Subjectivity plays an important, yet dangerous, role in risk management. By their very nature, subjective perspectives are held in the mind of the beholder and, as a result, depend on the individual’s knowledge and experience. These perspectives can lead to biases that affect how well risk is codified.
Moreover, subjectivity is an indispensable part of certain risk management processes. For example, consider the risk assessment. Early steps include querying individuals with the goal of identifying and assessing risks. Depending on the subject, job and role responsibilities, and familiarity with the business and its nuances, the resulting risk management data is mixed at best. This leaves the risk management function with the difficult task of interpreting what has been obtained as input to the identification and assessment process. Too often, these interpretations exacerbate subjectivity; at best, subjectivity leads to inefficiencies in the risk management data collection process. The outcome puts the risk program's reputation for efficacy in the crosshairs of executives, the board, audit, and regulators alike.
Software Enablement
Conversely, objectivity seeks to remove judgment and bias by establishing its foundation in data and fact. One tool that is crucial to supporting objective risk management is Governance, Risk, and Compliance (GRC) software. These GRC solutions, which are frequently aligned to the “lines-of-defense” model, set the foundation for activities like audit, information security, enterprise and operational risk management, and compliance. These solutions act as a repository for collecting relevant internal and external risk data. This data, whether structured or unstructured, provides the foundation to articulate the collective risk profile of the organization, a business, or function.
The software provides the means to analyze, aggregate, and disaggregate data in digestible formats. For the data to be relevant, though, it must be organized in a way that is useful to the user or consumer of risk information. Given that risk is fluid, changes frequently, and has the potential to occur often (e.g., cyber-attacks), the software must be nimble enough to allow for dynamic processes such as the assessment of risk. As a result, configurability of the software, versus requesting custom code from the vendor, is essential. This allows the individual to obtain the data that is most relevant and use that data as the basis for educating the business in support of decision making.
Of course, the largest variable for objectivity is the quality of risk data. The adage “garbage in, garbage out” could not be more applicable. The ability of the software and the technology to automate or incorporate data feeds, whether internal to the organization or external, helps to ensure that individual opinion is minimized.
In the end, objectivity in the risk management process substantiates conclusions made on the strengths and weaknesses of the risk profile. The use of software and technology acts as the keystone to this process as data feeds and audit trail capabilities provide clarity to the data’s genesis, changes, and basis in fact.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.