For many years software vendors have been flogging risk management software solutions and customers have been scratching their heads wondering why it hasn’t provided optimum benefits for their organisation. I believe there’s a very simple reason for this. Let me explain.
We all accept that risk management is a fundamental element for successful corporate governance and assurance. There are many references to support this notion. AS8000 2003 Good Governance Principles states that one of the objects of good corporate governance principles is to: “(ii) Understand and manage risks to minimise the negative aspects and maximise the opportunities.”
HB158 2006 Delivering Assurance based on AS/NZS 4360:2004 Risk Management refers to “linking risk management to assurance”. The ASX Principles of Good Corporate Governance and Best Practice Recommendations include risk as an essential element: “Principle 7: Recognise and manage risk – Establish a sound system of risk oversight and management and internal control.”
Even in its introduction, the draft international risk management standard (commonly referred to as ISO31000) states: “To be effective within an organisation, risk management should be an integrated part of the organisation’s overall governance, management, reporting processes, policies, philosophy and culture.”
It seems clear to me that governance, risk and assurance are the pillars for building a resilient organisation. You might have the best governance, risk and assurance processes in the world, but unless they are integrated so that they directly link with each other and “feed” off each other, you will never achieve optimum results.
How can you have effective risk management in place if your audit program isn’t based on your risk profile? How will you deliver organisational efficiencies without mitigating your governance risks? How do you assure the organisation that its strategy is sound without a rigorous assessment of the leadership and its capabilities?
These are some of the reasons I think vendors came to the realisation that selling a risk management software solution in isolation from its governance and compliance or “assurance” counterparts wasn’t meeting the needs of the market.
GRC or GRA is, therefore, market-driven. It’s not a con or a fad, it’s absolutely essential if you want to build a resilient organisation that capitalises on opportunities during the boom times, and quickly bounces back after times of crisis. After all, isn’t that essentially why we spend so much time, effort and resources on all this GRA stuff anyway (apart from the regulatory compliance obligations)?
Consolidation is the name of the game. The RMIA, IIA, ACI, AICD and others have the same objectives – to help professionals and their organisations build business resilience.
My vision for the future is that one day all professional organisations will help each other and their members achieve true business resilience, based on an integrated and fully effective governance, risk and assurance model.
After all, I’d rather be lying on a beach in the Cook Islands or travelling through Europe than stuck in an office talking about issues we already have the capacity to resolve.
Grant Whitehorn is the CEO and principal consultant of Risk Management Innovations Pty Ltd, and president of the Risk Management Institution of Australasia.
The opinions and views expressed here are those of the author, and are not necessarily those of the RMIA, its board of directors, its management or staff.