Risk-Based…Well, Everything, Really!

Thomas Frénéhard

Part 10 in the “Controls and Risk Management” series

Since I started working in GRC software, and actually even sometime before, when I was working on audit topics, a recurring concept has been risk-based auditing or similar denomination. The intent here is to focus the audit function on the riskiest parts of the company to ensure that all high-profile risks are reviewed regularly, correctly monitored, and so on to protect the business from operational surprises.

Nevertheless, audit isn’t the only function that focuses its efforts on high-profile risk areas. Internal control and compliance departments have a similar approach, but call it risk-based compliance, applied notably when performing a scoping exercise before launching assessments.

When taking a broader perspective within a company, many departments use the same risk-based approach, such as: business continuity; fraud management; environmental, health, and safety; and even finance for risk-adjusted planning and budgeting. Indeed, most departments have to ensure that they reach their objectives and that they don’t leave behind threats that could endanger their achievements and prevent the company as a whole from succeeding.

What does this tell us? I’m not going to enter the “it’s all about risk” debate. Actually, quite the opposite. I personally think that it’s all about other departments.

Risk management has, for a long time, benefited greatly from the work of other departments: leveraging investigations and findings to identify new risks, using existing controls from compliance as well as continuity plans to monitor and mitigate identified risks, etc. Now I believe it’s time for risk-management departments to stand up and be key contributors to their companies’ success.

There are many ways in which risk management departments can do this, but I’d like to highlight two.

Help the company focus on upsides: the opportunities

As I’ve discussed in previous posts, I’m a strong believer that any new project, product, or investment inherently carries risks of failure, of course – but more importantly, opportunities for success. Risk management has all the information necessary to define a “SWOT profile” and help the business make the best budget-allocation decision.

Be a lighthouse for the business

When contextual changes occur, risk management should be the first area to have up-to-date revised information and, therefore, be able to shed light on the new risk profile: potential negative impacts, the chain of probable events that could be triggered, and so on. If this department is able to communicate these changes and associated outcomes in a consumable and timely manner to compliance, business continuity, HR, finance, or any other departments impacted by a new risk context, then truly proactive decisions could be made.

Currently, this communication happens most often when these departments do their annual review and pull risk-management information, so very much in a passive, ad hoc manner. Conversely, pushing relevant information regularly would make the business more agile and enable faster and more relevant resource and budget allocations.

What about you? Do you see the role that risk management plays within your company changing? I look forward to reading your thoughts and comments on Twitter @TFrenehard.

If you are interested in hearing more about this topic and discussing it, then have a look at the SAP Conference on Application and Information Security – Building Digital Trust, taking place October 20 and 21, 2020 in Dublin, Ireland.

Learn more about SAP software for enterprise risk management. This article originally appeared on SAP Community and is republished by permission.

Follow SAP Finance online: @SAPFinance (Twitter)LinkedIn | FacebookYouTube

Thomas Frénéhard

About Thomas Frénéhard

Thomas is part of the Global Centre of Excellence for Finance and Risk solutions where he has a focus on Governance, Risk, and Compliance topics. Prior to that, he was a Senior Director in the Governance, Risk, and Compliance Solution Management team. His particular responsibility was with Risk Management but other functional areas of focus were in Internal Control & Compliance Management and Audit Management. He is also a regular contributor on social media and presenter at various SAP and non-SAP conferences on GRC matters.