In our recent webinar, Risk in Motion: Seeing risk before the incident, Protecht’s Terence Lee and I explored how organizations can move beyond static, point-in-time assessments to a more dynamic, connected, and real-time approach to enterprise risk management.
We covered a lot of ground – from integrating core risk processes and automating workflows to enhancing assurance and visibility through real-time data. As always, the audience brought insightful questions that sparked deeper conversation.
Below is a roundup of some of the key questions we didn’t get to during the session, along with our expert answers.
Watch the on-demand webinar to learn how dynamic, connected risk processes can help your organization stay ahead of emerging threats:
Questions
- I get pushback when presenting risk reports or results that suggest "low" risk with limited evidence. How does your Risk in Motion concept help with that?
- Does Protecht ERM software consider how big a mitigation’s cost-effort requirement is when calculating residual risk?
- What would be the best route to build a good connection between multiple business units for risk interaction and consistency of reporting?
- How about product risk management?
- Who should be responsible for control assurance – Line 1 or Line 2?
- What is the difference between control assurance and quality assurance in audit? Are they the same, and if so, why duplicate the work?
- You mentioned that issues and incidents are different. Could you elaborate on this? How should we manage them differently?
I get pushback when presenting risk reports or results that suggest "low" risk with limited evidence. How does your Risk in Motion concept help with that?
This is an important question. When we meet with potential clients and explain Risk in Motion, stakeholders often say, “Oh yeah, we’re already doing that.” When we ask them to share the results, they struggle: the data is outdated, or sits in five different formats compiled by five different business units, or lives in spreadsheets whose format changes with whoever is in management.
Risk in Motion is a framework for good risk management: risk and control libraries, control assurance, metrics, attestations, issues, incidents and audit findings. Applied consistently and correctly, these components work for any type of risk in any type of company. Because each risk rating is linked to the control tests, metrics and attestations that support it, you can always drill down into the specific evidence behind an assessment, so a “low” rating is backed by something more than an opinion.
Does Protecht ERM software consider how big a mitigation’s cost-effort requirement is when calculating residual risk?
The cost of a control can be recorded against the control data. This is separate from the control’s effect on the risk (whether it reduces likelihood, impact or both), which differs for each control or treatment option. If you already have a methodology or calculation that weighs cost and effort against risk reduction, the Protecht ERM system is highly configurable and can be adapted to it.
What would be the best route to build a good connection between multiple business units for risk interaction and consistency of reporting?
We love using risk taxonomies to enable aggregated reporting. Linking risks from a common risk library to multiple business units means every unit assesses the same risk under the same definition, which in turn enables consistent reporting across that risk type.
How about product risk management?
I assume this refers to our discussion of risk domains and specialization. There may be some product-specific steps you need to take, but our key message applies here too: the core risk management processes remain the same.
Who should be responsible for control assurance – Line 1 or Line 2?
In an ideal world, Line 1 provides assurance over its own controls. In practice these lines often become blurred, for a number of reasons; Line 1 may simply not have been trained well enough in control assurance or control testing procedures.
Where Line 2 currently performs control assurance, the aim should be to move it to Line 1. Even where Line 2 performs or supplements the assurance, addressing any weaknesses found is Line 1’s job: Line 2 may offer suggestions and expertise, but fixing what it finds is not its role.
What is the difference between control assurance and quality assurance in audit? Are they the same, and if so, why duplicate the work?
There may be some regional distinctions in terminology, but my interpretation (having held a quality assurance role many years ago) is that quality assurance focuses more narrowly on products and services meeting their quality objectives: monitoring calls in a call center, for example, or inspecting parts on an assembly line for defects.
Control assurance is broader. Controls manage many types of risk to organizational objectives, not all of which relate directly to products and services; fraud controls, for example, protect the organization rather than the product.
In a previous risk framework I managed, we captured a number of quality assurance activities as detective controls. The control register held the broad details (what each quality assurance check was intended to achieve), while each quality assurance process kept its own detailed checklist and acted as a feedback mechanism to frontline staff. The two are therefore complementary rather than duplicates.
You mentioned that issues and incidents are different. Could you elaborate on this? How should we manage them differently?
An incident is a risk that has occurred. Typically this requires some form of root cause analysis to determine which of the following applied:
- There was an inadequate process
- There was a control gap (missing control)
- There was a control weakness (not working as intended)
Each of these is an issue arising from the incident. Issues can also arise from the other processes we covered in the webinar, such as a risk metric moving outside tolerance or control testing identifying a control weakness. In terms of handling, some issues arise within their own process and can be linked directly to actions there; creating a separate ‘issue’ record for those is just busywork. Others, such as internal audit findings, warrant more formal capture, whether they are called findings or issues.
Conclusions and next steps for your organization
If you missed the live session or want to revisit key insights, you can watch the full webinar on demand here.
To see how Risk in Motion works in action, and how Protecht ERM can help you move from static to dynamic risk management, request a demo with one of our experts today: