Executive Briefings

Risk Management Emerges from the Shadow of Compliance

With new crises seemingly emerging weekly, risk management has taken on a new urgency. Leading companies recognize the importance of a solid supply chain risk discipline, but grapple with scope, ownership, metrics, and ties to other types of strategic and operational risks facing the business.

Taking into account local, national and global requirements, everyone agrees the number and complexity of governance, risk management and compliance (GRC) mandates is on the rise. How will your company keep them all straight? Does it understand potential exposure across seemingly disconnected programs? Are there any links between initiatives that aren't readily apparent? How can your business manage and execute multiple programs simultaneously?

With more than $32bn in planned spend for GRC-related activities, enterprises of all sizes are spending significantly on products and services to address myriad risk and compliance programs. Whereas compliance was the motivator before, structured risk management has now come out from behind compliance's shadow to become the key driver for operations executives as they plan for inevitable bumps on the road forward.

Not surprisingly, companies are in early stages of maturity. Risks are identified within different organizational silos-in many cases, even in departments within a larger organization-then monitored and mitigated without benefit of the bigger risk picture. While all risks can eventually be categorized as enterprise risks, they almost always are sub-categorized as either strategic or operational risks. For example, security and privacy concerns generally fall under operational risk. But when security gaps influence brand identity, as massive consumer data breaches have impacted a retailer's reputation, it becomes an important strategic risk as well.

• As critical business and IT processes are now executed by outsourcers and/or service providers, organizations are developing strategies to mitigate risks if service levels are not achieved.

• Leading companies recognize the importance of a solid supply chain risk discipline, but grapple with scope, ownership, metrics, and ties to other types of strategic and operational risks facing the business.

• While IT risk has historically been defined in terms of security and/or disaster recovery risk, organizations are taking a broader view to evaluate overall effectiveness.

• Financial risk is the current that flows through all other risks. While it's relatively mature-currency, credit, counter-party and regulatory risks have been on the CFO's agenda for decades-the current global economic cycle has put financial risk front and center again as enterprises of all sizes struggle to provide capital just to maintain business operations.

• Other risks, including sustainability, workforce retention and talent acquisition, and legal risk, are recognized as cross-business strategic risks and get visibility at the highest echelons of the enterprise.

The Outlook

Today, risk management and performance management programs are eerily similar but are run and managed as separate and parallel initiatives. AMR Research believes these will eventually fuse into one governance system to strategically guide an organization to its next level of business performance. Take heed from how performance management has progressed in your company, and consider fusing the two programs over time.

Taking into account local, national and global requirements, everyone agrees the number and complexity of governance, risk management and compliance (GRC) mandates is on the rise. How will your company keep them all straight? Does it understand potential exposure across seemingly disconnected programs? Are there any links between initiatives that aren't readily apparent? How can your business manage and execute multiple programs simultaneously?

With more than $32bn in planned spend for GRC-related activities, enterprises of all sizes are spending significantly on products and services to address myriad risk and compliance programs. Whereas compliance was the motivator before, structured risk management has now come out from behind compliance's shadow to become the key driver for operations executives as they plan for inevitable bumps on the road forward.

Not surprisingly, companies are in early stages of maturity. Risks are identified within different organizational silos-in many cases, even in departments within a larger organization-then monitored and mitigated without benefit of the bigger risk picture. While all risks can eventually be categorized as enterprise risks, they almost always are sub-categorized as either strategic or operational risks. For example, security and privacy concerns generally fall under operational risk. But when security gaps influence brand identity, as massive consumer data breaches have impacted a retailer's reputation, it becomes an important strategic risk as well.

• As critical business and IT processes are now executed by outsourcers and/or service providers, organizations are developing strategies to mitigate risks if service levels are not achieved.

• Leading companies recognize the importance of a solid supply chain risk discipline, but grapple with scope, ownership, metrics, and ties to other types of strategic and operational risks facing the business.

• While IT risk has historically been defined in terms of security and/or disaster recovery risk, organizations are taking a broader view to evaluate overall effectiveness.

• Financial risk is the current that flows through all other risks. While it's relatively mature-currency, credit, counter-party and regulatory risks have been on the CFO's agenda for decades-the current global economic cycle has put financial risk front and center again as enterprises of all sizes struggle to provide capital just to maintain business operations.

• Other risks, including sustainability, workforce retention and talent acquisition, and legal risk, are recognized as cross-business strategic risks and get visibility at the highest echelons of the enterprise.

The Outlook

Today, risk management and performance management programs are eerily similar but are run and managed as separate and parallel initiatives. AMR Research believes these will eventually fuse into one governance system to strategically guide an organization to its next level of business performance. Take heed from how performance management has progressed in your company, and consider fusing the two programs over time.