
Resilient by Design: The Art and Science of Managing Interconnected Risks with a Connected Approach


Introduction

Most organizations today are looking to improve their risk management strategies to be able to keep pace with the rapidly evolving risk landscape. We now know that for a risk management program to be successful and effective, it requires participation from functions all across the organization.

But what does it take to build a risk-aware and resilient organizational culture; how can organizations address the challenges posed by interconnected risks, and how can they build an integrated and unified risk management strategy? These were the questions that a panel of GRC experts sought to address at a panel discussion on Building a Culture of High Performance and Integrity: The Crucial Role of Integrated Risk, Compliance, and Audit by Design, at our recent GRC Summit.

The panel brought together a diverse group of panelists, from the second and third lines of defence to technology enablers:

  • Claudia Iacobucci, Head of Assurance, Risk and Controls, ABB
  • Somkant Mishra, Senior GRC Manager, CRH
  • Bilal Javed Mahmood, Senior Director Risk Management, Hitachi Rail
  • Bhaskar Dasari, CEO, Vivid Edge Corp

Here are the key takeaways from the session.

Watch the video: Building a Culture of High Performance and Integrity: The Crucial Role of Integrated Risk, Compliance, and Audit by Design

Building a Resilient Risk Management Framework

To be effective, risk management plans must be aligned with the organization’s business objectives as well as strategic priorities. This means that risks must be identified, evaluated, and their potential impact effectively communicated. At the heart of organizational risk management strategy is a resilient risk framework that combines enterprise risk management with resilience planning to focus on not just risk assessment but also risk resilience:

  • Standardized methodologies and centralized platforms for risk data aggregation are critical.
  • This should include a unified risk universe that:
    • Serves as a central repository for risks and controls
    • Establishes a common taxonomy and reporting structures
    • Includes data models and governance structures
  • Automated systems for risk identification can significantly reduce errors and improve response time while maintaining data consistency.
  • Compliance can be integrated into the risk management strategy to identify and address cross-functional risks effectively.
  • The risk and resilience management effort must also include regular reviews of emerging risks to identify and address them.

Cross-Functional Collaboration for Integrated Risk Management

Risk Management vs. Compliance and Audit: As organizations focus on integrated risk management strategies, they must consider cross-functional collaborative approaches that involve key stakeholders. The first step towards this lies in awareness of the nature of risks and how risk management differs from compliance and audit processes:

  • Risk is nebulous, and risk management operates in uncertainty in an environment that is fluid and where outcomes and priorities can change quickly.
  • Risk management must be constantly engaged and assess how external factors, ranging from regulatory change to political upheavals, can impact business decisions and strategies.
  • Compliance and audit, on the other hand, are structured processes that operate within defined boundaries.
    • For example, the US election results may not have an immediate impact on regulations, and compliance teams may not need to take immediate action, but risk management teams must anticipate and prepare for the impact of the election results on geopolitical landscapes, policies, and strategic direction.

The onus is on the risk management teams to communicate to compliance and internal audit functions how risk operates differently and why it needs dynamic management approaches. The risk team must drive the collaborative integrated risk management process and communicate emerging risks in clear, actionable terms. This helps compliance and audit align their efforts with the broader risk management objectives and ensures that all functions understand their separate but interconnected roles. Research and data-based tools such as competitor analysis, annual reports, and industry trend studies can provide context for teams and uncover unique risks and opportunities.

Structured cross-functional engagement and collaboration: A comprehensive enterprise-wide risk management and resilience strategy can only work if every key member across diverse teams is on board with the strategy:

  • Varied priorities must be addressed with a unified and shared GRC ecosystem that respects team boundaries and autonomy and facilitates collaboration, customization, and flexibility.
  • Shared KPIs can motivate teams. However, this is only a temporary measure, and the long-term focus must remain on establishing clear objectives and key results to ensure successful collaboration.
  • RACI models and compliance structures can help guide discussions and process alignment efforts.
  • Engaging teams to solve challenges or risk-based puzzles can be a simple but effective way to secure participation. For example, diverse teams can come together to assess the possible impact of AI risks and even suggest mitigation strategies. This not only helps them think beyond their roles, but also gets them actively involved in the risk management process. It also facilitates the sharing of diverse perspectives and ideas.

Simplified, Intuitive, and User-Friendly Systems: Key to Successful Integrated Risk Management

Collaborative effort on integrated risk management must be simple:

  • Systems and processes must be built with the end user in mind, particularly the front line that will interact with the systems.
  • Overly complicated or technical processes and systems will prove counter-productive in the long run as people on the ground may lack the technical expertise or specialized skillsets to use them correctly.
    • For example, if a facility manager has to execute complex controls, they are likely to do the bare minimum, leading to non-compliance, lack of data, and system failure.
  • Collaboration is also not a one-time effort but an iterative one that must comprise small, deliberate steps.
    • For example, an organization can begin the process with functions that apply to all departments, like policy and document management systems. Once these are addressed, they can move on to more complex areas like internal audit.

A Step-by-Step Guide to Implementation

Collaborative GRC implementation must follow a structured methodology to be successful:

  • Listen to the organization’s requirements and needs and understand their vision and objectives for the GRC program as well as overall business goals.
  • Educate them on how to best leverage existing investments – technology and tools – for maximum value.
  • Collaboratively plan by listening to all stakeholders. This fosters a feeling of ownership and involvement.

