Category: GRC/ERM

How Companies Can Support Their Employees (and Clients) During COVID-19

Globally, we are seeing companies being pushed into having a remote workforce, whether they are ready for it or not, especially as more US states and countries issue shelter-in-place orders to slow the spread of COVID-19. While shifting to a remote workforce may seem like an impossible feat, there are steps you can begin taking now to help your employees transition, and by extension, improve the experience of your clients. Since our inception, Origami Risk has valued its remote capabilities and the talented team we’ve been able to curate because of it.

Whether you are a work-from-home veteran or not, we’re all facing unique challenges in this new environment, from learning to work alongside your spouse and kids to dealing with the challenges of conferencing technology. There is always a learning curve when transitioning from office to home. As a company of “remote work gurus,” we’d like to help make that learning curve a little shorter by sharing what helps Origami’s dispersed team efficiently work from home, all while servicing clients without interruption.

Have Readily Available Resources and Training

Some employees have fully equipped home offices, while others may have difficulty adjusting to their new work environment for a number of reasons. Whether it is a lack of technological savvy, difficulty working without a second monitor, or simply the social adjustment that comes with telecommuting, there are a number of obstacles that can work against an organization that’s suddenly forced to shift to a fully-remote workforce. First and foremost, it’s important to check in with employees to make sure they’re equipped with the tools and resources needed to effectively work and service their clients.


Demystifying ERM

Enterprise Risk Management (ERM) is all too often shrouded in ambiguous, confusing terminology that provides little clarity as to what, exactly, ERM programs do. It’s also not uncommon for an organization facing a barrage of evolving risks (cyber, reputational, supply chain, environmental, etc.) to create an ERM program with the hope/assumption that somehow — as if by magic — those risks will be mitigated. It is no wonder then, that many stakeholders remain confused or highly skeptical about the effectiveness of ERM programs, even as they recognize the pressing need to do something about emerging risks.

Proponents of ERM frequently point to heatmaps as a primary deliverable, which may only make the situation worse. While heatmaps can be a good tool when used properly, they aren’t necessarily the end goal. Furthermore, when used improperly, they simply highlight risks that the organization already knows about. The article Five Benefits of Enterprise Risk Management summarizes what this can lead to:

“Many organizations struggle with implementing ERM and identifying how, and at what level, to integrate it into their organization. Managers often say they are already aware of the risks for their respective areas of the business. In these situations, what value does ERM provide, and how does it enable better perspectives and management of risks and risk data?”


What Risk Managers Can Learn from the Coronavirus Crisis

The alarming spread of the new coronavirus and its potential effect on the global business environment can be seen in recent financial market adjustments. The hyper-quick emergence of this risk is likely to spur a number of questions for risk managers whose organizations have international reach:

  • What happens if the coronavirus expands and becomes a pan-Asia crisis?
  • What do we do if our supply chain in large parts of Asia is threatened?
  • Does potential market upheaval have the potential to threaten critical capital projects?
  • Will this disrupt R&D that relies on technical research taking place in the region?

As troubling as these questions are, there is a wider view that is potentially even more unsettling.

The curse of living in interesting times

“May you live in interesting times” is a proverb that was supposedly intended as a curse upon enemy states. Recent events demonstrate why that should not be considered a blessing. Houston endured a 500-year flood three years in a row. Preemptive power shutdowns last year in Northern California illustrate the effects of colliding risks (wildfires from extended droughts and inadequate energy infrastructure) on the business environment. Geopolitical risks with far-reaching ramifications (from the unknowns of Brexit to the escalating tensions between the U.S. and Iran) are mushrooming.

Applying a traditional approach to enterprise risk management in such turbulent times could lead to disastrous results. Fortunately, the coronavirus crisis offers three valuable lessons that could help all organizations be much better prepared to face similar challenges.


Three trends from the 2020 Origami Risk User Conference

Origami Risk users gathered in San Antonio from January 12-16 for our 2020 User Conference. The fifth such event hosted by Origami, this iteration of the conference was the largest to date, with more than 500 people representing organizations from across the risk and insurance industry in attendance.

Collaborative, hands-on learning opportunities led by members of the Origami service team ranged from “boot camps”—introductions to the system for newer users—to instruction on setting up dashboards and reports to more advanced topics such as system administration. Attendees also had the opportunity to meet with an Origami expert for one-on-one sessions for a closer look at specific features or areas of the system they wanted to know more about.

Client co-presenters led sessions covering a wide range of topics including GRC, underwriting, safety, audits, and claims administration, to name just a few. As in previous years, the delivery of actual use cases and the opportunity for those attending sessions to ask questions about the ways in which Origami Risk is being used to address “real world” challenges provided a unique opportunity for peer-to-peer learning.

