Think about an emergency room for a moment. We count on the people in these high-pressure situations to manage the whirlwind of activities that occur during an emergency.
To accomplish this, professionals in the hospital rely on a careful division of labor.
They do not have countless medical professionals in the room who all focus on triage. Instead, they have a mix of nurses, medical assistants, triage doctors, surgeons, and countless other specialties on call. This division ensures that the patient’s needs are met with the utmost care.
Notice also that these different roles work in unison.
Rather than keeping the different disciplines segregated, they work together to successfully manage the tasks that arise.
Within a risk-based team, the tasks at hand might not be as urgent as they are in an emergency room, but they do require a mix of skills and talents.
Bringing together members that have different specialties ensures that the team can perform to the highest ability (and in many cases is required to get work done at all).
Identifying the GRACE-IT roles and understanding their importance
As a team, you will tackle various challenges. You have a “PURPOSE” and that purpose encompasses a certain scope of responsibility. Your team might:
- Be an ongoing department or function (e.g., compliance, audit, risk, internal controls, infosec)
- Be a temporary initiative or project
- Address a specific topical area (e.g., financial crimes)
- Address a cross-cutting shared process (e.g., training or policy management)
Regardless of what your scope is, you need a well-rounded mix of skills on your team to ensure you deliver creative solutions and high performance. We use the acronym GRACE-IT to remember the key skill areas.
Governance and strategy
Governance and strategy professionals bring skills that help to understand the business and operating environment. They understand the organization, its mission/vision/values and how the overall business is designed to achieve objectives.
These skills are used to “draw lines” from business strategy to tactics, programs, and initiatives. This is a critical part of any team because you need to understand how the team’s work impacts the organization as a whole.
Some of the important skills that comprise governance and strategy include:
- Defining mission, vision and values and business objectives
- Understanding industry forces that impact the organization
- Designing a business model to achieve objectives
- Designing governance and management activities to ensure the proper indirect and direct control of the organization
Make sure that you have these skills on your team to ensure that any solutions that the team proposes are linked to things that REALLY matter to the business.
For example, if your scope is “third party management” the governance and strategy skills on the team will:
- Understand the relative and economic importance of third-party relationships to the business model
- Draw lines to demonstrate how “third party management” helps the organization realize and secure revenue in growing economies
- Understand how the team’s work reduces costs and cycle time to forge valuable relationships in new markets
Without these skills, you might find your team saying something like, “We are doing third party management because we have to.”
You might think this is hyperbole. However, I assure you it is not. The number of teams doing third-party management who understand precisely how they support business objectives might surprise you -- in a bad way!
Risk and performance
By definition, “risk-based work” deals with “risk.” And, modern conceptions of risk and risk-based work make the point that addressing risk is really about making better decisions under uncertainty.
Interestingly, modern conceptions of performance management make the point that addressing performance is really about making better decisions under uncertainty.
So, in some ways, these disciplines have converged. Their difference is really in emphasis rather than kind. For example, risk-based work tends to focus more on the negative effects that uncertainty has on objectives, and performance management work tends to focus more on the positive effects.
To be fair to both disciplines, we should recognize that both risk-based and performance management, when done properly, address both the positive and the negative effects -- but for most people, risk is associated with the negative and performance is associated with the positive.
Risk and performance management skills help the team:
- identify opportunities and threats for achieving objectives;
- analyze things that might happen (and determine when to use more or less sophisticated modeling to understand these things);
- implement governance and management actions to indirectly and directly control the organization; and
- monitor the effectiveness of management decisions.
Continuing with the example of third-party management, the risk and performance management skills will help the team model the current economic spend and performance of the existing third-party management program. Then as the team considers new options for tackling this area, risk and performance management skills will help the team (and the business) identify things that might happen to 1) get in the way of successful third-party management; and 2) facilitate successful third-party management.
While not exhaustive, this list of techniques helps you understand the kind of quantitative and qualitative capabilities that your team needs:
- Design thinking
- Scenario planning
- Sensitivity analysis
- Dependency analysis
- Simulation modeling (deterministic and non-deterministic)
- Causal inference modeling
- And more!
These are the kinds of hard-core analytical skills that drive effective decisions to manage risk and performance.
Audit and assurance
Audit skills help the team understand, in advance, the areas where management will want (or should want) assurance that what management BELIEVES is happening actually IS happening; and that it is ENOUGH given the organization's objectives.
Not every aspect of the organization requires high levels of assurance. And, not every assurance activity requires absolute objectivity. However, it is important to define areas where risk-based work should undergo periodic or real-time assurance activities.
Audit professionals often have skills such as:
- Requirements analysis
- Sampling and statistical analysis
- Forensic analysis
- Data analysis
- And more
Using the third-party management example, audit skills will help to either “build in” assurance activities or make the third-party management solution more “auditable” in the right ways.
Perhaps this entails developing a real-time report that notifies the board any time a third party receives a notice from a government entity. Perhaps this entails an annual forensic analysis of vendor financials. Perhaps this entails an annual audit to ensure that 100% of vendors have complied with code-of-conduct and training requirements.
Some risk-based teams don’t have a specific mandate to define their own assurance activities. Regardless, it is important (and smart) to have these skills on your team so that you can build in the right “hooks” to make the assurance work defined and done by others more effective and efficient.
