Data First: Reframing Risk Leadership for Real Impact

Learn how a data-first strategy can help manage risk.

In our previous article we introduced key levers that enable risk functions to deliver real value. In this article we take a deeper dive into the foundational elements that drive meaningful results.

One thing has been abundantly clear through close collaboration across the three lines of defense, with risk leaders (CAEs, CROs, first line) in both large financial institutions and regional organizations: the underlying data, which is the foundational element for risk management, is not clearly understood, evaluated, or managed consistently. The reasons are varied, including legacy carryforward; misalignment around data across lines of defense; lack of true data management and Governance, Risk, and Compliance (GRC) platforms; and internal politics (yes, it happens!).

A simple and often overlooked truth is that the process, risk, and controls data underpinning all functions are the same. Core elements—such as commonly overlooked strategic priorities, process taxonomy, key risk drivers, and the controls that mitigate those risks—are shared across the board. While peripheral data (issues, events, action plans, reporting, etc.) may vary, it should still reflect common needs and be designed for shared effectiveness. The way data is structured and segmented matters, and thoughtful design is key.

Risk leaders today don’t have the luxury of treating data as an afterthought. It’s foundational, and proactive and intentional management is essential. Effectively managed data is the first lens through which risk management is truly enabled. It strengthens culture and provides strategic, actionable insights.

The mandate is simple—think “data first.”

Figure: “DATA FIRST: A Mandate for Modern Risk Leadership,” showing three interconnected pillars. “The Granularity Imperative” emphasizes aligning data granularity with user needs; “GRC as the Backbone” highlights GRC platforms as enablers of risk; “Methodology: The Engine of Insight” focuses on contextualized and interpreted data.

Granularity Isn’t Optional

We’ve all seen risk data that is either too high-level to drive action or too granular to be digestible. The sweet spot is user-aligned granularity, meaning structuring data so it’s relevant to the person consuming it, whether that is a board member, a business line lead, or a control owner.

In our recent work, we have seen firsthand how aligning risk data to the right level of granularity enables better prioritization and faster decision making. It is not just about dashboards—it’s about decision-grade intelligence.

Achieving this takes time, effort, and coordination across all three lines of defense. When done correctly, defining deeper granularity for user alignment enables organizations to leverage the same data sets across all three lines of defense and aggregate them into meaningful insights. For example, the granularity from the risk and control self-assessment (RCSA) process enables risk-aggregated reporting, drives consistent and ongoing risk environment effectiveness assessments, and provides a critical feed into internal audit, both for risk assessments and individual audits.

The main challenges for effective granularity alignment are:

  • Executive mandates, which few leaders are willing to drive, even though change requires core risk leadership alignment.
  • Cost and effort considerations, as resources are often stretched.
  • Change management, which can be hard to navigate and define without the right experience.
  • Politics, which can be difficult to navigate since alignment across the risk management lifecycle requires teams to work outside their silos.

GRC Is the Infrastructure

GRC platforms are no longer just peripheral systems or compliance tools; they are the backbone of risk enablement. These platforms connect policy, process, and data, allowing risk leaders to operationalize controls, monitor compliance, and discover emerging threats in real time.

More importantly, GRCs are where data is managed, aligned, quality checked, and used appropriately. This allows organizations to build a fully integrated risk data model that is both traceable and accountable.

When implemented correctly, GRC platforms allow us to connect controls, risks, policies, and findings in an approachable way that supports tracking and implementation. Without this infrastructure and alignment, risk functions become significantly limited in the following ways:

  • Inability to understand and analyze emerging risks and areas of focus.
  • Being reactive rather than proactive, regardless of mandates.
  • Ineffective continuous risk monitoring, continuous auditing, issues management, etc.

However, GRCs alone do not solve all problems. Despite the popularity of GRCs among companies, a common pushback is that “it’s just a data repository,” which is true if there is a lack of strategy, alignment, and clarity. To unlock their full potential, GRCs must be powered by purpose and executed with thoughtful methodology.

Methodology Is the Engine

Methodology is what transforms raw data into insight. It defines risk taxonomies, scores impact measures and likelihood, and determines control effectiveness. Without a strong methodology, even the best GRC platform is just a shell.

As an example, in our Digital Operational Resilience Act (DORA) readiness work with European and U.S. banks, we have built frameworks that move clients from operational risk management to operational resilience. That shift is only possible when the methodology is robust, scalable, and embedded. The same can be said of audit methodology, RCSA processes, and other compliance routines such as Model Risk Management.

What “Good” Looks Like

Trends we are seeing at leading institutions:

  • Risk data mapped to business processes, not just risk categories.
  • GRC platforms integrated with audit and compliance workflows, not siloed.
  • Methodologies that evolve with regulatory expectations, not static templates.

This isn’t a theory; it’s execution. And it’s what separates risk functions that inform from those that enable.

Final Thoughts

As a risk leader thinking about your function, start with the data. Ask yourself and your team: is it structured for action? Is it aligned to the right granularity? Is it enabled by GRC and powered by methodology?

If the answer to any of these is “no,” your organization may not just be behind—it may be exposed. Overcoming risk vulnerability by taking a deeper look at your data and using technology to create a future-forward risk function can only happen with a data-first strategy.

For more information, reach out to a Forvis Mazars professional.
