Better KM = Better ERM
Published on June 26, 2021
Imagine an IT services company that is looking to onboard subcontractors from India, Bangladesh or the Philippines, who are to provide critical staff and skill augmentation for a key project commissioned by a major customer. Onboarding the right vendor is pivotal to ensuring reasonable margins on the project delivery, but when looking at working with subcontractors, there are various risks to consider – which are often captured in a Third-Party Risk Management (TPRM) Programme.
The Program Manager (PM) wants to follow due process to ensure all potential outsourcing risks are identified and mitigated ahead of time. Despite their awareness of a TPRM process that the company follows, this is how the story unfolds:
- The PM is not able to quickly locate the TPRM policy and procedures document,
- When the associate is finally able to locate it (after spending a few hours doing a brute-force search on shared folders/drives and asking around), neither of them is sure whether they have the right version (there is more than one document with similar headings and content available, with little/no version control),
- After spending a few more hours speaking with the finance and risk management teams, they finally get their hands on what appears to be the latest version of the policies and procedures document. The policy requires them to obtain and document approvals from the Finance Head and Operations Director,
- Given the time already spent to get to this point, they are now worried about comments and modifications from both approvers, collating these and making sure they have one final, clean version of the approval. Getting this sorted is likely to impact their overall turnaround time,
- Finally, they are able to get both the approvals, but barely in time to onboard the vendor and submit their final proposal to the client,
- Given the last-minute rush, the PM and the associate forget about appropriately filing the approvals and the underlying analysis and working papers which are stashed away in their emails and/or their personal PC; instead, they focus on program delivery,
- A few months later, when the PM and the associate have left the company, the vendor file is picked up for an Internal Audit review from a third-party risk perspective. The final approvals cannot be located and there is no evidence of compliance with the TPRM policy,
- Amongst other things, the program team is asked to redo the TPRM approvals. This impacts the program team in many ways:
  - There’s a finding in the Internal Audit report that the TPRM program ‘needs improvement’,
  - Duplication of effort causes the margins to go down,
  - There’s an increased cost of compliance given the vendor had to be approved more than once, and
  - There’s frustration and loss of morale in the program team.
In my view, for a robust Enterprise Risk Management (ERM) program to thrive in organizations, there needs to be a culture of continuous exchange and application of knowledge from different parts of the business and the risk management teams.
Having said this, and in spite of various resources available at the disposal of risk managers, knowledge management (KM) very rarely features in strategic conversations and decisions on enhancing ERM.
What is ERM?
Enterprise Risk Management (ERM) is an integrated and joined-up approach to managing risk across an organization and its extended networks. It’s as simple as that – an enterprise-wide view of the risks and of the controls that help mitigate those risks.
But is it this simple?
If it’s enterprise-wide, then everyone who’s part of the enterprise, i.e., the Board, Management, staff and sometimes even third parties like suppliers/vendors, would need to have knowledge of the various risks to the enterprise and how they can help mitigate them. There is also a need for everyone to have the right knowledge, skills, and information to follow the controls (policies, procedures, etc.) designed and implemented to manage the risks.
For an ERM program to be highly effective, everyone in the enterprise should have the right information at the right time, and be connected to the right people.
This is where an effective enterprise KM program can help.
What is KM? What is enterprise KM?
KM is a collection of systematic approaches to help information and knowledge flow to and between the right people at the right time.
In the example I discussed earlier, imagine a scenario where the PM is able to quickly access the most current TPRM policy and procedure document, consult with the risk management team, and obtain approvals from the Finance Head and Operations Head, asynchronously, using an IT system that logs all approvals and the underlying analysis within the system.
The benefits of such an approach are manifold:
- Reduced cost of compliance,
- Better risk management,
- Improved internal audit findings,
- Improved margins (due to reduced cost of compliance), and
- Improved employee morale.
An enterprise KM approach requires that the enterprise strategically manages knowledge resources and facilitates access and reuse of knowledge and information between different stakeholder groups.
Enterprise KM as a critical element of ERM
Enterprises that manage knowledge, and by extension manage risk knowledge in an effective manner, stand a better chance of ensuring the success of their ERM program. Let’s see how this works in practice:
- Better compliance: Timely and easy access to authoritative and accurate information, policies, tools, and training for members of management and staff ensures higher compliance rates and, by extension, reduced risk.
- Continuous improvement:
  - By sharing risk management experience through case studies, working groups etc., the risk management teams learn together and enhance their ability to manage enterprise risk,
  - By participating in knowledge sharing activities such as sharing of best practices and lessons learnt, management and staff learn to respond better to risk events.
- Holistic view of risk: Knowledge sharing across different parts of the business, members of staff and management from different office locations and the different risk management teams helps merge, categorize, and blend different risk factors and controls for a more holistic view of the ERM program.
- Succession planning: A sound KM approach to ERM ensures that when a key member of the risk management team walks out of the door, they don’t walk away with years and often decades of institutional knowledge.
A best practice ERM program based upon sound KM principles
Here’s a small checklist of items that you might want to think about when building your best-practice ERM programme that is founded upon sound KM principles.
- Build an Intranet or Knowledge Portal or a Document Management System to store, seek and share risk knowledge (Top Tip: if you already have one in your organization, keep it under review and get a KM specialist to update it every 1-2 years)
- Consistently develop and disseminate risk knowledge to different parts of the business, members of management etc. (Top Tip: try multiple channels and media to communicate relevant information to a highly targeted audience instead of a bulk email approach)
- Build an active Risk Knowledge Champion network who promote knowledge sharing behaviors at the team level (Top Tip: find ways to incentivize the participation of the Risk Knowledge Champions to drive stronger adoption)
- Build an active risk-related Community of Practice (CoP) to discuss best practices, lessons learnt etc. (Top Tip: try to involve members of management and staff i.e., not just the risk management team to take an active role in the CoP)
- Periodically assess your KM program’s maturity to identify areas of improvement (Top Tip: Use a simple KM Proficiency Assessment Tool to quickly understand current state and areas to develop)
Written by Sairam Natarajan, Chief Ethics Handyman at Business of Ethics, and an ethics, risk & compliance professional with about 15 years of experience leading ethics, governance & risk management programs for multi-national professional services organisations in the UK, US & India.