How can we expect that to be different from business operations? The years of simplicity are gone!
Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards, executives, and management professionals throughout all levels of the business.
The physicist Fritjof Capra once said, “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.” Capra was making the point that ecosystems are complex and interconnected and require a holistic, contextual awareness of the intricacy of interconnectedness as an integrated whole – rather than a dissociated collection of systems and parts. Risk and control in one area have cascading effects that impact the entire ecosystem.
Organizations can see the intricate relationships of objectives, risks, and regulatory/legal requirements as they map to controls in business processes and systems. The modern organization operates in a world of chaos. In chaos theory, the “butterfly effect” means that something as simple as the flutter of a butterfly’s wings in the Netherlands could create tiny changes in the atmosphere that have a cascading and growing force that ultimately impacts the development and path of a hurricane in the Gulf of Mexico. A small event develops into what ends up being a significant issue. Organizations need controls not only from the top-down in the organization but also from the bottom-up, deep in operations, systems, and processes.
This challenge is particularly true in the context of regulatory requirements. Organizations face a plethora of regulations and laws that require greater and greater control over the organization's processes, systems, transactions, and data. The inevitability of failure arises when organizations try to manage this array of requirements as single projects that do not connect with each other or in isolated systems that fail to see the complexity of business processes across systems.
Organizations are increasingly exposed to compliance requirements. Adopting innovative ways to assess and manage risk and enhance performance is critical. That’s where data analytics and continuous monitoring are helping to simplify and improve the internal control system, increase operational efficiencies, reduce costs, and detect fraud and errors earlier. Internal controls become a way for organizations to create value.
An enterprise view of risks necessitates an enterprise view of controls. An enterprise view of compliance also requires an enterprise view of controls. As organizations span across differing jurisdictions, it is critical to define a common approach to control automation that can address the majority of the compliance requirements across these jurisdictions. Managing each jurisdiction's requirements separately only leads to more chaos and complexity, a Dante’s Inferno of control redundancy, gaps, weaknesses, and exposures. By taking an enterprise view of controls across jurisdictions, organizations can make control automation more efficient, effective, resilient, and agile in today’s complex and distributed business environments.
An enterprise view of risk and control automation leads to better decision-making that has a symbiotic relationship with the performance and strategy of the organization while ensuring regulatory compliance. Organizations need to understand how to monitor risk-taking, measure whether the associated risks taken are the right risks, and review whether risks are effectively controlled.
This enables the organization to identify, analyze, manage, and monitor controls, and capture changes in the organization’s risk profile as they occur. Mature internal control management and automation is a seamless part of the governance and operations of critical business systems and processes. While that may sound like hard work, organizations that get a good grip on their internal control initiatives have a much better chance of thriving in today’s complex and chaotic business world.
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 30+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is also known as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.