Amid the coronavirus pandemic, organizations have deviated from their standard operations to maintain some sense of business as usual – working from home, for example, rather than on site. Such shifts can expose an organization to new risks, and even elevate existing ones.
The pandemic may have changed the operating models of some businesses, but not the responsibilities of executive leadership, who are still expected to manage risks and meet corporate obligations. Leadership teams are still accountable for the decisions they make today and their potential impact on the future of the organization, making risk management programs more important than ever.
How is your organization keeping track of decisions? Do you have processes and systems in place to provide a holistic view of the underlying risks to your organization? How are you managing risk exceptions and mitigating underlying risks today? When exceptions and deviations aren’t tracked, when their severity is not evaluated, when the appropriate compensating controls are not in place, decisions can pose great risks to the organization.
The concept of risk exception management is not new; it is a vital component of any risk management program. A risk exception management program enables users to request exception or exemption to comply with corporate policy, or deviate from standard practice for a stipulated period of time.
A typical risk exception management process consists of several steps:
Risk exception management provides a great deal of flexibility for users who are unable to comply with a corporate policy or standard practice or mitigate risk due to technical constraints or circumstances beyond their control. For instance, the application owners who aren’t able to comply with password policy requirements may request exception due to technology constraints in a legacy application or till the budgets allocated to make necessary enhancements to a legacy application.
At the same time, programs enable organizations to keep track of risks and ensure appropriate compensating controls are in place to guard the backdoors that were left open due to the risk exception.
Common pitfalls: The importance of understanding your program
It’s common for organizations to struggle with risk exception management programs, but it doesn’t have to be. Most challenges to implementation stem from a lack of familiarity with the processes:
Key elements of an effective risk exception management program
A good risk exception management program should:
Challenges in managing risk exceptions
Risk exception management may seem straightforward, but many organizations that are slow to go digital, standardize, train, and govern also struggle with the following common challenges:
Seven steps to build an effective risk exception management program
Step 1: Evaluate the maturity of the program
Understanding the maturity of the current program is the key to developing and implementing an effective risk exception management program.
Step 2: Define a framework
Establish a cross-walk between risk exception, risk, policies, and controls, with an ability to fully engage data to mitigate and manage risks.
Step 3: Define a governance structure
An ideal governance model should include a clearly laid-out RACI matrix, including process and procedures for reporting willful violations.
Step 4: Define metrics
Define risk exception metrics to track, monitor, and predict potential impacts on risk posture and be proactive in mitigating risks.
Step 5: Automate processes
Automate the risk exception management process, including checks and balances, to eliminate silos, standardize programs throughout the organizations, and establish a single source of truth.
Step 6: Create awareness
Create roll-out awareness sessions to educate users on the process for requesting exceptions, their roles and responsibilities in managing risk exceptions. Conduct awareness sessions via WebEx based, e-modules, and class room based trainings. Also, roll-out campaigns to review and report metrics on level of awareness via quick polls, surveys, contests, and quizzes as part of awareness initiative.
Step 7: Track and monitor metrics
Keep thorough accounting of metrics and take timely actions on expired risk exceptions.
As stated above, untracked risk exceptions may result in the underlying risks being left open when things return to normal, posing greater risks to the organization. Managing risk exceptions is therefore key to managing risks, especially during unprecedented times.
How can we help?
With deep roots in technology and domain expertise, Wipro is uniquely positioned to help organizations implement risk and compliance programs successfully.
We provide end-to-end services – from developing governance, risk, and compliance (GRC) strategies, selecting the right tools to implementing programs, and work closely with executive and stakeholders to design, configure, onboard, and maintain solutions for managing various risk and compliance programs.
We have developed pre-defined frameworks, toolkits that can help you to understand the maturity of your current risk exception management program, address gaps, and jumpstart automation with plug-and-play solutions.
To learn more about how Wipro enables enterprises to better manage risk exceptions, click here.
Sesh heads the Americas region of Wipro’s risk compliance and assurance practice. He is a seasoned professional with 20+ years of experience advising companies on cybersecurity, risk, compliance, and audit matters.
Sesh is a subject matter specialist in GRC with a multi-domain exposure to the areas of enterprise/operational risk, cybersecurity, third-party risk, internal audit, systems audit, fraud investigations, business cycle and ITGC reviews, and compliance, especially with respect to Sarbanes-Oxley, HIPAA, CCPA and the like.