
After the deep recession that was largely the result of cavalier decision-making by some executives, who supposedly used risk models to rationalise their investment decisions, it is hard to come to terms with the idea of proactive risk management.
Rapid changes in both internal and external environments with mounting regulations are exposing organisations to increasing risks. Risks have grown and they come in various guises including Strategic, Environmental, Market, Credit, Operational, Vendor and Compliance Risk. These exist everywhere but need to be identified and managed effectively. The impact of failure can be crippling. Regulators are now asking institutions to significantly broaden their risk assessment of critical assets, especially of their critical business applications.
According to Milan Solutions’ director of GRC Practice, Anil Jogani, ‘organisations need to have comprehensive risk management processes in place; Risk Governance, Risk Response and Risk Evaluation. They must ensure that risk awareness and management practices are embedded in the culture of the organisation.’ The CEO is in the spotlight.
Director of Outsourcing Practice at Milan Solutions, Saranjit Arora pointed out the operational risks in outsourcing. According to him, ‘organisations outsource for competitive advantage but they need to recognize and manage the risks involved.’
The Governance, Risk and Compliance Solutions marketplace is perfectly positioned to support today’s enterprises in meeting these needs. At its highest level, these automated solutions enable organisations to align controls with departmental and corporate policies, regulations, and other binding requirements, measure the state of the controls, and evaluate and monitor risks.
Milan Solutions offers consulting services and automated solutions for GRC management. It is an Agiliance partner for their RiskVision Platform. The following case studies highlight how leading companies streamlined risk and compliance processes and achieved savings of 50% to 70% in time and money using Agiliance RiskVision.
Case Study 1: Reducing decision risks by aligning business risks to controls
One of the biggest grocery chains in the USA wanted to create an efficient, sustainable and repeatable GRC programme with the following objectives:
• Efficient and economical GRC program.
• Ability to link business risk to the controls.
• Eliminate redundancy in control testing across SB1386, PCI and SOX.
• Measure, monitor and report risk and compliance trends across their multiple regulations.
IT control automation enabled the retailer to connect deep into its IT infrastructure and security products (vulnerability management, CMDB), allowing it to report on risk and compliance against IT controls. Business process automation combined with IT automation allows the organisation to view risk due to process deficiency alongside the risk due to IT control failures. Since every control is mapped to a business risk, key stakeholders can identify the potential impact on their business by monitoring risk and compliance trends.
The different regulations and control frameworks overlap by anywhere between 30% and 60%. By eliminating redundancy in these controls, the organisation cut its compliance effort and budget in half while improving the efficiency, transparency and effectiveness of the GRC programme.
Case Study 2: Reducing Compliance Risks
One of the biggest gaming companies in Europe was haunted by multiple gaming and privacy regulations along with PCI. This huge gaming operation has many complex processes. It needed to implement a GRC solution that would plug in seamlessly without disturbing its existing complex IT environment, and that could report risk and compliance trends, along with the potential business impact, in order to measure, track and remediate the risk arising from non-compliance or incidents.
It implemented such a solution and the benefits were:
• Converging data and testing controls against data from different vulnerability management, configuration management and incident management solutions allowed it to view its risk landscape across applications, operating systems and processes.
• By eliminating redundancy between the controls from different regulations, the company was able to comply with PCI in less than 10 weeks with far more ease.
• Automating 40% of PCI controls reduced the probability of human error in control testing and time and effort required for compliance testing.
• A test-once, report-on-many-regulations approach made dealing with auditors easy and efficient.
Case Study 3: Streamlining Risk Assessments for Regulatory and Business Value
This leading investment services company has more than $1 trillion in total assets under management. It provides a range of services spanning the entire investment spectrum, including research, investment management, trading services and investment servicing. It has over 15,000 employees around the world, operations in more than twenty countries, and a network reaching over 100 markets. Following government directives, it had to carry out risk assessments of its critical assets, especially business applications. With more than 1,000 applications, some 400 business owners and 800 experts across the globe, the assessment task was formidable.
By using RiskVision’s end-to-end set of tools for building and managing self-assessment surveys, and its ability to assign risk measures to questions uniformly, management could:
• Know which risks really matter
• Capture consistent, correct and timely information through automated workflows
• Reduce the time and effort needed to complete assessments and audits even as the number of assets and regulations grows
• Order and prioritize efforts based on risk ratings
• Provide visibility at all levels to inform decision-making
• Meet growing regulatory requirements with less pain and cost
The time and cost required for risk assessment shrank by more than fifty per cent!
Going forward
The organisations mentioned above can now build on a quality information baseline and a common control framework. As the solution provides a flexible, easy-to-integrate set of end-to-end tools, in the next phase they will complete the foundation for continuous compliance with automated control functions and meet their future risk management needs without requiring expensive customisation work, saving time and money.
Conclusion
From the experience of these and many other companies, it is clear that only with automation do managers have a fighting chance of delivering higher value while managing risks effectively, of steering the ship with less uncertainty and more hope!

