Clever-Risk Review Efficiency
by Fools Gold.
When risk-based compliance checking becomes a monster.
In this abbreviated case study, I summarise a basic problem in a large organisation that led to analysis-paralysis. The organisation opted to remain anonymous, and so fictitious names are used herein, but they were happy to share their case and learnings for this publication.
The Context: Let's call the organisation Fools Gold Incorporated, or FGI. FGI is one of the largest cybersecurity providers in Africa. They were recently bought out by a very large multi-national corporation, Gold Buzz (GB). GB views FGI as its revenue-generating internal cybersecurity department.
The Requirement: In addition to servicing an African customer base, FGI now also needed to service the internal ICT cybersecurity requirements of GB, which is headquartered in the European Union (EU). FGI had Enterprise Risk Management (ERM) processes that now reported to GB's ERM team, and the FGI ERM framework needed to be integrated into the GB ERM framework.
The Problem: FGI ERM needed to add GB risks from a local African perspective, and the pre-existing bottom-up pipeline for raising risks became overloaded with the new EU risk-checking controls. Some operational processes stalled because operational resources were prioritising time to take part in the risk process. The GB Board was unaware of the root causes but aware of what looked like a situation carrying significant liability.
The Root-Cause Analysis: The risk control frameworks came from two different contexts.
The controls being assessed for risk fell into different and incorrect categories:
A. A control applied only to either EU or local data/transactions, not to both.
B. There were overlapping controls that had to be checked multiple times.
Additionally, the integration of local and global team objectives was not completed:
C. There was a lack of training on the new processes and the control assessments they required.
D. Duplicate ERM policies and processes were enforced.
The EU framework controls being assessed by the FGI local ERM team were neither fully understood by that team nor covered by training.
The FGI operational teams that normally logged risks through the FGI ERM process were not trained on the new processes either.
The result was that the local ERM processes ran side by side with the GB ERM processes.
This also resulted in multiple risk registers and in similar risks being assessed unnecessarily.
The people who identified risks were being pulled into various risk meetings, and there was often confusion over applicability and risk ownership.
This led to more meetings between local and global teams in which risk owners could not be determined.
Not all risks were analysed appropriately: some risks were logged but never discussed, and others resulted in operational delivery being stalled.
The Consequences: Since the purchase of FGI (a three-month period), FGI reported a failure to address 50% of all new risks logged and a 25% drop in operational productivity, citing the onerous burden of compliance with EU Directives as the primary cause.
Meanwhile, the GB ERM team reported to their board that there were high/critical risks and appalling levels of local governance in the newly purchased company, and the same for the corresponding local third-party supplier risks.
The Solution: The control frameworks needed to be merged; we used the C-xO Clever-Risk Compliancy Method for this. The separate processes needed to be merged, and the duplicate efforts needed to be optimised. We merged the FGI ERM process into the global GB ERM process. The separate risk registers were combined, with added categorisations to include the FGI ERM risks. The FGI ERM team was then free to upskill on the EU control risk assessment requirements and to train the operational risk stakeholders on identifying and logging risks through the merged global ERM risk process.
The Results: The global GB ERM process was aligned to ground-level operations in the Africa division (FGI). Resources followed a simple ERM process without many clarification meetings and knew how to categorise the risks they logged, and the FGI ERM team was able to direct risks to be correctly owned and addressed. Operational teams were freer to focus on operations, and productivity improved to close to pre-merger levels in the following quarter. No risks were left in unassigned-ownership status, and all risks were at least in remediation-planning status for risk treatment.
This case study demonstrates how sometimes the people on the ground need ladders to get up above the canopy and look over the trees. Management sometimes needs to understand that operational delivery, when working well, is like a finely tuned engine that is 100% driven towards leadership's goals, and that their respective views must be supported by the right business intelligence. If one changes the environment too drastically without the right due diligence, the engine stops working optimally in the pursuit of misled goals....
Chasing goals unchecked leads one astray; sometimes we need to realise that we are off the path and ask for directions to get back on it.... Fools Gold.
