Risk Management Central
Saturday, October 4th, 2008

The troubles on Wall Street have created a renewed and heightened interest in business governance, risk and compliance (GRC) issues. The Open Compliance and Ethics Group is a leader in this area and a great resource for those interested in strengthening their own corporate cultures.
A recent set of OCEG initiatives focusing on technology solutions that can help achieve unified GRC caught my eye, particularly an article titled “Risk Intelligence”. The premise is that information technology tools are available to assist companies in achieving “risk intelligence”, but there are three steps that need to be taken before companies develop such knowledge.
First, companies must identify their risks and determine at what level each risk becomes an “issue” worth addressing or resolving. It’s basically a process of categorizing and prioritizing risk. Once identified, that information becomes the building block for determining what risk indicators need to be tracked and how they should be quantified.
Second, the collected information must be evaluated and quantified. Third, the risk must be responded to and the response data collected and examined for effectiveness. This response database can then serve as a resource if the problem recurs and management wants to see what’s been done before and whether it worked. It’s an institutional memory.
The technology tool sounds wonderful and will no doubt play an important part in automating and integrating GRC initiatives. But I can’t help comparing the situation to the fellow who buys a big fancy project planner in the hope that he’ll get better organized. Buying the planner may make him feel better, but if the data is not input properly and maintained, the system will be just as cluttered and ineffective as the pile of jumbled post-it notes on his desk. Relying on an IT system could therefore lull some companies into the same complacency trap.
Quantifying risk may create the appearance of turning soft concepts into hard science. But IT systems are no substitute for good GRC practices, any more than a project planner will organize your projects for you. To be effective, the IT system and the project planner will require care and feeding on both the front and the back end. Sure, the data being collected will need to be analyzed and responded to. But the risk being measured will also require a periodic reassessment of whether it is still an appropriate risk to be measuring.
Markets and business climates change. They are dynamic. These changes can impact your company’s legal risk profile. That’s why there must be a periodic review of what is being measured to determine whether the metrics continue to be meaningful. If not, you could be measuring the wrong thing and wind up with a bunch of feel good numbers that offer a false sense of security instead of a robust system for identifying and managing unwanted legal risk.
What could your business be doing to keep its finger on the pulse of its changing legal risk profile?