Consulting firm Protiviti released a new report on the need for organizations to transition from a culture of labor-heavy periodic risk auditing to a system of automated, continuous risk auditing.

The problem is familiar, as a manager you are focused on day-to-day operations issues, you have a system in place to periodically verify whether vendor and supply chain risks are being managed, but you likely don’t know where to begin to automate the process.

Protiviti argues that the technology for most companies to largely automate internal risk monitoring is now available and affordable when parterning with a specialized firm. The main challenge is knowing what metrics need to be tracked and monitored.

Instead of auditing paperwork, supplier insurance policies, contracts and balance sheets on a quarterly or annual basis, why not choose one of these areas with the goal of automating the reporting and risk tracking function?

Protiviti states that the keys to implement an automated, continuous monitoring risk program are as follows:

  • Define where the big risks are coming from in your organization. For example, to begin automating vendor risk management you must first identify what sources of risk vendors pose, such as carrying sufficient liability insurance, naming your company as additional insured, renewing the policies on time so that there are no lapses in coverage, carrying a waiver of subrogation, maintaining the proper business licenses, etc.
  • Next you must define and quantify what types of information you should track, record, and analyze relating to the identified risks, and how they interact with each other. For example, if a vendor’s business license lapses, is that a bigger or smaller risk than if the vendor had insufficient general liability policy limits?
  • And finally, after defining the source of risk, quantifying and categorizing what metrics to track, you must implement controls to verify whether the monitoring system works.

These are somewhat esoteric summaries of the challenge, as the ultimate goal of automating a risk managment program in any organization will vary depending on the specific technology solution that fits the need of your industry and company, and the number of variables that need to be tracked. But for our purposes in outlining the report, the message is simple, risk management automation is available for most companies, if they simply know who to partner with to implement the project.

Topics: COI Tracking, ERM, Insurance Certificate Tracking, INSURANCE RISK MANAGEMENT, RISK, Uncategorized, Vendor Screening

Leave a Comment