Increasingly, organizations are focusing more on the purpose of knowledge management initiatives and less on the technology itself. More organizations have a strategic intent when they launch new applications and a clearer set of goals.
"KM is about sharing and leveraging collective knowledge," says Kent Greenes, president of Greenes Consulting. "We view it as the ‘boundaryless' flow of knowledge." In some cases, the flow is across the whole enterprise, and in some cases, it is across different organizations.
In one of the examples that follows, a large and geographically dispersed organization has taken on the task of evaluating, tracking and measuring risks associated with departments throughout the company to guide its corporate risk strategy. In the other, a modest-sized government organization is collaborating with its counterparts to gain economies of scale in its operations. Although the two cases differ in many respects, they both are striving for a flow of information that creates a more meaningful understanding of its environment, a more responsive organization and better use of resources.
Vattenfall is a Swedish company that produces electric power domestically and in six other countries in Europe and Scandinavia. The energy industry has a high level of opportunity but also a high level of risk. To gain a holistic understanding of enterprise risk and provide effective decision support, Vattenfall sought a solution that could manage the full range of risk issues confronted enterprisewide.
The company researched the vendor market and reviewed information from a number of analysts. After narrowing the field to five vendors and examining each in detail, Vattenfall decided to implement SAS Enterprise GRC Solution, a comprehensive solution for managing governance, risk and compliance.
One platform for multiple risks
The solution, which was implemented in four months, now has a database that tracks 1,000 risks and is used by 300 employees. SAS Enterprise GRC Solution offered Vattenfall the ability to have one infrastructure and platform to manage its risks. "We wanted to address a range of risks, including operational, political, legal and market risks," says Dan Mansfeld, risk manager at Vattenfall. The application can also be extended to other areas that are of concern to the company such as incident crisis management and environmental risks.
SAS Enterprise GRC met the stringent requirements that Vattenfall placed on functionality, including a strong analytical and quantitative capability and the ability to connect to other applications. Now that the product is in place, users can update risk measures continually, and quarterly reports are delivered to executives. "Having a centralized risk database is a big advantage for us," explains Mansfeld. "It allows us not only to see the full picture with respect to risk, but also to provide transparency among different business units."
Vattenfall also values the workflow that is a part of SAS Enterprise GRC. "In the past, we did not have a system for passing along tasks or assignments based on results of the risk assessment," Mansfeld says. "Now we can do that, and track the status of each task." If users want to explore the results of reports that are produced by SAS Enterprise GRC, they can drill down into the data at different levels.
SAS Enterprise GRC allows Vattenfall to consolidate its risks into a system that provides robust analysis and reporting. "We plan to grow this solution and develop it more in the future," says Mansfeld. "The large data processing, risk event identification, qualitative assessments and incident reporting provided by this solution are all capabilities that are growing in importance for us."
Stress testing risk tolerance
Using a risk management solution provides a framework that moves a company beyond looking at each risk individually and in isolation from other factors. "Credit risk, market risk, reputational risks and many others combine to form an overall impact," says Dave Rogers, SAS global product marketing manager. "Getting an overview is very important in terms of guiding the direction of a company."
Many firms use both a top-down and bottom-up approach to risk. "Executives lay out their high-level expectations for how risks should be addressed across a range of qualitative and quantitative statements," Rogers continues, "and business units describe and document the risks they perceive." The documented risks are passed through a series of assessments to create a profile that describes the tolerances a firm's senior management is willing to operate within.
That information in turn is used when setting the operational limits that are monitored via the firm's risk systems. "What has been an issue in some organizations is how well the top-level statement maps against the actual business risks," Rogers says. "With the need to evaluate risk against a complex set of opportunities and threats the board and regulators are requesting, stress testing a firm's risk appetite tolerances to an increasingly complex set of scenarios and on a more frequent basis has become a major challenge."