Executing your Integrated Risk Management project in
Embarking on an Integrated Risk Management (IRM) project can be a daunting process.
Those who control project budgets are challenging you with “What are the benefits of a new IRM system?”, given that money is tight and there are different views of what to do across the three lines of defence (3-LoD).
However, those that are bold and commit to an IRM project can realise benefits such as:
So where do you start?
Our IRM User Group has touched on this topic a couple of times now and that is what prompted us to start talking about the baby steps you should take.
Any project can be split down into phases and for the purposes of this, we will cover business case, system selection, initiation and design. In the future we will cover build, test and implementation.
What are the steps you should take in these phases?
High level business case: Recognise the need for change and gain consensus across the 3 Lines of Defence (3-LoD).
This is really important as the IRM project will impact across the 3-LoD and leadership support is critical if the programme is going to be a success.
At this stage a high level business case may be required to agree why change is required, the likely benefits and next steps.
This will allow you to get agreement to commence a project and perform a system / partner selection exercise.
System selection: Gather requirements and complete a system and partner selection exercise.
This might seem an obvious step but so many organisations fail to do it properly and then wonder why the system selected doesn’t meet requirements!
Spend time understanding your requirements and set criteria to assess both systems and implementation partners.
Having the right people involved in this process is critical to ensure you select a system and a partner that is the right fit for you.
Business case / initiation: Prepare an implementation plan.
The plan will have several workstreams such as design, build and test; data readiness; data migration (if relevant); business change and cut over.
Agile methods should be adopted to deliver a Minimum Viable Product (MVP) so you can realise benefits in a timely manner.
The crawl, walk and run principle should be adopted and followed so you build capability and realise benefits in increments. Remember, ensure your plan is resourced with people who have the necessary capacity and capability to deliver.
Business case / initiation: Capture all Risks, Issues, Assumptions and Dependencies (RAID).
All of the activity in the previous steps will identify RAID items and you need to ensure they are captured with clear ownership and actions.
For example: you may have a dependency on a CSDM project or there is uncertainty because the detailed design is not yet completed. Ensure you capture these and have a plan in place to deal with them. Don’t just hope they will be ok as many organisations have fallen into that trap.
Business case: Finalise the business case and submit for approval. Once the previous steps have been completed, you have the necessary information to finalise the business case started in step 1.
The final piece of the jigsaw is the benefits, and ensuring they are captured with clear ownership and a benefits realisation plan.
These will include items such as efficiency gains from automating compliance testing; synergies from removing duplication of effort across the 3-LoD, which now operate on one data set; and productivity gains from real-time visibility of the risk position, which also potentially avoids costly incidents.
Kick off the project!
This is a key moment and sets the tone for how you want the project to operate. Ensure you have clear roles and responsibilities that all project members understand and the right culture so people feel they can speak up, as well as having clear decision making / escalation paths.
Leadership engagement and visibility are fundamental to this, and don’t forget to celebrate success and thank people for their efforts.
Step 7: Completing workshops and design deliverables. In my view design is the key phase to ensure a successful project. Requirements / user stories should be gathered and acceptance criteria set for them. The right people should be in the room and, wherever possible, difficult decisions should not be deferred as they will come back to bite you. For example, the risk events process can touch multiple areas of the business, so you need to get consensus on what the process will be and what the system requirements are.
Note 1: Source: The Total Economic Impact Of ServiceNow Risk And Compliance – Forrester January 2021