We have put together a series of blogs that will help you with your automation journey.
This blog explains why to use automation for risk management. Most companies in their risk management infancy are content in the knowledge that a spreadsheet listing all their risks is enough for risk management. Nothing could be further from the truth, not if you are serious about maturing your risk management function.
While each industry is subject to different regulations, and even organizations in the same industry may have their own approach to risk management, the information below will apply universally to all organizations.
Let’s illustrate the difference between a manual assessment and an automated assessment of a critical process supporting the business.
In this example, let’s start with a request from the business to bring on a supplier that will deliver a product and service as part of a project. An assessment of the supplier or vendor is conducted (assuming it is a new vendor). A spreadsheet of questions is sent to the vendor, and most likely you would get back an incomplete questionnaire. Assuming this vendor is exemplary and answers all the questions (not always the case), you must now evaluate the answers and rank the vendor. If there are several risk assessors, each would evaluate the answers differently, introducing subjectivity into a process where you are trying to eliminate it.
Let’s assume that the vendor is approved and is now in the process of implementing their product using their consultants. The project of implementing the product will require understanding the design, ensuring necessary controls are articulated and any gaps or findings are mitigated before the product goes live.
Getting the above process to this point requires several data points that, when collected manually, take a significant amount of time. Under business pressure the assessment becomes a check-box exercise, and at some point that shortcut may itself become a bigger risk event.
So how does this process look with automation?
With an automated system, the business requesting a new vendor fills out an intake form or vendor request form and answers gated and tiered questions electronically; these answers determine the vendor’s initial high-level risk score. This initial score determines which preset questionnaire from the assessment library is sent via a secure link directly to the vendor. The automation ensures that the vendor cannot send back an incomplete questionnaire, and the completed questionnaire is auto-scored, removing the subjectivity of the risk assessor. The assessor can now spend more time evaluating the risks rather than gathering spreadsheets.
Again, let’s assume the vendor is approved and they start the design of the project. With automation, you can now pull risks from a risk register and controls from a controls library that are based on regulatory frameworks and/or internal policies, and the control effectiveness results from control testing activities are available immediately.
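To make the automated path concrete, here is a small model of the workflow described above. It is an added example, not code from the original blog or from any GRC product: tiered intake answers produce an initial risk score, that score selects a preset questionnaire from an assessment library, a questionnaire with unanswered questions is rejected before it can be scored, and scoring is a fixed function of the answers so two assessors always get the same result. The question names, weights and tier thresholds are constructed for illustration.

```python
"""Added example (not from the original blog): a minimal model of the automated
vendor-intake workflow. Question names, weights and thresholds are constructed."""

# Intake form: each gated question carries a weight; the sum sets the tier.
# (Constructed questions and weights.)
INTAKE_WEIGHTS = {
    "handles_personal_data": 3,
    "access_to_production": 4,
    "business_critical": 2,
    "offshore_processing": 1,
}

# Tier thresholds applied to the intake score (constructed).
TIER_THRESHOLDS = [("high", 7), ("medium", 3), ("low", 0)]

# Assessment library: one preset questionnaire per tier. Each question maps to
# the points earned when the vendor answers "yes" (control in place).
ASSESSMENT_LIBRARY = {
    "low": {
        "has_security_policy": 2,
        "incident_contact_defined": 1,
    },
    "medium": {
        "has_security_policy": 2,
        "incident_contact_defined": 1,
        "encrypts_data_at_rest": 3,
        "mfa_for_admins": 3,
    },
    "high": {
        "has_security_policy": 2,
        "incident_contact_defined": 1,
        "encrypts_data_at_rest": 3,
        "mfa_for_admins": 3,
        "pen_tested_annually": 4,
        "breach_notification_sla": 2,
    },
}


class IncompleteQuestionnaire(ValueError):
    """Raised when the vendor has not answered every question in its tier."""


def intake_score(intake: dict[str, bool]) -> int:
    """Initial high-level risk score from the gated intake answers."""
    return sum(w for q, w in INTAKE_WEIGHTS.items() if intake.get(q, False))


def tier_for(score: int) -> str:
    """Map an intake score to the tier whose questionnaire is sent out."""
    for tier, threshold in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "low"


def missing_answers(tier: str, answers: dict[str, bool]) -> list[str]:
    """Questions in the tier's questionnaire that the vendor left unanswered."""
    return sorted(q for q in ASSESSMENT_LIBRARY[tier] if q not in answers)


def score_questionnaire(tier: str, answers: dict[str, bool]) -> dict:
    """Deterministic auto-score; refuses an incomplete submission."""
    missing = missing_answers(tier, answers)
    if missing:
        raise IncompleteQuestionnaire(f"unanswered: {', '.join(missing)}")
    questions = ASSESSMENT_LIBRARY[tier]
    earned = sum(pts for q, pts in questions.items() if answers[q])
    possible = sum(questions.values())
    # Controls answered "no" are the gaps to mitigate before go-live.
    gaps = sorted(q for q in questions if not answers[q])
    return {"tier": tier, "earned": earned, "possible": possible,
            "percent": round(100 * earned / possible), "gaps": gaps}


def process_vendor(intake: dict[str, bool], answers: dict[str, bool]) -> dict:
    """Run intake scoring, tier selection and questionnaire scoring end to end."""
    tier = tier_for(intake_score(intake))
    return score_questionnaire(tier, answers)


if __name__ == "__main__":
    # Constructed sample vendor: handles personal data, no production access.
    intake = {"handles_personal_data": True, "business_critical": True}
    answers = {"has_security_policy": True, "incident_contact_defined": True,
               "encrypts_data_at_rest": False, "mfa_for_admins": True}
    print(process_vendor(intake, answers))
```

The two points the text makes map directly onto the code: the gate that rejects an incomplete questionnaire is `missing_answers`, and the removal of assessor subjectivity is simply that `score_questionnaire` has no human input, so the same answers always yield the same score and the same list of gaps.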
The simple illustration above shows how much automation can improve a company’s efficiency and quality. Automation does not have to be expensive. There is a misguided assumption in the industry that smaller companies must make do with spreadsheets and Word documents because they cannot afford expensive GRC tools.
In the next blog we will help drive the ROI equation for a GRC system.
To learn more, request a demo, discuss a free-trial proof of value, or simply start a conversation, drop an email to firstname.lastname@example.org.