Michael Rasmussen had a great post recently – Hordes of Policies Scattered Across the Organization – in which he lists the challenges with risk management policies. Now Michael’s view of Governance, Risk and Compliance (GRC) is a little different from mine, but he is spot on with this list of issues. Any decision in which risk is supposed to be accounted for is going to have to be made in the light of a whole bunch of risk policies that will have some or all of the issues he has outlined.
Now I believe that risk is acquired one operational decision at a time – risk by risk. It is essential therefore for organizations to integrate an assessment of risk into every micro decision. A company that is taking a truly enterprise-level view of risk must also treat these operational decisions – or at least how these operational decisions are made – as corporate assets. This typically means building and integrating predictive models – mathematical models that predict how likely a particular risk is to occur in a specific transaction, such as “what is the risk of fraud in this claim” or “what is the risk of widespread reputation damage in this complaint”. It also means turning the scattered policies of Michael’s post into a coherent, manageable (and managed) set of business rules that can be applied to these operational decisions.
A business rules management system or BRMS allows you to do exactly this and is really the foundation of successful Decision Management. Extracting the rules from all these different policy sources, mapping them to executable business rules in a BRMS’s repository and ensuring traceability between them (perhaps through an intermediate level of rules) is essential. This allows Decision Services to be deployed that apply the right rules for particular transactions and particular decisions. It also allows an accurate assessment of which rules must be changed when policies or the regulations on which they are based change. In many ways it is this ability to manage rules that drives the need for a BRMS rather than its ability to execute them.
Enterprise risk management and good GRC practice require that every decision you make accounts for its contribution to overall risk. Make sure you are managing these operational decisions, that you are managing the rules behind them, and that you are maximizing the use of predictive analytics too.