There’s no reward without risk — EY’s global governance, risk and compliance survey 2015
Advance | Optimize | Embed

Respondents identified the top activities enabled through continuous monitoring as:
1. Controls monitoring/testing
2. Fraud detection
3. Security monitoring
4. Transaction analysis
5. Compliance monitoring

Leading organizations prepare scorecards, dashboards and other forms of reporting — including monitoring of key risk indicators (KRIs) and key performance indicators (KPIs) — for the board and executive management. This provides visibility into the risks that affect their business strategy and into how those risks will change the organization’s overall risk profile, enabling management to adapt the business strategy as appropriate. However, 78% of our GRC survey respondents prepare management dashboards only annually or quarterly, indicating that further opportunity exists to provide decision-makers with vital risk insights more regularly.

[Figure: embedded solutions by objective (Balance, Prevent, Limit) and enabler (technology). Solutions shown: application security, processes and controls, continuous monitoring, risk modeling and analytics, KRI scorecards and reporting, project portfolio analytics, stress testing, wargaming, disaster recovery. Risk categories shown: strategic risks, preventable risks, external risks.]

External risks

Prepare for the worst, hope for the best: embed solutions that anticipate and limit the impact of external risks. These solutions enable organizations to regularly identify potential risks, assess their impact, determine how to limit it and help to bring the organization back to “business as usual.” Stress testing, scenario planning and wargaming enable organizations to assess the impact of outside forces on their business strategy.
For example, an organization periodically conducts scenario planning to analyze the impact of forces such as geopolitical crises, technological shifts, regulatory changes or economic volatility on its business within the next 5 to 10 years. The second line of defense facilitates these exercises along with participants from the first line to assess how the organization would perform under different scenarios. The third line of defense participates in the exercises as an advisor, providing independent feedback and challenging participants’ assumptions. This enables the organization to regularly and efficiently anticipate potential risks and adjust its business strategy.

An organization routinely assesses the potential impact of natural disasters on its operations and supporting infrastructure, enhancing its DR plans as required. While the first line of defense owns the DR plans, the second line facilitates periodic risk assessments and the third line assesses the effectiveness and testing of the DR plans — this helps to ensure that potential risks are adequately reviewed and that the organization is prepared should a catastrophe occur.

In each example, biases are eliminated through the involvement of multiple parties, enabling the organization to efficiently and effectively anticipate and limit the impact of potential risks.

Case study

An organization transforming its finance function into a shared services center operating model to improve its bottom line willingly accepts the risks associated with changing operational processes, organizational structures and systems. The changes are required to realize the expected benefits, but they pose potential risks that ultimately affect the overall ROI. Solutions such as project predictive analytics or benefits monitoring can effectively manage and balance the risks associated with such a transformational program.
The second line of defense, working in collaboration with the first line, assists in evaluating the program’s overall management and execution to anticipate and adapt to risks as they arise, balancing risk with ROI. The third line of defense embeds experts within the program to proactively identify and monitor the mitigation of high-risk areas.

Survey findings:
78% of respondents prepare management dashboards only annually or quarterly, indicating that further opportunity exists to provide decision-makers with vital risk insights.
61% of respondents with defined KPIs and KRIs indicated they were using monitoring to identify trends or risks that may affect their organization’s business strategy.
63% of respondents have defined KPIs or KRIs, but not both.
50% of respondents monitor KPIs, KRIs or both by leveraging technology.