May 06, 2022
May 06, 2022
Contributor: Malcolm Murray and Laura Reul
Organizations are still fighting 21st-century threats with 20th-century tools — and that's risky.
The window is open right now for sewing software and analytics into the fabric of risk governance.
First, this kind of spending is high on some powerful agendas: 83% of CEOs plan to increase investments in digital capabilities over the next year, and 71% of boards name digital technology initiatives as a top priority coming out of the pandemic. Second, the time is ripe for a major overhaul of the way enterprises defend against risk, and a digital-first mindset is central to the change that’s needed.
The predominant model, known as the three lines (3L), divides up risk management responsibilities based on the typical role of a function rather than the actual activities that need to happen and who is best placed to perform them. For more than a decade, organizations have tried to tweak the 3L with aligned assurance — all risk and assurance functions coordinating their work and avoiding duplication while making sure nothing falls through the cracks. Yet organizations still struggle to reap the benefits.
Download now: The Top Emerging Risk Trends To Mitigate and Monitor
Our alternative framework, which we call dynamic risk governance (DRG), breaks down functional boundaries, assigning authority by risk and activity rather than by role. This model is statistically proven to drive high-quality risk behaviors, such as leadership striking the right balance of opportunities and business managers having the knowledge to make more risk-informed decisions.
To achieve timely, collaborative and efficient risk management, you’ll need to build digital solutions at the same time you construct a full DRG framework. It’s a virtuous cycle: Sharing is required to go digital; digital is necessary for faster action; and DRG, in turn, begets closer working relationships for handling risks as swiftly as they occur — enabling yet more cooperation.
Companies told us about three methods they’ve taken to modernize and speed up their risk management processes. Each one involves collaboration between several functions and the sophisticated use of data and automation:
Learn more: Your Ultimate Guide to Data & Analytics
Functional leaders have made substantial progress in the last few years when it comes to assessing risk in a more systematic and data-driven way. However, separate functions tend to develop their own analytics, relying on their own datasets. Perhaps they are protecting their own turf or perhaps they simply aren’t aware of the benefits of exchanging data assets and skills.
To solve for this challenge, the internal audit team at The Kraft Heinz Company created a risk monitoring center of excellence. The goal: Encourage the business to use a tool that tracks more than 100 key risk indicators (KRIs) across four business processes (order-to-cash, procure-to-pay, accounting-to-reporting, and manufacturing-to-inventory).
Timing was critical; the information had to be available when action was required. The tool conducts continuous analysis of data stored in a central ERP system and creates Tableau dashboards that illustrate risk drivers, red flags, control gaps or process inconsistencies.
To launch this tool, the center of excellence served two purposes:
On the operational side, the center familiarized the business with the tool. The team started by identifying important stakeholders in the business and inviting them to see and use the tool in action.
“We are partnering with the business to ensure KRI monitoring is embedded within the first and second lines of defense,” said Fernando Garcia Bueno, VP and global head of internal audit. So, the training didn’t stop there. The center also developed risk analytics insights memos with recommendations that demonstrate the relevance and utility of the tool.
With support, business executives now track critical enterprise risks on their own. “The implementation of the risks analytics solution at Kraft Heinz is a very good example of bringing to life our ‘digital decisioning’ aspiration,” said Corrado Azzarita, the global CIO. “I firmly believe that data-driven decision making can become a reality in several business domains, improving both effectiveness and efficiency.”
Discover Gartner BuySmart™: Reduce risk and optimize spend on your next tech purchase.
The internal audit team at Royal Bank of Canada (RBC) set off on a mission similar to the one at Kraft Heinz: Produce a continuous monitoring tool that provides the entire organization with up-to-date risk information for critical business processes.
But RBC took a slightly more complicated tack. Instead of sending details amassed in one place out to the rest of the business, the bank’s internal audit team pulled together company and external datasets. To build this digital solution, internal audit collaborated with the business to define relevant information and metrics to measure KRIs and key performance indicators. They called their creation the Risk Assessment Planning Tool and Organizer, or RaptOR, Kanika Vij, the senior director of data science and automation, told us.
Because RBC’s internal audit team worked closely with management from the beginning, the business unit leaders felt comfortable granting access to internal audit for data that could support risk monitoring, according to Vincent Huang, the director of data science and automation.
Once permission was secured, the bank sent more than 38 automatic feeds from capital markets and commercial banking to the portion of the company’s data lake that serves only the internal audit team. Data continuously flows to the internal audit portion of the lake, meaning the monitoring is always up to date.
Next came dashboard development, which spanned six months. Internal auditors, data scientists/data engineers, DevOps, UX/UI designers, project managers and quality assurance developers combined statistical analyses on the back end and Tableau visualizations on the front end to highlight live risk information. With access to this dashboard, functional leaders at RBC enjoy three benefits:
Another example of using a variety of data sources to save time with automation comes from Standard Bank Group, based in South Africa. In this case, the internal audit team named their platform after themselves: Gina (group internal audit).
Along with a complete view of the organization’s control environment, Gina can predict future risks based on internal and external data sources.
According to Hema Chetty, the chief operating officer of internal audit, Gina performs daily automated tests for the processes scoped on the bank’s South African branch locations. Gina runs the tests and uses the results to address disparities between anticipated and actual risks, making swift adjustments to the audit plan. Before Gina arrived on the scene, the audit team would deploy 18 auditors to 40 branch locations — a process that took about three months.
The business also appreciates how Gina provides greater visibility into the control environment and the decreased number of interruptions poised by manual audits.
And this is only the beginning for automated assurance. As organizations adopt DRG, they will think strategically about automating controls to forge better partnerships. And that increase in collaboration will deliver better risk management.
This article originally appeared in Gartner Business Quarterly in Q3 2021. Download the full issue here.
Join your peers for the unveiling of the latest insights at Gartner conferences.
Recommended resources for Gartner clients*:
Dynamic Risk Governance Is the New Risk Mandate for Executive Leaders
Dynamic Risk Governance Starts With Shared Data
Ignition Guide to Piloting Dynamic Risk Governance
*Note that some documents may not be available to all Gartner clients.