
Resilient by Design: The Art and Science of Managing Interconnected Risks with a Connected Approach


Introduction

Most organizations today are looking to improve their risk management strategies so they can keep pace with a rapidly evolving risk landscape. We now know that for a risk management program to be successful and effective, it requires participation from functions across the whole organization.

But what does it take to build a risk-aware and resilient organizational culture? How can organizations address the challenges posed by interconnected risks, and how can they build an integrated and unified risk management strategy? These were the questions that a panel of GRC experts sought to address in the panel discussion Building a Culture of High Performance and Integrity: The Crucial Role of Integrated Risk, Compliance, and Audit by Design at our recent GRC Summit.

The panel brought together diverse panelists, from the second and third lines of defence to a technology enabler:

  • Claudia Iacobucci, Head of Assurance, Risk and Controls, ABB
  • Somkant Mishra, Senior GRC Manager, CRH
  • Bilal Javed Mahmood, Senior Director Risk Management, Hitachi Rail
  • Bhaskar Dasari, CEO, Vivid Edge Corp

Here are the key takeaways from the session.

Watch the video: Building a Culture of High Performance and Integrity: The Crucial Role of Integrated Risk, Compliance, and Audit by Design

Building a Resilient Risk Management Framework

To be effective, risk management plans must be aligned with the organization’s business objectives and strategic priorities. This means that risks must be identified and evaluated, and their potential impact effectively communicated. At the heart of an organizational risk management strategy is a resilient risk framework that combines enterprise risk management with resilience planning, so that the focus is not just on risk assessment but also on risk resilience:

  • Standardized methodologies and centralized platforms for risk data aggregation are critical.
  • These should include a unified risk universe that:
    • Is a central repository for risks and controls
    • Establishes a common taxonomy and reporting structures
    • Includes data models and governance structures
  • Automated systems for risk identification can significantly reduce errors and improve response time while maintaining data consistency.
  • Compliance can be integrated into the risk management strategy to identify and address cross-functional risks effectively.
  • The risk and resilience management effort must also include regular reviews of emerging risks so that they are identified and addressed early.

Cross-Functional Collaboration for Integrated Risk Management

Risk Management vs. Compliance and Audit: As organizations focus on integrated risk management strategies, they must consider cross-functional collaborative approaches that involve key stakeholders. The first step towards this is an awareness of the nature of risk and of how risk management differs from compliance and audit processes:

  • Risk is nebulous: risk management operates under uncertainty, in a fluid environment where outcomes and priorities can change quickly.
  • Risk management must be constantly engaged, assessing how external factors, from regulatory change to political upheaval, can affect business decisions and strategies.
  • Compliance and audit, on the other hand, are structured processes that operate within defined boundaries.
    • For example, the US election results may not have an immediate impact on regulations, and compliance teams may not need to take immediate action, but risk management teams must anticipate and prepare for the impact of the results on the geopolitical landscape, policy, and strategic direction.

The onus is on the risk management team to communicate to the compliance and internal audit functions how risk operates differently and why it needs a dynamic management approach. The risk team must drive the collaborative integrated risk management process and communicate emerging risks in clear, actionable terms. This helps compliance and audit align their efforts with the broader risk management objectives and ensures that all functions understand their separate but interconnected roles. Research and data-based inputs such as competitor analysis, annual reports, and industry trend studies can provide context for teams and uncover unique risks and opportunities.

Structured cross-functional engagement and collaboration: A comprehensive enterprise-wide risk management and resilience strategy can only work if every key member across the diverse teams is on board with it:

  • Varied priorities must be addressed with a unified, shared GRC ecosystem that respects team boundaries and autonomy while facilitating collaboration, customization, and flexibility.
  • Shared KPIs can motivate teams. However, this is only a temporary measure; the long-term focus must remain on establishing clear objectives and key results to ensure successful collaboration.
  • RACI models and compliance structures can help guide discussions and process alignment efforts.
  • Engaging teams to solve challenges or risk-based puzzles can be a simple but effective way to secure participation. For example, diverse teams can come together to assess the possible impact of AI risks and suggest mitigation strategies. This not only helps them think beyond their own roles but also gets them actively involved in the risk management process, and it facilitates the sharing of diverse perspectives and ideas.

Simplified, Intuitive, and User-Friendly Systems: Key to Successful Integrated Risk Management

A collaborative effort on integrated risk management must keep things simple:

  • Systems and processes must be built with the end user in mind, particularly the front line that will interact with them.
  • Overly complicated or technical processes and systems prove counter-productive in the long run, because people on the ground may lack the technical expertise or specialized skills to use them correctly.
    • For example, if a facility manager has to execute complex controls, they are likely to do the bare minimum, leading to non-compliance, missing data, and ultimately system failure.
  • Collaboration is not a one-time effort but an iterative one, made up of small, deliberate steps.
    • For example, an organization can begin with functions that apply to all departments, such as policy and document management, and, once these are addressed, move on to more complex areas such as internal audit.

A Step-by-Step Guide to Implementation

Collaborative GRC implementation must follow a structured methodology to be successful:

  • Listen to the organization’s requirements and needs, and understand its vision and objectives for the GRC program as well as its overall business goals.
  • Educate stakeholders on how best to leverage existing investments in technology and tools for maximum value.
  • Plan collaboratively, listening to all stakeholders. This fosters a sense of ownership and involvement.

Leadership Support and Direction

Effective collaboration in GRC requires strong leadership commitment and executive sponsorship. CXOs must take the lead in championing GRC initiatives to ensure consistency, alignment, and long-term success. Key leadership actions include:

  • Championing Collaboration – CXOs must actively promote GRC collaboration and drive its adoption across the organization.
  • Ensuring Strategic Alignment – Leadership involvement ensures that GRC efforts align with business objectives and long-term strategies.
  • Optimizing Resource Allocation – Executive support secures the necessary resources for implementing risk management and compliance initiatives.
  • Driving Momentum – Leadership commitment sustains engagement and accountability in executing GRC strategies.
  • Linking Risks to Business Outcomes – Clearly connecting risks to organizational objectives helps secure leadership buy-in for an integrated GRC approach.
  • Directing Resources to Critical Risks – Leaders must ensure that the right resources are allocated to address the most pressing risks effectively.

A robust, resilient, and integrated risk management program is an iterative process that takes time, leadership vision, and cross-functional collaboration to develop and implement. Risk awareness and management in this challenging environment can no longer remain the sole purview of the risk and compliance department; it must be embedded at every level of the organization. By strategically integrating risk management, compliance, and audit by design, organizations can create robust frameworks that drive accountability, operational resilience, and risk mitigation.


Liked this recap? It’s just a glimpse of the many discussions featured at MetricStream’s biggest event, the GRC Summit. The GRC Summit has been a key platform for the GRC community to come together, share knowledge, exchange best practices, and explore what's on the horizon for GRC. Whether it's new technologies, evolving processes, or upcoming regulations that could reshape your business, you’ll discover it all at this event.

Register now for the next GRC Summit in London on June 10th-12th, 2025.

Our ConnectedGRC product streamlines governance, risk, and compliance processes by integrating real-time data. It provides a centralized platform for managing risks, ensuring compliance, and driving business resilience across the organization.

To learn more about how MetricStream can help with ConnectedGRC and an effective Enterprise Risk Management strategy, request a personalized demo today!

Sumith Sagar, Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales, and sales enablement. With over 12 years of risk management solutioning experience spanning Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM), and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.