When everything changes, professional risk management helps to deal with the unpredictable. What does risk mean in times of digital change? How can you even manage risk when no stone is left unturned?

The importance of risk management services in the digital world has not changed compared to the importance in the analog world. At the core of risk management, it is still about ensuring that organizational or individual goals are achieved. Risk management forms the framework for dealing with unforeseen events or developments and for taking active control measures.

Specific domains of risk management, such as information risk management, are becoming increasingly important as a result of digital change. Information that was only available in physical form until a few years ago now exists digitally, and can therefore be accessed anywhere and at any time. A few years ago it was still sufficient to protect valuable information from the outside with good perimeter protection. The much more intensive cross-company networking, the trend to store data in the cloud and the much easier access to information via mobile devices mean that information protection has to be rethought and redesigned.

Keeping pace with these developments is one of the main challenges in maintaining the level of security in the digital revolution.

What requirements does risk management place on the customer’s processes and organization?

Risk management nowadays often has the reputation of being a “preventive”, especially when it is only operated by a few risk managers who have to be involved in order to make use of a right of veto in the case of critical decisions. In fact, risk management is a management discipline that cannot be separated from the operational management structures of an organization. Every decision-maker weighs risks in every aspect of his or her actions – whether using gut instinct or formalized methods. Company-wide risk management has the clear task of providing uniform methods and tools that help operational management to make better decisions. Interestingly, it can be observed that organizations with a strong target focus do not consider risk management as a stumbling block,

What is the significance of the “human factor”?

As has been shown in various economic crises, even with the best algorithms, it is not possible to make valid conclusions about the future from the past. Risk assessments – and the resulting assessments of future developments – are essentially always based on three sources: data from the past, parameters of the present in connection with the data of the past and human assessments, conclusions, deductions – i.e., “expert’s judgment”. I am convinced that even in times of big data and with vast amounts of historical data available, people will draw the appropriate conclusion and that their subjective experiences and properties will always play a role.

What options do GRC tools offer? How does your use look in practice?

From my perception there are two types of software tools in the GRC environment. There are expert tools that usually support a very small group of experts in preparing data, processing it with special analysis and simulation methods and showing statistically verifiable probabilities of results in response to very specific questions.

The second type of tool is the management system: tools that enable central risk management to exercise its governance function. Processes and methods are set up that help to carry a homogeneous risk management approach into the entire management organization in order to strengthen target focus and resilience to unforeseen developments in the entire company. The greatest benefit for companies arises when they begin to integrate several such management systems in order to generate synergies between ERM, ICS, audit management, compliance management, security management and other GRC (governance, risk management, and compliance) processes. It is through this integration that GRC develops its real added value.

What are the 3 most important success factors for GRC in the digital age?

SCurve’s vision for GRC encompasses essential subject areas that we see as critical success factors of GRC initiatives – and thus also of the success of the respective company:

1. Integration – Those responsible for GRC are more and more challenged to break down and integrate their GRC process silos. In such an eventful time, board members can no longer accept that they are obliged to build the overall picture from countless, non-integrated reports in order to be able to make decisions. Even implementing a uniform GRC tool, which only then contains hermetically separated GRC silos, will not solve the problem here. The success of GRC initiatives – especially from the point of view of the executive board and supervisory board – will largely depend on whether GRC initiatives are holistic or just “old wine in new bottles”.

2. Agility – The faster the environment evolves, the faster risk management and GRC processes must be able to develop. This requires the greatest flexibility and adaptability of the GRC systems used. It is necessary to be able to further develop all aspects of a GRC initiative based on the maturity of the company. Methods, processes, standards and norms, integration scenarios, interfaces – all of these elements must be able to adapt to the respective circumstances in order to avoid dead ends in the IT implementation of GRC.

3. Collaboration – The larger the target group of people involved in a GRC process, the more that simple, fast and transparently documented collaboration on GRC content is required. This includes both possibilities for people, departments and locations to interact with risks, measures or other GRC content, as well as simplifying communication across the different organizational levels.