The pressure to build and sustain a successful risk management program is rapidly increasing. Just this week, major U.S. financial institutions were given notice by the U.S. Treasury’s Office of the Comptroller of the Currency (OCC) that they must prepare to meet a new set of risk management standards and guidelines. According to the OCC’s news release, the proposed guidelines set forth the minimum standards for the design and implementation of an institution’s risk governance framework and provide minimum standards for oversight of that framework by the board of directors.
Central to these new guidelines is the need for a solid blueprint for success. Gartner has identified 10 critical elements that companies must address to integrate their enterprise risk management (ERM) framework with their governance, risk and compliance (GRC) technologies to create a risk-aware culture within the business. The following 10 elements (or what we call the “10 A’s”) and related questions form the basis of our ERM/GRC Blueprint.
- Appetite – How much risk are we willing to accept to achieve our strategic goals?
- Aggregation – How do we understand and articulate our total risk exposure in relation to a given strategic objective?
- Assessment – What is our current level of inherent and residual risk related to our strategic goals?
- Analytics – How can we model risk events that will have a material impact on our business operations?
- Applications – What technology is required to enable collaboration and communication of risk- and compliance-related information to support business performance and decision making?
- Architecture – How are GRC applications, automated and manual controls, risk monitoring, and risk and compliance reporting incorporated into enterprise architecture?
- Assurance – What policies, processes and controls are required to meet strategic objectives, as well as legal and regulatory mandates?
- Accountability – How do we reinforce the ownership of risk and control within the enterprise?
- Action – How can we ensure that employees act in the best interests of the company and within established risk tolerances?
- Achievement – What risk metrics are required, and how are they linked to performance metrics to ensure the desired business outcome?
Read our latest research to learn more about how you can use the ERM/GRC Blueprint and the 10 A’s to improve your risk management program.