3. Embed

Embed solutions to proactively respond to risk and improve performance

Organizations that embed solutions execute their risk response plans more effectively and are better able to prevent, adapt to and anticipate risks that would otherwise impact their business strategy. It is not about adopting one-off solutions; it is about embedding sustainable solutions that enable an organization to remain successful. Organizations that think strategically about risk and have optimized their functions and processes are able to more easily embed and sustain solutions across the three lines of defense. These solutions are based on the organization’s risk response plans and align to the objectives of each risk category — strategic, preventable and external.

Preventable risks

Keep it simple: embed solutions that seek to prevent or eliminate these risks altogether. Design risk and control frameworks that optimally prevent risks from arising and that can be efficiently monitored and tested to deter or detect risks if they do arise. Organizations implementing new financial platforms should design application security that addresses compliance requirements and aligns to the business’s operating model, eliminating potential risks resulting from segregation of duties conflicts or excessive access at go-live. Leveraging GRC technology, organizations can implement additional control measures to detect and deter potential segregation of duties conflicts. In this case, the second and third lines of defense play a major role both in ensuring that compliance requirements are adequately addressed and in assessing the design and operating effectiveness of control measures. Leading organizations focus on optimizing their internal control frameworks to eliminate duplication and automate controls.

Similarly, organizations adopt continuous process monitoring solutions to further enhance and automate controls, as well as to improve the second and third lines’ ability to monitor the overall internal control environment. In our GRC survey, 75% of respondents identified usage of continuous monitoring, ranging from fraud detection to transaction monitoring and performance monitoring. As a result, these types of solutions better enable all parties within the organization to focus their efforts on managing the strategic and external risks.

Strategic risks

Balance risk mitigation with risk taking: embed solutions that reduce potential risks to your business strategy and enable you to adapt should those risks arise. Organizations willingly accept some degree of risk in order to drive business performance; for example, a financial services organization offering new products needs to accept a defined level of risk associated with extending its products and services to potential high-risk customers. Organizations balance and manage this type of risk through solutions such as risk modeling and analytics. This enables them to monitor the organization’s risk exposure in real time and adjust their business strategy accordingly — in this case, their criteria for accepting customers — capitalizing on the customers they do want to target. The second and third lines of defense facilitate and monitor the effectiveness of the models and analytics, as well as challenge the inputs and underlying assumptions. As new products are offered, the criteria by which customers are evaluated are continuously updated, reducing the risk to the organization while reaping the expected benefits.

Audit and compliance management, security and process controls, and enterprise risk management capabilities are viewed as the most important GRC technology capabilities today.

Risk responses: organizations that embed solutions as a core aspect of their business can proactively respond to risk and drive performance.

49% of respondents utilize one or more GRC technologies to enable risk management activities.

[Figure: Categories of risks — strategic, preventable and external. Panels: External risks; Preventable risks; Strategic risks]

Global Governance, Risk and Compliance Survey 2015 - Page 9