Rationalizing Controls to Effectively Manage Your Risks and Drive Risk-Aware Decisions



Managing operational risks effectively is a top priority for most organizations today, and controls play an important role in ensuring risks are mitigated. Controls range from preventive to corrective and are essential for managing risks, ensuring compliance, and safeguarding the organization’s assets, customers, and reputation. Frameworks like COSO (Committee of Sponsoring Organization) require organizations to embed internal controls into business processes to ensure ethical and transparent operations aligned with industry standards. These controls must be monitored, tested, and improved continuously to keep up with the constantly changing risk environment and business priorities. The challenge before today’s organizations is to execute reliable strategies to manage operational risks via control rationalization and facilitate better decision making. 

The 2023 GRC Summit in Miami saw Kevin Finlay, Vice President, Sales, MetricStream, lead an in-depth discussion on this topic with experts: 

  • Varun Agarwal, Director, Enterprise Risk, Western Alliance Bank 
  • Seth Rosensweig, National Integrated Risk Technology & Enterprise GRC Leader, PWC 
  • Patricia Catharino, SVP, Head of Risk Management & Internal Controls, Itaú US and Caribbean 
  • Kellie Bickenbach, Head of Control Assurance, First Citizens Bank

Watch Now: Effectively Managing Operational Risks Through Control Rationalization for Improved Decision-Making 

The panel of experienced practitioners had a lot to say on these topics, given that they live them every day. Read on for the key highlights of their engaging discussion.

How are Modern Organizations Addressing and Managing Today’s Risks?

The risk landscape is evolving at unprecedented speed and scale. As a result, an organization’s definition of what constitutes operational risk must also change, along with the steps taken to mitigate it. What do organizations consider the new operational risk priorities, and how are they going about addressing them? 

  • Vendor and Third-party Risk – Most organizations today have robust risk management systems and control frameworks in place. But given the interconnected nature of risks arising from a world that is now more connected than ever before, risk can come from any quarter, including vendors and partners. A cyber event at a vendor’s site may leave enterprise data exposed. Stress testing a vendor’s risk controls, rationalizing controls for the external environment, and mapping the enterprise’s risk appetite along with the vendors are critical concerns for enterprises today. 
  • Risk Culture – Identifying risk and determining the organization’s risk appetite in a highly interconnected environment are foundational steps that must be prioritized. Establishing the three lines of defense, educating the front line, and equipping it to identify and address risk is important. Control optimization cannot happen until these critical, foundational steps are taken care of. 
  • Documentation and Risk Prioritization - Organizations must have a repository of reliably documented risks and controls that are deployed and managed with a robust technology platform. They must identify key controls for critical areas and focus on those. Periodic reviews and realignment of the controls’ priority are also important. 
  • Technology – The technology strategy to manage operational risk must start by identifying how the organization identifies, measures, and monitors key operational risks for their business. Operational risks are inherently linked to how the business is conducted, and the technology strategy must, therefore, consider the overall business environment. Integrating risk controls in application architecture, cutting down the time taken to respond to risk, focusing on how data is collected, stored, and analyzed, and the effort taken to do so are all critical considerations.

Is a Risk and Control Self-Assessment Still Relevant?

A comprehensive Risk and Control Self-Assessment (RCSA) is a widely used exercise today, but it must be guided by the enterprise’s risk appetite, the big risk picture, and the expected outcome to be effective. 

When it comes to technology, most organizations conduct continuous control monitoring. However, the challenge lies in evaluating and rationalizing controls on non-IT systems. A bottom-up, process-driven risk control inventory anchored in common taxonomy is a good way to build a framework that encompasses all areas of risk. An overall understanding of the control environment must be followed by a systematic approach to prioritizing risks and controls for better impact. 

Here are a few points to consider when it comes to assessments: 

  • Frequency – Organizations may assume that more frequent RCSAs would be more impactful – quarterly instead of annual. But such frequent assessments may quickly become a tick-the-box exercise with no real focus on capturing real-time risks. A well-thought-through RCSA exercise that is based on enterprise priorities, risk appetite, business processes, and the risk environment matters more than the frequency. 
  • Data-driven approach – Data holds the key to effective control rationalization. Many organizations still don’t use data effectively to inform their risk assessments and control rationalization, or are too heavily reliant on controls. Better integration of controls with application architecture and processes will deliver more impactful outcomes. Data collection, data storage, and data integrity are critical areas to consider. Data-based questions and data-driven decision making are critical business assets that must be exploited fully for organizations to optimize their control assessments. 
  • Optimize assessment processes – Risk identification and control assessments are not going to become irrelevant. However, organizations must innovate and focus on making the best use of time and resources in order for the process to be effective. The way these assessments are done must change, beginning with a robust three-lines-of-defense structure. An empowered and aware front line is critical, as it must be agile enough to identify triggers and take action. Events at the front line should lead the second line to decide when to retest the control environment.

Optimizing and rationalizing controls for enterprise risk management will increase in complexity as the risk environment continues to evolve. Connected GRC approaches and technology can help organizations improve the process by leveraging data for better insights and quicker action. AI models will be immensely helpful for organizations in the years to come. At the same time, best practices from fields such as anti-money laundering must be explored and extended to unrelated businesses for a comprehensive assessment and rationalization effort.

Power Your ORM Program with MetricStream

MetricStream’s Operational Risk Management software is designed with a comprehensive set of capabilities that powers your ORM program to drive risk-intelligent, real-time business decisions that accelerate business performance and reduce losses. 

With MetricStream’s Operational Risk Management software, your organization is empowered with:


Stay tuned for more details on the upcoming 2024 US GRC Summit! Keep an eye on this space for updates.


Sumith Sagar, Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC) and Commodity Trading & Risk Management (CTRM) to cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

