According to Google Trends, searches for "business continuity planning" skyrocketed on March 12, around the same time the US declared a national emergency in response to the coronavirus outbreak. The pandemic forced this oft-overlooked back-office function into the spotlight, bringing along with it economic turmoil.
For the first time in a long time, we must shift from managing localized risks within third-party supply chains, infosec, and operations against a landscape of economic growth to managing those issues under much less certain circumstances. If you haven't already, now is the time to build your contingency plan.
Business continuity plans (BCP) — and solid governance, risk, and compliance (GRC) policies, in general — can help businesses prepare for and navigate many disruptive events, including natural disasters, cybersecurity breaches, terrorist attacks, fraud, and embezzlement.
We believe in the benefits of implementing technology to streamline policies, automate processes, and create repeatable workflows so organizations can quantify risk into digestible dashboards to gain a singular source of truth. [Editor's note: The author's company is one of several providers of GRC technology.] Most businesses, we've found, have the same questions about implementing tech to strengthen their GRC programs. So we asked our customer success team, who all come from GRC consulting backgrounds, what they're typically asked.
Here's what they told us.
What should I be thinking about before implementing a GRC tool?
Before spending money on a tool intended to solve an ongoing problem, most businesses want to know what they need to have in place as an organization so the implementation will be successful. Before choosing to implement any GRC technology, it's important that organizations align people and teams to a common goal and define the existing processes surrounding GRC. One of the biggest mistakes we see GRC leaders make during an implementation is overcomplicating a process that should be simple. Don't get distracted by shiny bells and whistles at initial go-live. Instead, nail down your must-haves, build around those, and continue innovating on your processes with agility as the regulatory landscape evolves.
How does my GRC process compare to others?
Even the most sophisticated organizations, with the most beautifully defined processes, want to know how what they are doing compares to what their peers have in place. In a space like GRC, which changes by the minute to reflect industry requirements and government and consumer concerns (most recently surrounding data privacy), no enterprise wants to be left behind. To stay agile in response to emerging threats and proactive in preventing new ones, seek out technology that allows you to easily modify policies and procedures in your workflow without paying huge consultation fees. Additionally, lean on your partners to provide templates and best practices for common regulatory or compliance workflows in your industry.
How can my organization work cross-functionally to manage risk?
Building partnerships between organizational silos is key to creating a culture of risk inside your company. A strong culture of risk, from top to bottom, is essential to the overall success of any risk management program — and it doesn't build itself. Start with identifying gaps in the existing risk culture. Involve key stakeholders and create a few core statements about the desired culture, pointing out areas of growth. Commit to those changes, and create policies and procedures that reflect a strong risk culture.
Most importantly, communicate about risk often. Educate everyone in the organization on their individual roles and responsibilities when it comes to risk management. You'll know you have a strong risk culture when all decisions align with ethical principles, and there is clear and consistent accountability for risks throughout the organization.
What should I be doing in terms of risk-scoring methodology?
Because each organization has its own appetite for risk, each organization will have to define a scoring methodology for itself. There are many resources out there about how to score and what kind of calculations to use. A common simple calculation for risk is probability of event × magnitude of loss, where a high probability is between 80% and 100%, and a low probability is less than 30%. At the end of the day, it's up to each individual organization to decide for itself how to score risk.
How can I encourage adoption and help everyone consider risk in everything they do?
Getting the business to buy into the GRC processes leadership has agreed on can be the biggest hurdle, with the potential to completely ruin an implementation months in the making. This is why involving end users early in the build is key. Get their feedback on tool selection and customization, and encourage them to challenge the status quo in GRC. Ask questions such as "Why do we need to centralize risk?" along the way to ensure no stone is left unturned.
Feedback shouldn't stop when the tool is "live" either, because risk doesn't stop evolving just because a tool is in place. GRC leaders can also consider some gamification. Giving users visibility into the data collected can help provide access to the bigger picture and answer questions like, "Which department is clearing the most risk capital?"
With the cost of compliance on the rise, tackling risk can seem daunting. But instead of fearing it, accept it as inevitable and shift your viewpoint to look at risk through the lens of growth. If you were able to quantify and mitigate 20% of the risk associated with running your business, what additional risks would you be able to take on to grow your business?