• Votes for this article 16 people voted for this
  • Dashboard Insight Newsletter Sign Up

GRC Dashboards (Part 2 of 2)
Turning Risk Into Reward

by William Laurent, William Laurent, Inc.Tuesday, October 14, 2008

The first part of my of my discussion was on the convergence of governance, risk and compliance methodologies into what is now referred to across industries and businesses worldwide as “GRC.” The second part of my discussion covers what the main components of a GRC dashboard should be, the benefits and challenges around risk management and the importance of focusing on IT GRC.

Once implemented, companies will have control over many different dimensions of risk (financial risk, currency risk, political risk, compliance risk, etc.) at all levels of the enterprise. The goal is not only to manage and mitigate risk, but to turn risk into reward. From a bird’s eye view, the transmigration of risk into reward will be achieved by a dashboard that capacitates three fundamental functional precepts:

  1. Means to properly identify primary instances of risk
  2. Ability to classify risk (Risk Identification Hierarchies) in order to evaluate its potential impact
  3. Capability to allocate resources to address the risks and rectify/mitigate them

Because GRC dashboards are many times an outgrowth of risk management dashboards, it is quite valuable to understand the fundamentals and nuances of risk-centered BI. If one is familiar with the many issues encountered with respect to this discipline, then they should be in an outstanding position to add both compliance and governance components to the GRC mix.

Unfortunately, the dashboarding of risk is fraught with peril due to a fundamental inability of risk managers to get over deep-rooted personal biases and break out of outdated conceptions of risk. There is still a deep level of fragmented information and knowledge about risk. It is encouraging to see that new GRC standards are attacking and addressing these deficiencies so that the measurement of risk does not remain a troubled science or black art, with risk managers often relying on the same old financial-centered formulas that have taken root in their corporate culture for decades. Even when companies understand their risks pretty well and know how they mesh with their appetite for risk, obsolescence can set in quickly as risks mutate, disappear, or spring forward in new forms — the more dynamic the marketplace, the faster the pace of change for risk will be. Some very acute problems with risk management in its current form include:

  • Because of the stalling of innovation in many industries, there is a push to package risk (and repackage it) in such a way that the original risk becomes obtuse and hidden
  • Risks are not properly ranked into Risk Identification Hierarchies (RIH); therefore making it impossible to quantify, weigh, and prioritize risk
  • Risks are not understood well enough on an inter-department basis
  • Corporate assets at risk are not properly accounted for nor mapped to mission-critical business processes
  • Poor change management: latency in keeping abreast of new flavors of risk--like political risk, or brand loyalty risk
  • Risk assessment is often biased and not based on reality
  • Inability of various domain experts to message risk out of their individual business silos
  • Failure to create effective key performance indicators around risk mitigation
  • Inadequate development and administration of training and learning

Business problems aside, let us examine the technical side of things, specifically what works. A dashboard that deals with risk in any fashion will implement a plethora of details to insure a well-rounded BI solution:

  • Risk information must be easily shared and distributed via electronic means to ensure maximum accountability and transparency
  • Responsibilities for different types of risk must be easy to delegate and define through a user interface
  • All measurements and indicators of risk must adhere to a semantic standard if true consistency in communication is to be realized
  • Unstructured data sources often contain very important and relevant information about risk. A solid risk dashboard should have some mechanisms in place to parse and extract this data and make it easily consumable and understandable
  • The lifecycle of a granular element of risk will be tracked through various stages in its lifecycle—from gestation to retirement
  • Risk heritage and ontology will be made clear so that users can understand how one risk is dependant on another, how it influences other risks, and comprises larger components of peril
  • A system of thresholds and alerts will be instituted in order to raise conscious and awareness when a particular risk condition reaches a critical mass
  • A proven risk scoring methodology will be in place that allows for the prioritization and ranking of risk (i.e. RIH)
  • Reporting on compliance and risk for all levels of management will be automated

Tweet article    Stumble article    Digg article    Buzz article    Delicious bookmark      Dashboard Insight RSS Feed
 Next Page
1 2 3
Other articles by this author


No comments have been posted yet.

Site Map | Contribute | Privacy Policy | Contact Us | Dashboard Insight © 2018