
ACL EBOOK

7 KEY TRENDS IN
ENTERPRISE RISK MANAGEMENT
A guide to enhancing strategic performance with smart ERM
By John Verver, CPA CA, CISA, CMC
Contents
Defining ERM ... 4
How do you spell success? E…R…M. ... 6
An ongoing journey: ERM capability model ... 8
7 key trends in the “era of ERM” ... 10
  1} Move beyond a compartmentalized “silo” view of risks ... 11
  2} Provide management with a whole new level of quantified insight into risks—and do it efficiently ... 12
  3} Capitalize on big data and smart analytics for fact-driven, real-time risk monitoring ... 13
  4} Take a whole new cost-effective, analytics-driven approach to internal controls ... 14
  5} Data-informed decision making = smart risk management ... 15
  6} Integrate risk management into daily business activities ... 16
  7} Bridge the gap between business and risk professionals ... 17
6 key characteristics of performance-enhancing ERM ... 18
  1} Meaningful, centralized risk identification ... 19
  2} Linking of strategic risks to control objectives, processes and policies ... 20
  3} Continuous monitoring and data analytics lead to continuous risk assessment ... 21
  4} A consistent* enterprise-wide approach ... 22
  5} Reporting the things that matter… and responding with action ... 23
  6} Reporting the things that matter… in the right way to the right people ... 24
ERM Process Flow ... 25
Take this simple test: Are you making these common (and risky) enterprise risk management errors? ... 26
What now? Next steps to getting started on the journey to performance-enhancing ERM… ... 28
Struggling to bridge the chasm between ERM and performance of your organization’s strategic agenda? ... 29
Excellence in enterprise risk management (ERM) practices is key to business performance success and involves
embracing risks to fully realize business opportunities. It means that the full spectrum of risks across the
enterprise—including strategic, operational, financial and compliance—must be seen in the context of achieving
corporate objectives and maximizing operational performance. It also means having constant insight into what
is actually happening (both inside and outside the organization), and what requires action and response to
achieve these objectives.

Is excellence in ERM practices easy to achieve? Of course not. If it was easy, all organizations would already be doing it.

The reality is that it is not always easy to align and compare ERM processes in ways that convey the significance of relative risks to executive management. It can be challenging to align and relate differing industry standards within a common risk management framework, such as COSO or ISO. Organizations struggle to objectively quantify risk and to dynamically monitor risks in a way that clearly indicates the impact on corporate performance and objectives. It often proves difficult to obtain clarity from ERM processes around what should be the priorities for response actions in operational departments.

Poor risk management can spell disaster for an organization. Just look at the impact on brand and share price of Wells Fargo’s phony account scandal, or Volkswagen’s vehicle emissions fraud. And it is not just an issue for the private sector; government agencies can lose trust and credibility when they fail to address risks, such as the levee failures during Hurricane Katrina, which in turn led to many deaths and widespread misery.

Taking a smarter approach to managing risk and compliance processes at all levels makes good business sense. What is clear is that the benefits of an integrated enterprise approach to risk management cannot be achieved through traditional, often retrospectively-driven activities, using traditional technology.

In this eBook, we unpack what it means to perform successful risk management based on
work with thousands of organizations. Learn about 7 key trends in ERM and several
common risk management challenges—as well as best practices in overcoming them. We also
reveal 6 characteristics of data-driven ERM to enhance organizational performance and
help avoid the common ERM mistakes that organizations often make.

7 key trends in enterprise risk management 3


DEFINING ERM

First, let’s define what we’re talking about.


The Risk Management Society provides the following definition:

Enterprise Risk Management (ERM) is a strategic business discipline that supports the achievement of an organization’s objectives by
addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.

ERM represents a significant evolution beyond previous approaches to risk management in that it:
01  Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.).
02  Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual “silos.”
03  Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances and stakeholders.
04  Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks.
05  Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature.
06  Views the effective management of risk as a competitive advantage.
07  Seeks to embed risk management as a component in all critical decisions throughout the organization.
HOW DO YOU SPELL SUCCESS?  E…R…M.
ERM can be the “silver bullet” that takes an organization from good to great—
enabling a scientific approach to systematically dealing with the obstacles to
success and driving performance excellence.
The most successful, high-performing organizations have ERM processes that share the following characteristics:
✔ Roadmap to excellence—take a phased approach to evolve the program.
✔ Driven by data—built on a foundation of the facts of what is actually taking place, by accessing and blending data in unique ways to identify risk trends and indicators.
✔ Dynamic—responsive to ever-changing risks and related events.
✔ Continuous—provide constant and timely insights in real time.
✔ Comprehensive—consider all aspects of all forms of risks, and their impact on each other, and in aggregate.
✔ Collaborative—ensure that all three lines of defense are working in an aligned way around their respective responsibilities.
✔ Forward-looking—provide notification of what is happening, what is likely to occur and what must be done in response.
✔ Action-oriented and time-bound—ensure that appropriate responses are identified and take place within a critical time frame.
✔ Contextual—provide insights that are relevant to the function of managers at different levels and with different roles as relevant to achieving overall corporate objectives.
✔ Highly efficient—driven by technology that is designed specifically for achieving all of the above.
AN ONGOING JOURNEY: ERM CAPABILITY MODEL

For most organizations, achieving optimal practices in risk management takes time and involves progressing
through various levels of capabilities. The important thing is that all those involved—in all three lines of
defense—are aligned around the ultimate objectives and understand their respective roles.
How mature are your organization’s ERM capabilities?

The reality is that there is a learning curve as management in the front lines of business, as well as those in formal risk management and compliance roles, along with audit, transform their processes and learn the most effective methods of collaboration.

In fact, based on our engagements with organizations in all industries in 150 countries around the globe, a phased approach is the most effective way to introduce and mature effective risk management. The snapshot below is the typical evolution of ERM in most organizations, which can be used as guidance for planning.

[Figure 1: ERM roadmap: ACL’s ERM capability model. Five phases are plotted against maturity (horizontal axis) and value contribution (vertical axis), moving from a baseline program focused on value protection to a differentiated program delivering risk ROI and value creation: Phase 01 Centralized ERM; Phase 02 ERM Driven by Data; Phase 03 Integrated ERM across Lines of Defense; Phase 04 ERM Integrated with Strategy & Optimized Performance; Phase 05 Industry Best Practice.]


7 KEY TRENDS IN THE “ERA OF ERM”
ERM is evolving fast, in response to a more dynamic risk landscape and the compelling opportunities (and
threats) afforded by the digital transformation. Organizations that embrace it are winning the race (be it for
revenue, service or whatever their driving objectives). An intelligent and integrated approach to ERM is the
number one secret sauce differentiating performance outcomes today.

Read on to find out what you really need to know—and do—to get up to speed in the “era of ERM.”
1}  MOVE BEYOND A COMPARTMENTALIZED “SILO” VIEW OF RISKS

It has become obvious that failures in risk management processes can cause serious damage to an
organization. Frequently, this is due to an inability to see both the “big picture” issues at the same time as a
multitude of apparently minor risks.
Executive management may have little interest in regulatory compliance risks if historically a compliance infraction has simply meant paying a relatively small fine and moving on. Similarly, a breakdown in a financial control that allows some fraud to take place with negligible impact on corporate results will barely register on the radar.

Business managers responsible for operational risks in one business area may have no insights into patterns of operational and compliance failures in another area. They may also be focused heavily on their own mandate, without the context of impact on overall corporate objectives.

Each risk area, when viewed in isolation, may not be cause for concern in terms of achieving corporate objectives.

Then, seemingly from nowhere, a combination of events turns out to create a major problem. All of a sudden, for example, a series of apparently low impact compliance failures can attract the attention of regulatory authorities and then the media, resulting in what can turn out to be major damage to brand reputation, financial penalties and a long-lasting impact on share price. The root cause of the problem is often the inability to determine the impact of combining and aggregating different categories of risks.

On the other hand, a more advanced risk management process enables early recognition of the potential risk—and the ability to respond in a timely fashion to the early warning indicators revealed through trend analysis and risk aggregation. The solution is to implement a framework and an efficient oversight system for relating risks to each other, and a consistent way of measuring risk impact on the achievement of corporate objectives by aligning key risk indicators (KRIs) with key performance indicators (KPIs).



2}  PROVIDE MANAGEMENT WITH A WHOLE NEW LEVEL OF QUANTIFIED INSIGHT INTO RISKS—AND DO IT EFFICIENTLY

In a traditional approach, getting an overview of the current state of risks faced by the enterprise is often a
cumbersome and highly subjective process. Assessment of different types of risks is often managed with
disparate processes in separate parts of the organization. Attempting to consolidate the multiple reports and
spreadsheets that are typically used is a resource-intensive process—and is frustrating for executive
management, who end up trying to make sense of a typically confusing attempt to mix the apples and oranges
of different risk categories and assessment processes.
Subjectivity and bias in risk assessment can also create a fundamental flaw in risk management processes, especially in cases where business managers are responsible for completely different business lines and there is no effective mechanism for comparing and normalizing risks in a meaningful way. Fact-based analytics can overcome this weakness by normalizing risk assessments, to provide more valid quantified risk comparison and aggregation. Current trends rely on technology to enable re-engineered processes that are simpler and more reliable. ERM technology provides management at all levels and across all three lines of defense with the ability to review up-to-date dashboards reflecting the most current and quantified state of risk assessment, allowing immediate and more informed decision making.

3}  CAPITALIZE ON BIG DATA AND SMART ANALYTICS FOR FACT-DRIVEN, REAL-TIME RISK MONITORING

Big data can too easily mean “massive overload” and lead to “analysis paralysis.” However, the intelligent
analysis of data from multiple sources provides a uniquely scientific and objective ability to put all levels of risks
into context. Millions of daily operational and financial transactions can be monitored to determine whether, in
aggregate, risks are increasing to a point where action must be taken.
The ability to continually monitor what is actually happening within
multiple business processes over time allows management to
identify the critical trends that need to be addressed and acted
upon before relatively small issues turn into major problems.
Analytics can also provide insights into new and emerging risks:
ones that would never be noticed until it is too late when relying
on traditional risk management approaches.
The world of big data is also constantly growing and changing. McKinsey reports, for example, that 90% of data did not exist two years ago—and yet only an incredibly small 1% has actually been analyzed.[1] This means that the potential for data-driven risk assessment and monitoring is enormous, using new and different types of data and analyzing data in ways that were just not possible previously.
As organizations mature their risk management processes and
capabilities, they typically move from a retrospective and defensive
point of view on risk to a more forward-looking one that enables
smarter decision making. When this point is reached, risk
management practices can enable the organization to perform
better and drive at higher speeds, owing to the ability to both spot
likely obstacles that need avoidance steering and to accelerate as
fast as possible.

[1] McKinsey & Company. How to win in the age of analytics.
4}  TAKE A WHOLE NEW COST-EFFECTIVE, ANALYTICS-DRIVEN APPROACH TO INTERNAL CONTROLS

Internal controls often have a bad reputation among business operational managers. They are seen as
impediments to “getting the job done” and meeting performance objectives. These views are sometimes
justified, especially when controls become expensive to maintain and negatively impact productivity despite
the risks being relatively low. Yet, allowing a culture in which controls are routinely bypassed or ignored is
unhealthy at best, and catastrophic at worst.
The answer is (for some forms of risks at least) to rely on analytics to monitor activities continuously. Instances of regulatory non-compliance, fraud, waste and abuse can be monitored so appropriate responses can be made as necessary.

Instead of preventing every single possibly risky transaction from ever occurring with endless controls, the objective is to zero in on the bad stuff that is actually happening. If the risk exposure or financial impact is relatively low, it may be sufficient to simply monitor for instances that violate controls or risk thresholds. And if the risk, or impact, is high, transactions can immediately be red-flagged—to inform which specific controls can be implemented to prevent critical issues arising in the future.

As long as individual employees know the policy that is in place and know that adherence is being monitored, traditional and often expensive control approaches become unnecessary. Data analysis and transaction monitoring allows the fine-tuning needed to build a system that is neither over-controlled nor under-controlled.
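The tiered approach just described (log low-impact control violations for trend monitoring, red-flag high-impact ones for immediate response), shown as an added Python example that is not ACL’s code or code from this eBook. Three control rules run over a constructed payment ledger; the rule names, the approval limit, the red-flag amount and every record in the sample ledger are assumptions made for illustration, not a real policy or real data.

```python
"""Continuous transaction monitoring with a tiered response.

Added example, not ACL's code or the eBook's. Three control rules (an assumed
policy) run over a constructed payment ledger; each finding is logged for
trend monitoring when its financial impact is low and red-flagged for
immediate response when it is high.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

APPROVAL_LIMIT = 5_000.00    # assumption: payments above this need a named approver
RED_FLAG_AMOUNT = 10_000.00  # assumption: impact at or above this is escalated


@dataclass(frozen=True)
class Payment:
    id: str
    vendor: str
    invoice: str
    amount: float
    approver: Optional[str]   # None when paid without an approval record
    po_number: Optional[str]  # None when no purchase order is referenced


@dataclass(frozen=True)
class Finding:
    payment_id: str
    rule: str
    amount: float  # financial impact attributed to the finding
    severity: str  # "monitor" or "red-flag"


# Constructed sample ledger (not real data).
SAMPLE_PAYMENTS = [
    Payment("P-1001", "Acme Supplies", "INV-77", 1_200.00, "j.smith", "PO-501"),
    Payment("P-1002", "Acme Supplies", "INV-77", 1_200.00, "j.smith", "PO-501"),        # repeat of P-1001
    Payment("P-1003", "Northwind Consulting", "INV-12", 48_000.00, None, "PO-502"),     # no approver
    Payment("P-1004", "Office Bits", "INV-3", 85.00, "a.lee", None),                    # small, no PO
    Payment("P-1005", "Northwind Consulting", "INV-15", 25_000.00, "j.smith", "PO-505"),
    Payment("P-1006", "Northwind Consulting", "INV-15", 25_000.00, "j.smith", "PO-505"),  # repeat of P-1005
]


def severity_for(amount: float) -> str:
    """Response tier is decided by financial impact, not by which rule fired."""
    return "red-flag" if amount >= RED_FLAG_AMOUNT else "monitor"


def run_rules(payments) -> list:
    """Apply the control rules to every payment; duplicates are the second and later copies."""
    findings = []
    seen = set()
    for p in payments:
        key = (p.vendor, p.invoice, p.amount)
        if key in seen:
            findings.append(Finding(p.id, "duplicate-payment", p.amount, severity_for(p.amount)))
        seen.add(key)
        if p.approver is None and p.amount > APPROVAL_LIMIT:
            findings.append(Finding(p.id, "unapproved-above-limit", p.amount, severity_for(p.amount)))
        if p.po_number is None:
            findings.append(Finding(p.id, "no-purchase-order", p.amount, severity_for(p.amount)))
    return findings


def triage(findings) -> dict:
    """Split findings into the two response tiers and total the exposure in each."""
    red = [f for f in findings if f.severity == "red-flag"]
    monitor = [f for f in findings if f.severity == "monitor"]
    return {"red_flag": [f.payment_id for f in red],
            "monitor": [f.payment_id for f in monitor],
            "exposure_red_flag": sum(f.amount for f in red),
            "exposure_monitor": sum(f.amount for f in monitor)}


def findings_by_rule(findings) -> Counter:
    """Per-rule counts: the raw material for trend reporting over successive runs."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    found = run_rules(SAMPLE_PAYMENTS)
    for f in found:
        print(f"{f.severity:8} {f.rule:24} {f.payment_id} {f.amount:>10,.2f}")
    print(triage(found))
    print(dict(findings_by_rule(found)))
```

On the sample ledger the duplicate of a 1,200 payment and the small purchase without a PO only add to the monitoring trend, while the unapproved 48,000 payment and the duplicated 25,000 payment are red-flagged with a combined exposure of 73,000. Re-running the rules on each day's transactions and keeping the per-rule counts is what turns a one-off test into the continuous monitoring the text describes.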
5}  DATA-INFORMED DECISION MAKING = SMART RISK MANAGEMENT

The traditional approach to risk management emphasized risk avoidance, with multiple processes and controls
designed to reduce the risks of poor decisions, poor performance or failures in compliance.
Some executives and business process managers may take the view
that ERM is making a big deal over something that they do
instinctively, as part of their jobs. They take risks and opportunities
into account whenever deciding a course of action around achieving
corporate objectives. But a word of caution: change is constant—
both within and outside the organization—and even the smartest
business manager struggles to keep informed of everything that is
happening and respond effectively, at the right time.
There is now widespread recognition within high-performance
organizations that risk management is not so much about avoiding
risks, but about making the most of opportunities. Information is
key to this; and using technology to make sense out of masses of
data is an essential tool in this process.
It is never practical to completely eliminate risks, nor is it usually
important to do so. What is important is to understand what is
currently happening and the most likely impact on opportunities,
strategic objectives and the impact of different courses of action.
It is this intelligent and highly informed culture of risk-taking that is
now understood to be key to exceptional corporate performance—
one that nearly always outperforms a traditional risk-averse culture.
At this stage in ERM processes, it becomes more apparent to all
stakeholders that instead of all risks being considered as inherently
bad, there are many forms of risk that are important to take (and to
manage intelligently), as healthy risk-taking is fundamental to
superior business performance.



6}  INTEGRATE RISK MANAGEMENT INTO DAILY BUSINESS ACTIVITIES

An awareness of the overall benefits of seeing opportunity and risk as two sides of the same coin should lead
to an important outcome: driving an intelligent approach to risk management into day-to-day decision making
throughout the organization.
A smart, risk-intelligent culture means that employees understand
the impact of their decisions on the achievement of overall
corporate objectives. It also means that employees seek to be
continually informed about both the risks and the opportunities
within their area of responsibility—and take a proactive approach
to managing both.
A culture that addresses risk and opportunity in a smart way
results in employees that feel empowered to take on informed
risks, rather than focusing on an expectation that their
performance is measured on how much risk they eliminated.
Scenario analysis and the use of risk visualization dashboards
become a standard part of management practices.
7}  BRIDGE THE GAP BETWEEN BUSINESS AND RISK PROFESSIONALS

Another common challenge to successful ERM in many organizations is the divide between risk management
professionals and business management. Risk professionals often lack the business context to fully understand
risks, and business managers lack practical understanding of the role of risk and compliance control
frameworks.
The solution is to achieve an integrated approach in which risk management frameworks, regulatory requirements, controls and compliance processes are all linked together in ways that allow both business managers and risk management professionals to see the world through a similar lens and context.

Integrating these stakeholders as part of a single program, and on a single shared platform, transforms the traditional, disjointed, siloed approach into unified oversight—and gets the entire organization working together in the same direction: achieving objectives and driving performance.



6 KEY CHARACTERISTICS OF PERFORMANCE-ENHANCING ERM
What does smart ERM look like? Think data-driven and technology-enabled…
In light of the trends we are seeing in the era of ERM, let’s next examine the six key characteristics of smart,
performance-enhancing ERM.
1}  MEANINGFUL, CENTRALIZED RISK IDENTIFICATION

In order to manage risks in a smart way you need to know, of course, what the risks are—as well as how likely and
how extensive they are. You also need to know how they compare and relate to each other. Most importantly,
they need to be put in the context of impact on the achievement of strategic and corporate objectives.
One of the typical characteristics of a traditional siloed approach
to risk management is that risks are viewed in isolation. Regulatory
risks may be managed by a compliance team and financial risks by
the CFO’s team. And there may be no specific process to assess
and manage operational and strategic risks; they are just part of
the job for various business areas and executive management.
A better approach is to clearly categorize risks by type, such as
strategic level and process level risks—and show how they relate to
each other and, ultimately, impact corporate objectives. This
provides all three lines of defense with a centralized system in
which to perform their respective roles and collaborate. In
addition, it forms the basis for a combined and aggregated view of
risks that enables the organization to manage risk overall in a far
more intelligent and informed manner.



2}  LINKING OF STRATEGIC RISKS TO CONTROL OBJECTIVES, PROCESSES AND POLICIES
Strategic risks are assessed, prioritized and a response determined. Responses are assigned to responsible
individuals and mapped, where appropriate, to relevant control objectives and the processes required to meet
those objectives.
A risk and compliance framework is established and applied
throughout the organization to define control objectives and
processes at multiple levels and across multiple functional areas.
The framework includes a repository of control objectives, in which
risks, key controls, processes and compliance requirements are
detailed. Whenever relevant, different risks and control objectives
are linked to each other, as well as to different strategic risks.
The control objectives can be used to determine risk responses
across regions, time periods, business lines and assurance teams in
the three lines of defense. Using a central repository of control
objectives enables a single objective to be applied across multiple
entities and supports effective aggregation of risks and responses.
3}  CONTINUOUS MONITORING AND DATA ANALYTICS LEAD TO CONTINUOUS RISK ASSESSMENT
Risks are assessed and ranked on an ongoing basis through multiple means, including determining the impact
of control weaknesses and failures identified through monitoring transactions that flow through all key
operational and financial processes.
Data analytics also play a key role throughout the risk assessment process, from examining data to determine the existence of risks the organization may not even be aware of, to assessing and quantifying both inherent and residual risks. Analysis of data from within and outside the organization plays a key role in the continuous assessment of risks.

An increasingly data-driven approach, employing data from multiple internal and external sources, injects a fact-based and scientific approach to ERM processes, which is often missing when assessments and decision making are based on the purely subjective views of those involved in risk management.

Automated questionnaires and surveys of management provide important additional data-driven input into current risk assessments, as well as up-to-date confirmation of the effectiveness of policies and control procedures. Employee hotlines provide yet another means of obtaining important data on actual and potential risks.

“Technology can be the key driver to GRC integration and collaboration and to make sure everyone is following one standardized, optimized process.”
– Big 4 leader of risk management services



4}  A CONSISTENT* ENTERPRISE-WIDE APPROACH
Risk management and compliance processes scattered across different teams that evolve over time in distinct
ways, driven by different priorities and approaches rarely, if ever, work well as part of an enterprise-wide risk
management approach. On the other hand, forcing every team involved in risk and compliance management to
follow an identical approach often results in attempts to fit square pegs into round holes.
The key is to recognize what needs to be standardized and
consistent, in order to be able to generate a consolidated and
integrated view of enterprise risks—while also supporting risk
management and compliance activities that vary widely from, say,
operational manufacturing processes to financial processes.

*With the understanding that one size does not fit all processes.
5}  REPORTING THE THINGS THAT MATTER… AND RESPONDING WITH ACTION

One of the most important benefits of a technology-enabled and data-driven approach to ERM is the ability to
get insights into what is likely to happen—and to be able to do something about it, on a timely basis.
Continuous monitoring and analytics produce trend reports that are critical to identifying areas of concern from a risk perspective, as well as areas of opportunity. This makes it possible to respond quickly, and change a process or a control procedure that is not working effectively. It also enables the ability to spot a business opportunity or a process improvement that would otherwise not have been apparent.

Trends relating to risks can be shown in multiple dimensions (e.g., by time, business area, geography, risk and control type). The value of trend reporting far surpasses a traditional retroactive, point-in-time assessment of risk.



6}  REPORTING THE THINGS THAT MATTER… IN THE RIGHT WAY TO THE RIGHT PEOPLE

Among the common weaknesses in traditional risk management approaches are the limitations around reporting. Executive managers often don’t (can’t) care about the detail of compliance activities and individual failures. Control process owners may not care about—or perhaps should not have access to—reports on overall corporate risks. What everyone should have are meaningful reports for each individual’s area of responsibility, put into the context of achievement of overall corporate and strategic objectives.

Current, real-time reporting dashboards, driven from a comprehensive integrated risk management system, provide multi-layered reporting that is immediate, efficient and relevant to the individual recipient.
ERM PROCESS FLOW
[Figure: ERM process flow. Steps 1–5 identify and respond to risks (risks, control objectives, control frameworks, policies and regulations, processes), responding through control objectives and processes; steps 6–9 monitor with data analytics over data from within and outside the organization and analyze the results; step 10 manages responses; steps 11–14 report updated assessments; steps 15–16 modify and improve the process. The numbered steps are listed below.]

Identify and respond to risks
01  Create a registry of risks, including both strategic and operational risks.
02  Assess risks and define responses to risks, including assigning ownership.
03  Define control objectives and control processes.
04  Link risks to relevant control objectives and processes.
05  Link related risks to strategic risks and to each other.

Monitor and continuously assess risks and controls
06  Assess the risk of control weaknesses and failure to comply with policies.
07  Monitor the effectiveness of controls and compliance activities through transaction monitoring.
08  Assess changing risks and identify new risk trends through data analysis.
09  Obtain up-to-date confirmation of the effectiveness of control and compliance activities from owners by means of automated questionnaires and, where appropriate, verification of adherence.

Manage results and respond
10  Manage the entire process of responding to results and exceptions generated from analytics monitoring and from questionnaires and verifications.

Report results and update assessments
11  Use the results of monitoring and exception management to produce up-to-date risk assessments.
12  Identify new and changing risks and regulations as they occur and update repositories, and control and compliance procedures.
13  Report on the current status of risk management activities from high to low detail levels.
14  Produce dynamic risk assessment dashboards.

Improve the process
15  Identify duplicative processes and enhance procedures to combine and improve controls and compliance tests wherever appropriate.
16  Provide the ability to integrate regulatory compliance risk management, monitoring and reporting with overall risk management activities.
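A worked illustration of steps 01–05 and 11 above, and of the aggregation problem described under trend 1 (risks that are each tolerable in isolation combining into an exposure that breaches appetite). This is an added Python example, not ACL’s code and not any published ERM standard. The scoring model is an assumption: each risk carries an inherent annual likelihood and a financial impact, each linked control objective blocks a share of occurrences equal to its assessed effectiveness, and risks rolled up to the same strategic risk are treated as independent when combined. All identifiers, descriptions and figures in the sample register are constructed.

```python
"""Risk register that links risks to control objectives and strategic risks,
then aggregates residual exposure per strategic risk.

Added example, not ACL's code or a published ERM standard. Scoring model
(an assumption): each risk has an inherent annual likelihood (0..1) and a
financial impact; each linked control objective blocks a share of occurrences
equal to its assessed effectiveness; risks rolled up to the same strategic
risk are treated as independent when combined.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ControlObjective:
    id: str
    description: str
    effectiveness: float  # 0.0 (absent or failed) .. 1.0, from monitoring and owner confirmation


@dataclass(frozen=True)
class Risk:
    id: str
    category: str         # strategic | operational | financial | compliance
    owner: str            # response ownership (step 02)
    likelihood: float     # inherent annual probability of occurrence
    impact: float         # financial impact if it occurs
    strategic_risk: str   # parent strategic risk it rolls up to (step 05)
    controls: tuple = ()  # linked control objective ids (step 04)


@dataclass
class RiskRegister:
    risks: dict = field(default_factory=dict)
    controls: dict = field(default_factory=dict)

    def add_control(self, control: ControlObjective) -> None:
        self.controls[control.id] = control

    def add_risk(self, risk: Risk) -> None:
        # Refuse dangling links so every control reference in the register resolves.
        missing = [c for c in risk.controls if c not in self.controls]
        if missing:
            raise KeyError(f"{risk.id} links unknown control objective(s): {missing}")
        self.risks[risk.id] = risk

    def residual_likelihood(self, risk_id: str) -> float:
        """Inherent likelihood reduced by each linked control's effectiveness."""
        risk = self.risks[risk_id]
        p = risk.likelihood
        for cid in risk.controls:
            p *= 1.0 - self.controls[cid].effectiveness
        return p

    def aggregate(self, strategic_risk: str) -> dict:
        """Combine all risks under one strategic risk (independence assumed)."""
        members = [r for r in self.risks.values() if r.strategic_risk == strategic_risk]
        p_none = 1.0
        expected_loss = 0.0
        for r in members:
            p = self.residual_likelihood(r.id)
            p_none *= 1.0 - p
            expected_loss += p * r.impact
        return {"risks": [r.id for r in members],
                "p_any": 1.0 - p_none,  # chance that at least one materializes
                "expected_loss": expected_loss}


def appetite_breaches(register: RiskRegister, max_single_p: float = 0.25,
                      max_p_any: float = 0.30) -> dict:
    """Compare each strategic risk's members and aggregate against appetite limits (step 11)."""
    report = {}
    for sr in sorted({r.strategic_risk for r in register.risks.values()}):
        agg = register.aggregate(sr)
        single_over = [rid for rid in agg["risks"]
                       if register.residual_likelihood(rid) > max_single_p]
        report[sr] = {"single_over": single_over,
                      "aggregate_over": agg["p_any"] > max_p_any,
                      "p_any": round(agg["p_any"], 4),
                      "expected_loss": round(agg["expected_loss"], 2)}
    return report


def build_sample_register() -> RiskRegister:
    """Constructed sample data (assumption): five regional filing risks and one fraud risk."""
    reg = RiskRegister()
    reg.add_control(ControlObjective("CO-01", "Vendor master changes need dual approval", 0.5))
    reg.add_control(ControlObjective("CO-02", "Monthly regulatory filing calendar review", 0.5))
    filings = [("R-01", "A", ("CO-02",)), ("R-02", "B", ("CO-02",)), ("R-03", "C", ("CO-02",)),
               ("R-04", "D", ()), ("R-05", "E", ())]  # regions D and E have no review control yet
    for rid, region, ctrls in filings:
        reg.add_risk(Risk(rid, "compliance", f"compliance-{region}", 0.2, 50_000.0, "SR-01", ctrls))
    reg.add_risk(Risk("R-06", "financial", "ap-manager", 0.05, 400_000.0, "SR-02", ("CO-01",)))
    return reg


if __name__ == "__main__":
    for sr, row in appetite_breaches(build_sample_register()).items():
        print(sr, row)
```

The numbers make the trend 1 point: no single regulatory-filing risk exceeds the per-risk tolerance of 0.25, but the chance that at least one of the five materializes in the year is above 0.5, so SR-01 breaches appetite only when its linked risks are viewed together. The control effectiveness values are the input that monitoring and owner confirmation (steps 06–09) keep current; updating them and re-running the aggregation is the continuous reassessment of step 11.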
TAKE THIS SIMPLE TEST: ARE YOU MAKING THESE COMMON (AND RISKY) ENTERPRISE RISK MANAGEMENT ERRORS?
Do the risk management processes in your organization suffer from any of these risky characteristics?
Take this quick quiz by checking all that apply to your current enterprise risk management (ERM) process…

□ Spreadsheet-driven
Spreadsheets are incredibly versatile tools and, for certain activities, are impossible to beat in terms of ease-of-use and cost effectiveness. But ERM is not one of these activities.


There are at least two major drawbacks:
» Spreadsheets are difficult and unwieldy to consolidate. Even if the same consistent spreadsheet template is mandated for use across the ERM process, the task of compiling large numbers of spreadsheets (potentially hundreds or more!) is often highly inefficient and frustrating.
» Spreadsheets are highly prone to error. The great benefits of spreadsheet flexibility also represent a big risk to the integrity of the ERM process. Even the best-designed and best-controlled spreadsheet template can get altered by accident and result in incorrect data. The impact on enterprise risk assessment can be serious. (And the irony of managing risk in a risky tool undermines credibility in the whole undertaking!)

According to GRC2020,[2] financial services regulators in the US are stating that spreadsheets and documents for audits and risk/compliance assessments are no longer acceptable without additional tools to enhance the data. The post further states additional reasons why spreadsheets are not suited to GRC functions, including: lack of audit trails, easier malicious data manipulation, lack of workflow structures, compilation nightmares, and increased risk of compilation errors.

□ Consists of silos
You are probably already well aware of the problems with risk management and compliance silos. The extent of the issue varies from one organization to another (sometimes dramatically so), reflecting the way that processes evolved over time, usually having emerged from the days before organizations thought about ERM. If there was a need to manage compliance with SOX, EPA regulations, FCPA or any of the tens of thousands of other regulatory requirements that exist, then it was likely that some form of team developed to focus on specific types of compliance requirements. And that’s just for compliance…

Various forms of risk management silos often exist for almost every different aspect of risk (including strategic, financial and operational), each of which may have its own sub-categories for function, or geography or business unit. From a process point of view (and a technology one) the problem is that every silo takes a different approach to tracking, managing, assessing and reporting on different risks. The result is nearly always less than efficient and often duplicative and wasteful of resources. And a lot of expensive time is spent copying, pasting and amalgamating reports.

☐ Embedded in technology systems that are complex, customized and/or costly
The result of multiple silos can certainly amount to a haphazard mix of incompatible and duplicative systems and software products.

Another common challenge arises from using a homegrown technology approach that was built piecemeal as ad hoc processes emerged: for example, a spreadsheet system or a mix of spreadsheets, documents, shareware and multiple network folders. In many cases, a different specialized risk and compliance software tool is acquired for each “silo” area.

Whether systems are based on seemingly “free” spreadsheets, or specialized products, the likely outcome is a very high cost of ownership, particularly when looked at on a total enterprise basis. Many earlier generation products are now proving to be inflexible or require extensive customization. Moving to newer versions is often expensive in terms of effort, license fees and consulting service costs.

² GRC2020. “Why Spreadsheets, Documents & Emails Fail for GRC”
WHAT NOW? NEXT STEPS TO GETTING STARTED ON THE JOURNEY
TO PERFORMANCE-ENHANCING ERM…
If you have read this far, there’s a strong chance that you already know the ERM processes
in your organization need improvement…
or perhaps a complete transformation.
What can you do next?
Take a moment to assess your current ERM approach:
» How does your organization’s approach compare to what you have just read in this eBook?
» Could your risk and compliance management program deliver more value to your organization if it evolved into a true performance-focused, enterprise-wide process?
» What benefits could you achieve?
» What obstacles do you foresee in getting where you want to be?
We have worked with many organizations which were intent on accelerating corporate performance
through a better approach to risk management. Technology is a critical enabler of a high-performance
ERM process, and ACL’s risk management platform has been designed to support the most intelligent and
effective processes. Get in touch. We want to do our job by listening to what you have to say, learning
more about what you want to achieve—and sharing our methodology, developed through our work with
thousands of customers like you.

In part two of this eBook series, we show you how modern technology
can transform your ERM processes to enhance strategic performance,
and provide a technology evaluation checklist to help you assess your
internal processes and reveal where technology gaps are holding your
organization back. Visit acl.com for more resources to jumpstart your
journey to performance-enhancing ERM.
STRUGGLING TO BRIDGE THE CHASM BETWEEN ERM AND
PERFORMANCE OF YOUR ORGANIZATION’S STRATEGIC AGENDA?

Get better risk ROI. Protect value. Create value.


Let us help.
ACL’s platform solution brings objective, data-powered ERM to life, providing that “single pane of glass” view of opportunities and risks to corporate performance. We’ve drawn upon three decades of experience working with thousands of customers worldwide to develop detailed methodologies and best practices.

Boost ERM program success with a collaborative platform aligned to regulatory standards, industry frameworks and peer benchmarks—aligned with strategic performance objectives and using a quantified approach that rules out subjectivity.

For a free assessment of how your organization can achieve performance-enhancing enterprise risk management using technology, speak to one of our ERM experts at 1-888-669-4225 or info@acl.com.

Visit acl.com to learn more.



About ACL
ACL delivers technology solutions that are transforming audit, compliance, and risk management. Through a combination of software and expert content, ACL enables powerful internal controls that identify and mitigate risk, protect profits, and accelerate performance.

Driven by a desire to expand the horizons of audit and risk management so they can deliver greater strategic business value, we develop and advocate technology that strengthens results, simplifies adoption, and improves usability. ACL’s integrated family of products—including our cloud-based governance, risk management, and compliance (GRC) solution and flagship data analytics products—combine all vital components of audit and risk, and are used seamlessly at all levels of the organization, from the C-suite to front line audit and risk professionals and the business managers they interface with. Enhanced reporting and dashboards provide transparency and business context that allows organizations to focus on what matters.

And, thanks to 25 years of experience and our consultative approach, we ensure fast, effective implementation, so customers realize concrete business results fast at low risk. Our actively engaged community of more than 14,000 customers around the globe—including 89% of the Fortune 500—tells our story best.

About the Author: John Verver
John Verver, CPA, CISA, CMC, is an acknowledged thought leader, writer and speaker on the application of technology, particularly data analysis, in audit, fraud detection, risk management and compliance. He is recognized internationally as a leading innovator in continuous controls monitoring and continuous auditing and as a contributor to professional publications. He is currently an advisor to ACL, where he has also held vice president responsibilities for product strategy, as well as ACL’s professional services organization. Previously, John was a principal with Deloitte in Canada.

Visit us online at www.acl.com

© 2017 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd.
All other trademarks are the property of their respective owners.