Leadership Support and Direction

Effective collaboration in GRC requires strong leadership commitment and executive sponsorship. CXOs must take the lead in championing GRC initiatives to ensure consistency, alignment, and long-term success. Key leadership actions include:

  • Championing Collaboration – CXOs must actively promote GRC collaboration and drive its adoption across the organization.
  • Ensuring Strategic Alignment – Leadership involvement ensures that GRC efforts align with business objectives and long-term strategies.
  • Optimizing Resource Allocation – Executive support secures the necessary resources for implementing risk management and compliance initiatives.
  • Driving Momentum – Leadership commitment sustains engagement and accountability in executing GRC strategies.
  • Linking Risks to Business Outcomes – Clearly connecting risks to organizational objectives helps secure leadership buy-in for an integrated GRC approach.
  • Directing Resources to Critical Risks – Leaders must ensure that the right resources are allocated to address the most pressing risks effectively.

A robust, resilient, and integrated risk management program is an iterative process that takes time, leadership vision, and cross-functional collaboration to develop and implement. Risk awareness and management in this challenging environment can no longer remain the sole purview of the risk and compliance department and must be embedded into every level and hierarchy of the organization. By strategically integrating risk management, compliance, and audit by design, organizations can create robust frameworks that drive accountability, operational resilience, and risk mitigation.

Interested in watching the entire session? Watch the video.


Liked this recap? It’s just a glimpse of the many discussions featured at MetricStream’s biggest event, the GRC Summit. The GRC Summit has been a key platform for the GRC community to come together, share knowledge, exchange best practices, and explore what's on the horizon for GRC. Whether it's new technologies, evolving processes, or upcoming regulations that could reshape your business, you’ll discover it all at this event.

Register now for the next GRC Summit in London on June 10th-12th, 2025.

Our ConnectedGRC product streamlines governance, risk, and compliance processes by integrating real-time data. It provides a centralized platform for managing risks, ensuring compliance, and driving business resilience across the organization.

To learn more about how MetricStream can help with ConnectedGRC and an effective Enterprise Risk Management strategy, request a personalized demo today!

Frequently Asked Questions

Managing interconnected risks with a connected approach means replacing siloed risk functions with a unified strategy that links risk, compliance, and audit across the enterprise. Rather than addressing each risk independently, organizations identify how risks cascade and coordinate responses across all functions to prevent compounding exposure.

In an integrated GRC program, risk management identifies and assesses uncertainty, compliance ensures adherence to regulatory and internal obligations, and audit independently verifies that controls are operating effectively. Each function has a distinct role, but all three are interdependent and must share data, insights, and objectives to be effective.

Cross-functional collaboration is essential because risks do not respect organizational boundaries. A threat originating in IT can escalate into a financial or reputational issue within hours. When risk, compliance, legal, operations, and business units share a common risk framework and communicate proactively, organizations can identify and respond to emerging threats before they compound.

A unified risk universe is a centralized repository that consolidates risks, controls, processes, and taxonomies into a single governed framework shared across risk, compliance, and audit functions. Organizations need one to eliminate duplicated efforts, ensure consistent risk definitions, and create a complete enterprise-wide view that supports faster, more informed decision-making.

Organizations should embed risk awareness into frontline roles through structured training, clear escalation pathways, and accessible reporting mechanisms. Frontline employees encounter operational risks before they surface in management data. Equipping them to recognize and report issues early extends the organization's risk detection capability beyond the second and third lines of defense.

Leadership sets the tone for how seriously risk, compliance, and integrity are prioritized across the organization. Without visible executive commitment, integrated GRC programs lack the authority and resources to sustain cross-functional engagement. Leaders must model risk-aware behavior, allocate appropriate investment, and hold all functions accountable for their role in the GRC program.

Standardized risk methodology ensures that risks are identified, assessed, and scored consistently across all functions and business units. When every team uses the same taxonomy, thresholds, and reporting formats, aggregated risk data becomes comparable and reliable. This consistency is what makes enterprise-wide risk visibility possible and allows leadership to prioritize treatment accurately.

Organizations should start by establishing a shared risk taxonomy, defining roles across the three lines of defense, and implementing a common platform that enables data sharing across risk, compliance, and audit. Early wins typically come from eliminating duplicated assessments and creating structured forums for cross-functional risk communication before broader program integration begins.

A resilient risk management framework is iterative because the risk landscape, regulatory environment, and organizational structure continuously evolve. A framework built for today's risks may be inadequate within months. Regular reviews, scenario testing, and updates ensure the program remains relevant, effective, and aligned with both current threats and the organization's strategic direction.

Organizations operating across multiple geographies, regulatory regimes, or business lines benefit most, as the complexity of managing siloed risk functions scales quickly. Highly regulated sectors, including banking, insurance, healthcare, and energy gain particular value, but any organization where operational, regulatory, and strategic risks intersect has a strong case for integration.


Sumith Sagar, Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales, and sales enablement. With over 12 years of risk management solutioning experience spanning Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM), and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.