An important benefit from our release of RSA Archer 6.1 this week is an alignment of organization maturity with the technology to support it.
Building a good Operational Risk Management program takes time. It requires a commitment from executive management to make it happen, human resources to administer the program, capital to acquire necessary technology, and a culture of engagement from the affected stakeholders. Some heavily regulated organizations may mature their programs more quickly to satisfy regulatory demands while others are driven to respond to a big loss, incident in the news, or by best practices around strategy and enterprise risk management.
The progression of an organization’s Operational Risk Management program maturity can be characterized in stages:
Organizations just starting a program are typically very Compliance oriented, attacking individual risks and compliance initiatives within an isolated strategy. Their strategy relies on the constant fire-fighting modes of their front line and functional employees. Their focus is so much on compliance and tactical risks that they cannot see beyond the immediate. They are hunkered down in the trenches too scared to move forward or relying on old fashioned approaches that may get the job done but will never keep pace with today’s market. These organizations need to take “Compliance” off the table and solve the regulatory and industry needs in a more efficient and effective manner. This requires automating compliance and building a cohesive strategy to deal with the ‘basic requirements’ of doing business.
In order to transition from a Compliance focus to a Managed stage of maturity, organizations need to reduce compliance costs through automation and reallocate budgets to gain resources and risk visibility. Organizations in the Risk Managed stage have solved (or are considerably on their way to solving) the ‘advanced requirements’ of Compliance. They have common policies, standards and controls, an effective control infrastructure and efficient methods to measure, monitor and report on their compliance state. Organizations in this stage need to become aware of the various risks they are juggling and put in individual plans to manage these risks within the context of a broader strategy. Organizations need to understand the risks in their landscape and be navigating (or at least identifying changes) to avoid major issues. This progress is being fueled more and more by visibility into risk through metrics and analysis capabilities.
In order to transform an organizations program from Risk Managed to Opportunity Advantaged, organizations need to manage known and unknown risk, and identify new business opportunities. The Opportunity Advantaged organization has mapped out and conquered the risk landscape and are poised to explore the Opportunity Landscape. These organizations are now ready to realize the competitive advantage of harnessing risk – beating competitors to market, launching new products and services with calculated efficiencies, avoiding those major issues that affect reputations and the bottom line. Organizations in this phase focus on speaking “business language” instead of “risk language”. They are able to identify and respond to emerging risks ahead of the curve – using common taxonomies, common approaches, finely-tuned decision making processes and most importantly DATA to support their conclusions.
With the release of RSA Archer 6.1 we are making individual Operational Risk Management use cases available that align to this maturity journey. Please look for The Operational Risk Management Journey (part II) to learn how you can take advantage of this new approach.