Why the California Consumer Privacy Act (CCPA) may be the tip of the regulatory iceberg for compliance

On January 1, 2020, a new California regulation went into effect that may push many unsuspecting enterprises doing business in the state into costly noncompliance while also introducing reputational risk and threatening their brands. The California Consumer Privacy Act (CCPA) grants new consumer rights related to data storage, use, and protection. Companies failing to comply with these rules can be fined up to $7,500 for each violation. Despite the potential impacts, a recent survey by the IT security firm ESET shows how ill-prepared most enterprises are regarding this new compliance obligation:

  • Nearly half of all respondents had never heard of CCPA
  • More than 8 in 10 respondents did not know if the law even applied to their business
  • A third of executives were unsure if their organizations needed to change how consumer data was stored/processed
  • Nearly 1 in 4 respondents “didn’t care” about becoming compliant
  • More than half had not performed a risk assessment on cybersecurity within the past year

Given the stakes involved, this broad lack of urgency is concerning but not all that surprising. A DataGrail survey indicated that despite investing thousands of hours and being given a two-year head start, only half of the companies reported achieving compliance with the General Data Protection Regulation (GDPR), a similar data privacy regulation in Europe. Additionally, 70% of enterprises admitted the systems they were currently using to comply would not scale. When the pace of regulatory change is accelerating so rapidly, most enterprises are being caught flat-footed.


The Importance of GRC as a Risk Initiative: Q&A with Mary Upshaw

Origami Risk has expanded its operations in the UK, Europe, and Middle East due to rapid growth in the region. Mary Upshaw, Head of Professional Service – EMEA at Origami, discusses the current risk landscape, expected trends, and the role technology plays in an effective GRC programme.

From the perspective of a client executive who is working very closely with UK and EMEA-based organisations, what are the most pressing issues risk managers face in regards to GRC?

There are a few that come to mind. The first is dealing with regulatory change. How do organisations stay on top of risk associated with regulatory compliance when the landscape is constantly changing, the jurisdictions that companies reside in are growing, and laws around privacy are growing?

The second is getting different groups and departments within an organisation to work together toward a shared GRC approach. For example, there might be an internal controls team that rolls up through the CFO; an enterprise risk management (ERM) team that works for the CRO; a business continuity management (BCM) unit that flows through a CTO; and a compliance group that reports to the general counsel’s office. Risk managers need to set a tone that conveys that all of these groups must work together in order to reap the benefits of GRC.


ERM Done Differently

Those in the risk management field have heard plenty about the benefits of establishing an enterprise risk management (ERM) program. In some cases, they’ve likely heard too much. Lost in debates about frameworks or which acronym to employ (ERM vs. IRM vs. GRC) is the answer to the question, “How do I actually establish an ERM program that produces tangible, measurable results?”

An ERM program doesn’t have to be overly complicated. (Really!) Neither does it have to be an academic exercise that takes you away from critical daily tasks. When ERM is done right, it’s tied directly to your organization’s central strategic goal and consists of clearly laid-out, doable steps.

You can launch a manageable and sustainable ERM program. You can get everyone on board with the process. You can find success without losing your mind.

You can do ERM differently.

Focus on execution

ERM isn’t a magical, all-knowing tool into which issues are input and solutions spit out. ERM is a considered process that forces you to ask the right questions—questions that lead to the right preventative measures. So when embarking on the creation of an ERM program, your focus should be on execution: What actions am I not taking today that I should be taking in order to get out in front of risks?

How to get leadership buy-in for ERM

Before organizations can begin implementing an enterprise risk management (ERM) program, they must get buy-in from leadership. But in order for leadership to feel comfortable buying into a program, they must have sufficient evidence that it will make a difference for the organization’s overall goals.

There’s a solution to this catch-22. By having the right conversations and showing results from smaller-scale initiatives, organizations can demonstrate the value of an ERM program to leadership—and do so without the same time, effort, and resources required for a full-scale ERM operation.

Start the old-fashioned way

The right technology can be instrumental in demonstrating ERM program successes. However, before using technology to prove the benefits of an ERM program, risk managers can begin influencing leadership through small, in-person conversations.

“One of the biggest buy-in methods for a successful strategy is talk,” writes Darius Delon, AVP of risk services for Mount Royal University, in the article Putting Strategy into Risk Management. “One person at a time, one hour at a time, one advocate at a time. People will not buy-in to ERM just because they read something you put in front of them or heard at a large forum. Talk to them, work with them, get small wins…”


Risk management technology’s role in keeping ERM on track

Enterprise risk management (ERM) programs require focused planning and commitment from a range of stakeholders within an organization. However, even organizations with the best intentions can see ERM efforts fall to the wayside as more pressing day-to-day issues take precedence.

In the article Leveraging Technology To Drive Sustainable ERM Initiatives, Origami Risk’s Josh Newsum discusses the powerful role of risk management technology in keeping ERM initiatives on track, as well as how organizations can achieve the best results, regardless of where they are in the process.

Read the article in Risk Management →

Hospital staff burnout, part 2: How healthcare ERM can prevent burnout

As the hospital burnout crisis continues to make headlines, healthcare organizations are in need not only of solutions that address the consequences of burnout, but also strategies for preventing burnout in the first place. As discussed in part 1 of this series, the right healthcare risk management technology can play a role in efforts to ensure physicians are more fully engaged. Physicians who feel connected to the core purpose of their work are less likely to burn out, and more likely to provide quality patient care.

Another approach to addressing clinician burnout is the establishment of an organization-wide plan to monitor, analyze, and, ultimately, prevent the condition from occurring. Efforts to mitigate burnout will likely come from many directions within an organization, but to streamline the process and get everyone on the same page, a logical but perhaps unexpected place to start is with the hospital risk management team. Healthcare risk managers can play a crucial role in successfully preventing burnout by viewing burnout like the other risks they manage, developing a healthcare enterprise risk management (ERM) framework, and leveraging the technology they already work with on a daily basis.
