primary strategy for fire prevention, then implicitly fires are an acceptable risk. If fires were believed to be spontaneous, unpredictable, and unpreventable, such a strategy might make sense. But controls are a bad approach for fires, and for any similar risk where the necessary precursor events and conditions are known and discernible. If a major risk can be predicted, it must be averted, not controlled.

Similar examples will be provided for each quadrant in future blogs in this series.

The vertical axis captures management’s willingness to accept a risk. Assessing Risk Level and Risk Acceptance Willingness results in risks being placed in an appropriate quadrant. Each quadrant requires specific risk management practices and specific information and solution capabilities.

[Diagram: Risk Quadrant. Horizontal axis: risk level; vertical axis: risk acceptance willingness.]

Risk Management Strategy Today: One Size Fits All

Risk oversight requires the ability to differentiate risks in a meaningful way and to develop responses appropriate to the nature of the risk. Risk management practices today don’t make sufficient distinctions to provide the necessary diversity in responses.

Most risk management strategies today rely on the use of controls as a primary strategy. Heat maps just don’t tell you what to do. In fact, they are a major source of frustration to boards and many senior executives.

My Questions to Our Readers

I will be exploring and explaining this concept in the next few weeks in this blog, and I’d love to hear from you. My questions to readers are:

  • Does it make sense?
  • Does it make clear how technology can be used?
  • Is it possible to use these concepts to guide risk management practices and to drive an integrated GRC strategy based on risk?
  • Is it useful from a board-oversight perspective?
  • What improvements can you suggest?
  • What are the flaws in this approach?

Interested in pursuing these ideas further? Join the SAP GRC team at SAPinsider GRC in Nice. I will be presenting the latest version of the GRC Strategy Selector app as a tool to bring the Three Lines of Defence to life as well as presenting an approach to using SAP Audit Management to drive costs down and add value. Register here and receive a €300 discount.