Sean Thompson, President & Chief Operating Officer, NAVEX.
Business risks are mounting amid post-pandemic workplace problems, supply chain challenges, extreme weather, inflation and geopolitical turmoil. Given these factors, business leaders must leverage all available data to identify potential risks to their organizations.
As the president and COO of a risk and compliance software company, I know there is no shortage of data collected from running a business, and more of it than you might think can be considered “risk signal” data. This includes supply chain data, HR and personnel records, legal filings by suppliers and customers, sales trends, revenue and financial reporting and other third-party data. Seen separately, these datasets each tell their own story. Together they help you see the whole picture.
When we look at this data together, a company can see where there are causal links and interdependencies, creating an opportunity to address the root causes: treating the disease, not just the symptoms. For example, HR data may indicate an abnormally high turnover of female employees in the Midwest regional office over the past two years. Looking across data sources, the number of hotline reports of harassment has increased in the region, and compliance training reports show that managers in that office are behind on harassment training. Only when these data are considered together can we have a clearer picture of the risk presented and a way to mitigate it.
Moving from siloed data to an expanded view
Today, it’s rare for a single person or system within a company to look at risk signal data holistically, meaning leaders often miss the depth of the business risk their organization faces. While each department can review its own data and address risks as they arise, department heads ultimately focus on individual mandates. The CISO should focus on the IT landscape, the CFO should focus on financial risk, and so on across the executive suite.
While a Chief Compliance Officer (CCO) is tasked with ensuring legal and regulatory compliance across the organization, I’ve found that they typically have access to a limited set of data directly related to compliance. Similarly, while risk management teams try to discover the different types of risks a company may face, data silos often prevent risk teams from seeing the full picture.
I think it’s clear that a holistic view of data is pivotal to the next era in risk management and compliance, but it requires digital transformation. To effectively understand and mitigate risk, companies need a comprehensive view of risk signal data and an understanding of the company’s overall risk profile. To get there, I’ve found that organizations need three key ingredients: a system that collects, analyzes, and presents risk data; a leader empowered to transform the organization to extract business insights from the data; and a supportive corporate culture.
The CCO as transformation leader
Who should lead this charge? I believe that the CCO is the most suitable leader to meet the challenge. They can drive this next era of risk awareness and mitigation. But they can’t if much of the data they need isn’t accessible and their own teams are still working from spreadsheets – or worse, paper. CCOs have the knowledge, motivation and skills to increase risk awareness in functional areas and break down silos. But they can only achieve this if they have access to the right data – wherever it resides – and the right systems and tools to analyze it.
When it comes to choosing technology solutions to help manage risk data, organizations must:
• Ensure they have fully assessed and understood the business problem and desired outcome. Developing a list of core features and functionalities needed to meet the objectives naturally limits the scope of possible solutions.
• Perform a high-level ROI analysis to evaluate how the solution will meet the organization’s risk data needs. This process should include the validation of a supplier’s implementation and delivery journey.
• Prioritize change management initiatives and allocate appropriate resources to manage holistic oversight of risk data. When it comes to the digital transformation of risk management and compliance, this means supporting the CCO in their role as a transformation leader and being involved in the decision-making process around the tools used to manage risk data.
I compare the current CCO to the IT director role in the early 2000s. They helped navigate the first major digital transformation cycle. This was a time when information technology was in a silo, both in terms of data collection and job status within the organization. Today, IT is rightfully considered strategic and is fully integrated across the business, with a CIO in charge. I predict that the same evolution will play out for governance, risk and compliance (GRC). Of course, compliance leaders need to work with both IT and HR to drive the technology and cultural adoption needed to make this transformation happen, especially because the risk and compliance agenda is increasingly important for business success and is an additional focus for executive management and the board of directors.
As compliance leaders embrace this transformation, data silos and manual processes will begin to disappear. Risk signal data that informs smarter decision making will become increasingly visible, even obvious. At the same time, organizational cultures will become more ethically oriented, more risk-aware and more productive. If you’re skeptical, I suggest you just look at the data.