By its nature, Governance, Risk and Compliance (GRC) is impossible to ever "finish". As soon as you put a control in place to mitigate one risk, another pops up to take its place. It can feel like we are constantly swimming upstream, with the target always moving just out of reach.
The data in our risk and breach registers could be inaccurately mapped to our controls, or the operational and regulatory goalposts may have changed. Either the cycle continues, or we intervene to review and update the registers and controls. It is inherently difficult to understand where our genuine risks lie and how best to address them in real time. The two-minute video linked below gives an interesting view of the problem.
Our ability to anticipate, prepare for, respond and adapt to disruptive challenges, especially during extreme events, is how we demonstrate our operational resilience and is a crucial tenet of our AFS Licence. It goes hand-in-hand with effective risk management, which, if executed well, provides us with the agility we need as a financial services business to 'bounce back better' from disruptive incidents.
A robust control environment provides an operational resilience framework, but even with the best control environment in the world, GRC will always be a moving target. So we have to accept that fact and put systems and processes in place that allow us to adapt quickly and efficiently to wherever the organisation's needs sit in the ever-changing landscape.
We need to move away from risk management as a compliance exercise and instead make it part of everyday business decision-making to create a culture of risk awareness and understanding, where everyone in the organisation knows their role in managing risk and feels empowered to take action.
So, what do we need? A data-driven solution that takes a holistic view of risk across the organisation. One that looks at how different risks interact and lets us quickly zero in on and address areas of concern. A tool like this would help us take a more proactive approach to risk management rather than the current reactive one.
Give us a solution that identifies and addresses risks before they turn into problems, so we can be better prepared for when the inevitable disruptions do occur. Help us to focus on the things that really matter and why we are doing all this in the first place – to protect our clients' interests and ensure that we remain a trusted and reliable partner.