As Thomas Jefferson once said, “With great risk comes great reward.” The race toward competitive differentiation calls for organizations to be bold, but at what cost? In business, we must understand measured risk while demonstrating a willingness to be daring in our pursuit of enterprise value. This utopian balance of risk, business value and regulatory compliance might not be as close as we’d like, however. So if the scales aren’t perfectly balanced, where should organizations place their best bet then?
In our small focus group alone, the answers to this question fell along a spectrum—enterprise value, compliance, risk and even a reversal of priority. While the strategic emphasis of your governance, risk management and compliance (GRC) programs might not be universal from one enterprise to the next, the one that takes precedence is largely based on your individual organization.
Risking for value
The aftermath of the financial crisis of 2008 drastically altered the landscape of risk. According to the Institute of Risk Management, “A successful risk management initiative should be proportionate to the level of risk in the organization, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.”
The key here is not only to understand the risk but also to define the comfort threshold for such risk, thereby eliminating unnecessary risk or what was not understood to be risky. Too often, we don’t spend enough time identifying this threshold, exposing our vulnerabilities and the associated dangers of reputational risk—certainly an area of risk management that does not get enough attention. The loss of customer trust, anywhere along the complex buying journey, is a risk that can no longer be underrated.
Yet, not all risk is bad. In these times, we must show that, yes, we’re being safe, but we must retain the spirit of entrepreneurial boldness. This is often articulated through what is known as enterprise value: “This is the potential dollar amount or business value we can return, and this is the amount of risk that it’s going to take.” If you’ve been following this series, then you know we’ve already made our case for operational efficiency to secure buy-in for your information governance programs. The future of sustaining the support and funding of your governance programs lies within the return on investment (ROI) of business value.
It takes the right people to risk
No discussion of your GRC programs is complete without addressing the deep and transformational changes to organizational culture and behaviors that are required—changes that are sorely lacking in so many enterprises. I’ve talked about how this change must begin at the top, but what exactly do we mean?
According to Forrester Research, “There must be active engagement and reinforcement.” Their advice is to:
1. Work with leaders to constantly connect mission and values to risk and compliance culture
2. Underscore the need for leaders to live the values they preach
3. Set real consequences based on fair judgment
Beyond addressing enterprise value, we must also look at individual value. What does an information manager do with individuals who might not understand enterprise value but certainly understand that you’re telling them they can’t do what they’ve been doing for the last 20 years? This means you have to be quick on your feet in order to champion change. Communicating the personal benefits to that particular employee, as well as the long-term impact to the business, is the building block for articulating value.
As I’ve mentioned before, a best practice for implementing any strategy is a phased approach (see our Executing the Document Strategy Framework). Organizations can even calculate a composite score, with consultancy help, of those divisions/programs in the enterprise that represent the lowest barrier to implementation while realizing the most benefit. Selecting those with the highest composite score to begin the roll-out of your strategy can result in producing the success stories you need, which can be self-aggrandizing. Those divisions with the lowest composite score, or the greatest barriers to implementation, can then see the value of the program through use cases.
I believe driving enterprise value is the end goal we should be striving for in our strategic governance programs. While we all might not be there yet, here are our recommendations to get you a little bit closer to this future state:
- Know your environment: Every company is different. Are you shrinking or growing? Are you operating in a highly regulated industry? Is your leadership more or less risky? Really talk to your people to discover where the most emphasis is needed to make an impact. Take the time to figure that out.
- Set a strategy, and stick to it: Be diligent in obtaining the goals you set forth or revise as needed along the solution journey. It’s very easy to abandon the strategy when bottlenecks or barriers emerge.
- Communicate: How you are communicating across the organization cannot be underestimated. Clearly explain what you’re doing, how you’re doing it and the benefits of the program. You must evangelize change.
- Performance measurements/metrics: If you don’t know where you started, it will be hard to show where you ended up. By assessing your current state and developing metrics of progress, you will clearly demonstrate gains and efficiencies realized.
What about you? Do you put the most emphasis on enterprise value, risk or compliance management? Leave a comment below to tell me which you think is the most important.
This article borrowed discussions from the DOCUMENT Strategy Media Information Management/Governance Focus Group. We’d like to thank these professionals for their thought leadership, time and efforts in the advancement of information management and governance. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Information Management/Governance Focus Group or their employers. Information therein is not representative of any one company, industry or product, and any similarities are strictly coincidental.
Information Management/Governance Focus Group Members are:
Vice President, Enterprise Data Governance and Management
James Kennedy, CRM, IGP
Manager, Records & Information Management
Manager, Information Governance
Washington State Department of Ecology
Courtney Stone, CRM
Manager, Records and Retention
AMOCO Federal Credit Union
Mark E. Fackler
Business Systems Coordinator, Midstream
Allison Lloyd serves as the editor of DOCUMENT Strategy Media. She delivers thought leadership on strategic and plan-based solutions for managing the entire document, communication and information process. Follow her on Twitter @AllisonYLloyd.