Compliance and quality
There are both mandated and voluntary requirements that an organization must meet. You might think of these as the “boundaries” between which an organization must operate.
Mandated boundaries include laws, rules, and regulations dictated by the government. Voluntary boundaries include provisions in contracts or internal policies (it is important to remember that violating a voluntary boundary can result in even more damage to an organization than violating a mandated boundary). Quality management often specifies voluntary boundaries via specifications and targets for performance.
Your team needs to understand these boundaries and the requirements that must be addressed along the way. The way you address voluntary boundaries is more open. However, the way that you address mandatory boundaries is often regulated or, at a minimum, “highly recommended” by regulators.
Compliance professionals often mix management, legal, quality and HR skills including:
- Requirements analysis
- Risk analysis
- Policy management
- Training management
- Corporate communications
- Crisis management
- Attention to detail
- And more
Using the third-party management example, compliance skills might uncover a range of legal requirements in the way you vet vendors (information that you can / cannot ask for). Compliance skills will define the various legal requirements for which your organization is still accountable even though you’ve outsourced to vendors (thus you must be certain that the vendors are doing a good job in those areas). Compliance skills will ensure that you meet the minimum legal standards, and then go beyond these standards where the minimum isn’t enough to address the real risk.
As a final note, in the modern business environment, virtually every business process has some compliance aspect that must be considered. Having these skills on your team, even when you think that your team isn’t “doing compliance” directly, is critical to getting out in front of this reality.
Ethics and culture
Various professions focus on “ethics and culture” of an organization. Many compliance professionals consider “ethics” to be an important aspect of their job. Most HR professionals would consider “culture” to be an important part of their job. In fact, some chief executive officers might say that ethics and culture is their primary responsibility or even everyone’s responsibility.
To be sure, and in a broad sense, ethics and culture truly is everyone's responsibility. For those individuals charged with the responsibility of implementing and managing programs that are primarily designed to impact ethics and culture, there are a range of common skills:
- Organization design and development
- Industrial and social psychology
- Training and development
- Leadership development
- And more
Adding these skills to your risk-based work is important because many times human behavior and culture are at the root of the challenge you hope to address.
For example, addressing an issue such as harassment is really about building a culture of respect. Addressing an issue about discrimination is really about building a culture of equality. Addressing an issue about corruption is about building a culture of honesty and transparency.
Using the third-party management example, you can imagine building various assessment tools to vet supplier culture; or education to influence supplier culture; or surveys to measure supplier perceptions, or their employee perceptions about risk.
You get the idea.
In fact, sometimes, the best “controls” that your team can and should develop will involve building strong culture instead of processes or IT systems.
And, ethics and culture also have a measurable impact on how teams, themselves, perform and behave. They help to create a particular atmosphere, influencing how people interact with each other and how they view their role within the organization and the greater society.
IT - Information Technology
Information Technology (IT) is not only unavoidable in the modern organization, but also a critical component of business objectives. Your team will either build or modify IT systems as part of almost any solution. Having these skills on your team can be helpful.
That said, “IT skills” can mean a lot of things including:
- Enterprise architecture
- Application architecture
- Software design / development / testing
- Infrastructure design / development / testing
- Software as a Service / cloud
- Internet of things (IoT)
- And more
There is also a growing field of specific IT professionals and skills focused on risk-based work including:
- Information security
- Access control
- And more
Using the third-party management example, you will be a better team if someone is able to, first-hand and without standing in some “procurement queue,” assess the kinds of third-party management software that might be available in the marketplace. What does this software do? Are there new ways of looking at third parties because of new technology in the marketplace? And so on.
What happens when there is no mix?
If your team lacks this critical mix (the Critical 6) of skills, you will see a few problems arise.
Without governance and strategy skills your team will lack the ability to understand how the business really works. Your team will struggle to align their solutions with the rhythm of the business. And, your team might even hinder the progress of business operators without even knowing / noticing.
Without risk and performance skills, your team will lack the ability to address uncertainty using sophisticated thinking, modeling and decision-making tools. Your team will struggle to address the most important threats and opportunities, reducing the organization's ability to balance risk/reward.
Without audit and assurance skills, your team will lack the ability to think (ahead of time) about how various solutions might need to be evaluated by internal or external assurance bodies. Your team will struggle to design solutions that are “auditable” and drastically increase the work required by colleagues charged with that responsibility.
Without compliance and quality skills, your team will lack the ability to understand and address boundaries. Mandated and voluntary boundaries will be poorly understood or maybe even ignored. And, when external fear-mongers come in spreading gloom and doom around the latest regulatory fire-drill (how many cliches is that?), your team won’t know how to calmly assess the reality.
Without ethics and culture skills, your team will lack the ability to address the human factors at the root of so many issues. They will underestimate what it takes to transform the organization and shape enduring changes for the better.
Without IT skills, your team will be a prisoner to external vendors peddling the latest and greatest innovation (which may or may not work). Or, your team might be a prisoner to corporate IT, standing in line behind other “priorities” because of your inability to articulate the critical role IT plays in your solutions. Perhaps the worst consequence of not having IT skills on the team is not knowing what you are missing. There are so many opportunities to address risk-based work using new innovations … and you need to know about them!