Debunking Integrated Risk Management Assumptions: Part 1 – Ensuring User Participation and Using Existing Toolsets

By Will Whitaker

Integrated Risk Management

If you are currently formulating an integrated risk management implementation strategy and weighing various technology options, assumptions, and realities, the best practices outlined in this series will help in your quest to find the right solution for your organization. We’ll focus on the key issues surrounding both implementation and rollout to ensure alignment between people and processes, which will increase your chances for success.

Buyers new to integrated risk management deployments often make assumptions to support their business case and technology selection criteria. On the surface, each of these assertions makes logical sense. However, the seemingly logical choice is often riddled with hidden costs and in some cases, show-stopping complexities.

Let’s dive into the first two assumptions.

Assumption: Users Will Actively Participate After Integrated Risk Management Solution Implementation

Reality: The rollout of integrated risk management software will not magically create the user engagement that’s needed to drive more risk-conscious behavior and better risk-remediation outcomes for your organization.

As tempting as this assumption is, buying a tool does not solve what is fundamentally a human problem. People naturally resist change, especially when asked both to expose their own shortcomings against policies, risks, and controls and to commit, in writing, to risk remediation plans with owners and due dates. Risk management processes demand a level of discipline that many business users find foreign, and no technology can stop people from circumventing a process they have not bought into or remove their natural aversion to risk management activities.

Best Practices:

  • Do not underestimate the amount of end-user training, marketing, and selling of risk management that your risk management program will require. When business users buy in to the “why,” resistance to the “what” and the “how” dissipates.

  • Partner with those who have real-world experience implementing risk management solutions, as they can help you prepare a roadmap that includes a calculated strategy for end-user adoption. Is the candidate IRM solution a new entrant to the integrated risk management space? Can your solution partner share lessons learned from previous integrated risk management implementations?

  • End-user participation and alignment should always supersede a technology turf war, so ensure that your integrated risk management solution can provide flexible means to bring data and decisions to your end user. This flexibility may include online and offline data gathering, workflow integration within email notifications, flexible data ingest methods, and intuitive ad-hoc reporting capabilities. Be open to soliciting risk treatment plans from your end users where they are comfortable doing business (email, separate ticketing system, etc.) instead of insisting on a one-stop shop within a singular technology.

  • Consider an integrated risk management solution that can provide you with a baseline capability and an implementation methodology designed to get you live quickly. Experience shows that most organizational changes must be rolled out in multiple phases (and not all at once) to achieve the ideal future state.

  • Ask your candidate integrated risk management solution provider how they will stay vested in your success with end-user adoption and platform usage throughout the life of the business relationship.

Assumption: Integrated Risk Management is Most Efficient When Using Existing Toolsets and Source Information

Reality: The assumption that you will efficiently implement IRM using only existing tools and resources by easily sharing data between them is bound to disappoint.

While there is surface-level logic to integrating data sets from tools the organization already licenses, in most instances those tools were not designed with integrated risk management in mind. They are rarely flexible or feature-rich in their ability to ingest information from, or share it with, other tools.

In virtually every IRM implementation, the classic adage of “garbage in, garbage out” rears its ugly head. Source information must be accurate, complete, relevant, and kept up to date to be useful. 

Let me provide a real-world example: An existing ticketing application may house a partial list of the organization’s IT assets. Making efficient use of this IT asset inventory for the purposes of integrating it with other risk management data—policy statements, data classification assignments, control activities, risks, issues, or audit findings—introduces a huge dependency on data quality. It will necessitate a separate project to both clean up this data and implement procedures to keep it accurate.

Best Practices:

  • Ensure that your IRM capability is flexible enough to import any disparate data set from a wide variety of formats and methods (e.g., Excel import, CSV, XML, direct DB, API, ingest from structured emails, scheduled imports, etc.) and that these import mappings can be configured and don’t require custom coding or advanced development expertise for you to benefit.

  • Identify and evaluate every desired source of information for each planned integrated risk management use case, and perform your own readiness assessment as to the usefulness of the current data set. Consider other dependent processes that may be needed (and that are likely not yet in place) to keep the data complete, accurate and timely for your consumption.

  • Acknowledge that your IRM strategy cannot—and should not—wait for source data to always be ready. Creating the data set manually is often the quickest win and fastest time to go-live and deliver business value. A competent IRM solution provider can help recommend a phased approach and solution architecture that still accommodates both present and future states.

  • Be a good internal partner with those whose data you depend on and who may depend on your program output. Meet regularly about your shared goals and objectives.

  • Start the data mapping process as early as possible for any planned integrations; the devil is always in the details, and understanding what data and methods are available to you at the source will help you understand the level of effort for the integration and ultimately which IRM solution can accommodate your requirements. 
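The readiness assessment recommended above is concrete enough to automate. The following is an added example, not code from the original article or from any IRM product: it takes a small, constructed export from a hypothetical ticketing system's asset table (field names `hostname`, `ip`, `owner`, `classification`, `last_seen` are assumptions) and reports the data-quality defects that typically block an integration: missing required fields, unparseable IP addresses, duplicate hostnames, and records not seen within a staleness window. The 90-day window and the 95% clean-row threshold in `is_ready` are illustrative choices, not values from the article.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import date

# Constructed sample export from a hypothetical ticketing system's asset table.
# Each row after the first deliberately carries a different defect.
SAMPLE_ASSET_CSV = """hostname,ip,owner,classification,last_seen
web-01,10.0.1.10,alice,confidential,2024-05-01
web-01,10.0.1.11,alice,confidential,2024-05-02
db-01,10.0.2.5,,restricted,2023-11-15
app-07,10.0.3.300,bob,,2024-04-30
,10.0.4.2,carol,internal,2024-05-03
"""

# Fields the downstream IRM use case needs populated on every record (assumed).
REQUIRED = ("hostname", "ip", "owner", "classification")
# Records not seen for longer than this are treated as stale (illustrative value).
STALE_AFTER_DAYS = 90


def parse_assets(text):
    """Parse a CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def assess(rows, as_of):
    """Return readiness findings for an asset list as of the ISO date `as_of`."""
    today = date.fromisoformat(as_of)
    findings = {
        "record_count": len(rows),
        "missing": {f: 0 for f in REQUIRED},
        "invalid_ip": [],
        "duplicate_hostnames": [],
        "stale": [],
        "clean_rows": 0,
    }
    # Duplicate hostnames are found across the whole set before the per-row pass.
    names = Counter(r["hostname"].strip() for r in rows if r["hostname"].strip())
    findings["duplicate_hostnames"] = sorted(n for n, c in names.items() if c > 1)

    for row in rows:
        defects = 0
        label = row["hostname"].strip() or row["ip"].strip()
        for f in REQUIRED:
            if not (row.get(f) or "").strip():
                findings["missing"][f] += 1
                defects += 1
        try:
            ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            findings["invalid_ip"].append(row["ip"])
            defects += 1
        try:
            seen = date.fromisoformat(row["last_seen"].strip())
            if (today - seen).days > STALE_AFTER_DAYS:
                findings["stale"].append(label)
                defects += 1
        except ValueError:
            # An unparseable or empty last_seen date is treated as stale.
            findings["stale"].append(label)
            defects += 1
        if row["hostname"].strip() in findings["duplicate_hostnames"]:
            defects += 1
        if defects == 0:
            findings["clean_rows"] += 1
    return findings


def is_ready(findings, min_clean_ratio=0.95):
    """True when the set is usable as-is: no bad IPs, no duplicate keys, and
    at least `min_clean_ratio` of rows free of defects (threshold is illustrative)."""
    if findings["record_count"] == 0:
        return False
    clean_ratio = findings["clean_rows"] / findings["record_count"]
    return (clean_ratio >= min_clean_ratio
            and not findings["invalid_ip"]
            and not findings["duplicate_hostnames"])


def assess_csv(text, as_of):
    """Convenience wrapper: parse then assess a CSV export."""
    return assess(parse_assets(text), as_of)


if __name__ == "__main__":
    result = assess_csv(SAMPLE_ASSET_CSV, "2024-05-10")
    for key, value in result.items():
        print(f"{key}: {value}")
    print("ready for integration:", is_ready(result))
```

Run against the constructed export, every row fails at least one check and `is_ready` returns False, which is the point: the "existing" inventory looks usable until you measure it. The same checks can be run on a schedule after the clean-up project to confirm that the procedures meant to keep the data accurate are actually working.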

In Part 2 of our series, Debunking Integrated Risk Management Assumptions, we’ll examine the risks around underestimating total cost of ownership.