Discover what leading GRC executives are doing to build effective risk management programs that drive exceptional performance.


Across the world, companies with a high risk maturity are demonstrating that risk management programs can drive the business forward, and catalyze growth by giving stakeholders the risk insights and intelligence they need to make informed strategic decisions. Strong risk management programs enable organizations to understand their risk appetite better, proactively identify the risks that matter, and build robust controls around them - all of which lead to greater resilience and better business performance.

So, what does it take to reach this level of risk maturity, and to align risk management with performance? At the MetricStream GRC Summit 2016, MetricStream COO Gaurav Kapoor sat down with leading GRC executives to understand how they are strengthening business performance through effective risk management. Here are some of their insights:

1. Understanding the Context of Risk

“It’s about all 3 lines (of defense) getting together to not just look at risk in isolation, but look at risk within a context. And that context is increasingly the context of process. So, where we have a control failure, we’re not simply looking at how we can make that control better, but why we have that control in the first place – what is its point? So much of our focus now is looking at processes front to back. Why do we have the controls that we have in the first place, what is their purpose, and are they necessary? Many of the controls we have will probably at some point touch the customer experience. So how can I improve my customer experience on the back of that without compromising my risk appetite? Controls probably also drive cost. The more controls I have, the more cost there probably is in the organization. So when I look at that holistically, I can make sure that I’m getting the right balance between risk, and customer experience, and cost. Once we start to do that, the business actually sees that there is massive benefit to them.”

Philip White, Executive Director, Framework and Conduct Risk, Compliance and Operational Risk Control, UBS


2. Culture, Culture, Culture

“The problem with culture is that it’s easy to describe, but it’s hard to measure, and it’s really hard to enforce…We are looking at risk culture in a number of dimensions: Management governance - what structures do we put around what people do? Motivation and incentives – incentives count for quite a big chunk of many of the conduct issues we’ve had over the last 5-10 years in the industry. Therefore, managing those incentive programs, and linking them better to the returns to the customer, the returns to the shareholder, and the organization, is one step. Consequences is the one area that we’re focusing on – not just in terms of recognizing bad behavior and calling it out, but also recognizing good behavior and forcing people to confront and take real accountability for the decisions made.”

Len Sinclair, Group Head of Operational Risk, Barclays


3. Integration and Tone at the Top

“The biggest challenge we’ve seen is people working in silos, especially in large global organizations. So collaboration and effective communication are important, as is the participation of key stakeholders in risk management decision-making, and support from the top management. We talked about ethics and integrity - if you have the support of management on ethics and integrity, certainly aspects of risk reporting will improve. So the cultural change has to be enabled through a top-down integrated risk management model with the participation of the business.”

Sudheesh Babu, General Manager & Global Head - Risk, Compliance & Assurance, Wipro


4. Meaningful Discussions With The Business

“When risks come along, the temptation is for the business to think that the Risk function will try and stop the business from doing things. My view is that I don’t want to stop anyone from doing anything. I want them to stop making silly mistakes, or to take steps to avoid making mistakes which might come and bite us later. And I think the way we do that is to test assumptions. People are very good at logging obvious assumptions but I think, quite often, they’re not very good at logging some of the implicit assumptions that underpin what they’re doing. And by asking questions about innovation for instance – what does that really mean and what are you really accepting, what we find is that we have a much richer debate than we would have had. We’re seen as challenging rather than acting as someone who’s saying no.”

Len Sinclair


5. Simplifying Risk Management

“At the heart of it, operational risk is not rocket science, and yet, what we all have a tendency to do is to over-complicate everything. I don’t think we make it that easy for the first line of defense to do the things they’re supposed to do to identify and manage operational risk. And I think we have a tendency to drive some of the wrong behaviors - there’s a consequence. So I think it’s critical to make things simple - give our people the right data and the ability to make the decisions that they need to make. We’re also investing quite heavily in a program to simplify our operational risk processes - because if you’re in the first line of defense trying to make money for the organization, that is your primary objective. If our framework processes to manage and control operational risk just make that activity more complicated, it really doesn’t help. So simplification not just in systems, but also in processes and frameworks is really our key mantra at the moment.”

Philip White


6. Collaboration and Team Work

“You need to have a group of people who understand where each other stands on a particular issue. Take cyber security - you can’t just have your IT group doing cyber security; you have to have run scenarios and war games to determine what can happen; because, if you’re waiting for the ‘what if’ to occur to have those conversations at the point of time it occurs, you just can’t react quickly enough. And in order to react, you have to have all the players know who their peers are. They have to understand that I may see the front of the elephant, and you may see the back of the elephant, but unless we figure how to stop that elephant from charging, we’re not going to be able to hit that risk.”

Isabel Smith, Director of eGRC Programs, Johnson & Johnson


In Summary

“Building a successful risk management program isn’t something that happens overnight. It’s a continuous journey of introspection, re-evaluation, and evolution. The key is to establish a pervasive culture of risk management across the enterprise by making risk management so simple and intuitive that it can be embedded deep into employees’ daily routines. Just as important is to align risk management to strategic objectives in order to have meaningful discussions with the business, and to enable them to go after the opportunities that truly matter. Communication is another key factor - stakeholders across the three lines of defense should be able to collaborate easily on risk management activities, while also running a scenario analysis of various risks, and collectively deciding on the best possible response. Finally, it is absolutely imperative to keep re-evaluating your approach to risk management -- eliminate controls and processes that are no longer relevant or useful to the business.”

Gaurav Kapoor, COO, MetricStream


The Enabling Role of Technology

(Figure not reproduced.)


