Enterprise risk management is taking on a new dimension in publicly traded companies as they face greater regulatory responsibilities and increased public scrutiny. Companies are now devoting the same kind of attention and resources to controls for mitigation of regulatory, operational and reputational risks as they are to their more traditional risk management tactics. In this new era of risk management, a company's risk mitigation processes, procedures, applications and data are an essential remedy.
Today, every business must have a documented set of rules that control how data is generated, manipulated, recorded and reported. That sounds simple — but it's not. After all, those rules must effectively support everything from the accuracy of financial statements to the protection of the business from a continually changing set of risks. So business unit managers have many factors to consider if they're going to ensure that their data controls fulfill all of the governance, risk and compliance objectives for which they are responsible.
So how do you monitor and maintain your controls program across the enterprise to achieve optimal value and risk mitigation?
Good governance starts with establishing business objectives, and it continues with a closed loop of measuring and comparing results and refining activities and goals. The specific function of risk management as it relates to the IT department and to governance is in protecting the strategic objectives of the business against technology failures. And because a successful governance program is a continuous process, organizations must implement a comprehensive controls program, complete with testing, repeatability, visibility and automation.
An integrated approach can pay high dividends
The proper design and implementation of automated controls helps minimize exposure to risk. To achieve the necessary risk mitigation and return on investment, individual controls should be integrated as part of an overall enterprise controls framework. Such an enterprise-level approach starts with a comprehensive, high-level understanding of risks and risk mitigation requirements. This ensures that an organization's control strategy is tightly aligned with its business risk environment – which is often a complex combination of regulatory, operational and reputational concerns.
This strategy lays the foundation for governance, risk and compliance with continuous, proactive monitoring and reporting, independent of any specific need, requirement or regulatory driver. It allows companies to effectively:
- Track and measure IT risk as a component of the broader business risk
- Monitor IT risk mitigation at every level within the organization
- Provide information before a regulatory audit
- React to and grow with changes in the risk landscape
Automation is key
In developing controls, many organizations have focused on passing audits and achieving compliance for specific guidelines and governing bodies. While this approach addresses immediate needs, it doesn't promote a real long-term strategy. It can also lead to duplicated efforts and failure to adequately correlate risk management with organizational control. Moreover, it defines results of a controls program based on a specific moment (the result of the assessment/test) and creates a situation where cyclical and manual maintenance are the norm.
Organizations that resort to this approach are constantly "reinventing the wheel," because there is little or no automation, and regulatory relationships aren't well-defined. As a result, there is no mechanism by which the company can easily identify and address new and applicable risks, regulations or requirements. What's more, testing, repeatability, visibility and remediation are costly or non-existent.
When a company implements an integrated and strategic approach, however, automation of controls testing is seamless and transparent. It can be based on technologies that facilitate rapid reporting of operational activities against regulatory or business drivers. And it can also include federated monitoring and reporting of objectives among entities, partners and regulatory bodies, as well as applicable maintenance and repair.
Companies should therefore be careful not to allow their approach to risk management to become fragmented as they respond to new regulatory and market pressures. Instead, they should develop a strategy and implement technology that enables them to manage all of their risk management activities under a common rubric. Only by taking such an approach can they fully minimize business risk while controlling the costs associated with risk management.
— Margaret Brooks is vice president of strategic solutions for North America sales at CA.