I am attending Gartner Symposium and ITxpo this week and blogging as I go.
Christine Adams, French Caldwell, John Bace, and Rich Mogull presented on Enterprise Risk Management: The Benefits of Risk. They talked, and answered questions, about risk, risk management and related topics. I had a few takeaways:
- Risk is loss or the potential for loss, but ALSO the risk of failing to gain something. This matches a point of view I hold that every interaction contains risk: the risk of bad debt, the risk that marketing resources cannot be used on a better prospect, etc.
- Gartner has a simple Enterprise Risk Management Framework (Definition, Planning, Management, Reporting, with a feedback loop), but silos exist because risk is managed with domain expertise. Thus you need to give the experts the power to track risks and feed them up, and then give the board the power to set a risk tolerance that is fed back down, so that someone in the middle can make the trade-offs.
- Compliance was a big theme, but it is really a question of risk management. There is a symbiotic relationship between risk and compliance. For instance, when you identify a risk you look for controls to manage it, and then you need to comply with those controls. Similarly, once you identify mitigation approaches, compliance with them becomes an issue. The key controls are going to be where your controls intersect with your Reasonably Accepted Risks. This represents the intersection of top-down compliance and bottom-up, expert-driven risk assessment.
- Risk management is all too often done only in response to problems such as audit deficiencies. In fact it could be used more proactively, for instance to allow a company to try something it would not otherwise try without risk management in place.
- It is important to have a management strategy for what to do when you get outside your acceptable boundaries. Mitigation controls are there to keep you inside those boundaries; by definition they do not tell you what to do once they have failed.
- A recent Gartner survey found that no one thinks they do risk management well and that silos are the biggest barrier. Interestingly, it is still not a high priority.
- People tend to focus on "their risk" without any kind of real enterprise framework, so there is a tendency for everyone's problem to become no one's.
- The risks associated with outsourcing also came up. I have blogged before about the advantages of controlling decisions when outsourcing processes as a way to manage this risk; see this post on the future of BPO and rules.
I have blogged before about the need for EDM in operational risk.
BTW, Fair Isaac is at booth 305 and I am presenting at 12:15 on Wednesday on Real-World Experience in Applying Business Intelligence to Business Processes.