Several years ago, BT set out to upgrade its system for managing risks and controls with a cohesive approach that would improve visibility across the organization and provide credible, timely data to the senior leadership team and board.

CHALLENGE

BT Group is the UK’s leading fixed-line and mobile communications provider, including broadband, mobile, security, TV, networking, and IT services. With operations in 180 countries and more than 100,000 employees, the organization has a complex structure, which made it challenging to gauge the true picture of its risk exposure.

At the same time, the revised UK Corporate Governance Code will require boards, by 2026, to determine what they consider to be material risks and controls, and to decide the level of oversight and assurance they need in order to declare the effectiveness of those material controls in the annual report and accounts.

“It was clear that there was room to improve the approach to risk management. We needed a framework that provided those responsible for managing and overseeing risk with the processes and structure to do so. It was vital that the framework did this consistently and effectively, helping to support quality decisions and give important early-warning signs if something is about to go wrong,” recalls Dan Maclennan, group risk director for BT. “We set out to redesign the process from the ground up.”

But there was one potential sticking point: the new framework was tailor-made for BT and had a very bespoke risk reporting process, along with its own naming conventions that were critical to maintain. Many were skeptical that a new system could replicate the framework and produce the reports the board required.

SOLUTION

BT turned to Riskonnect to provide a platform to bring this framework to life, integrating all risk, control, and assurance activities. The project started with implementing Riskonnect’s Enterprise Risk Management solution, followed by Internal Controls and Audit solutions.

“We chose Riskonnect because it’s so configurable,” explains Maclennan. “The philosophy behind our approach was to create one risk-focused community, including enterprise risk management, control, and assurance professionals. With Riskonnect we were able to bring everything together under one framework.”

Importantly, BT was able to continue with its established risk, control, and assurance methodology. The distinction between “enduring risks” and “dynamic risks,” for instance, is the cornerstone of its risk program. Enduring risks are those that persist over time and justify investment in a structure of controls and processes for long-term mitigation. Dynamic risks are significant “of-the-moment” risks and uncertainties that arise, cannot be mitigated through the existing control framework, and require a specific response.

A big step was to build the data model to feed the reports. The team spent more than a year defining its enduring risks – health and safety, cyber, data protection, and so forth – mapping controls, and assigning responsibilities. “It took that long to get meaningful output,” says Maclennan.

Data from all enduring risks and their corresponding controls is now housed in Riskonnect to show how these risks play out across the organization. Control owners and assurance providers have full access to the system to carry out their activities. Others can provide updates via a portal, which makes it easy to bring more people into the process.

RESULTS

With Riskonnect, BT accomplished what some thought was a never-ending journey: All risk, control, and assurance data is now in one framework for better visibility – and its unique risk structure has been preserved.

“The framework shapes the way each specialist risk area is run,” says Maclennan. “Many parts of the company were already doing good work but not in a consistent manner to make it easy to monitor across the landscape and prioritize effort where required. Each area now has clear accountability and structure, which helps everyone do their jobs more effectively.”

Administrative burdens were removed, and reporting was streamlined and improved for an end-to-end view. “We need to see many different aspects of risk, from minute detail to board-level insight. It can be a minefield,” he says. “The solution provided by Riskonnect has enabled our framework to make that happen.”

Riskonnect surfaces the right data in automated reports that provide the board with line of sight into big, complex risks. Leadership can pick a category – say cyber – and run a report that shows how effective the controls are. “We have visibility across the whole landscape,” says Maclennan.

Having one framework also sets the standard against which everything can be evaluated to prioritize resources, focus, and budget. Take cyber risk, for instance. “Our cybersecurity team has been at the forefront of adopting the framework and the Riskonnect tool, which is now being used to monitor our exposure and track actions to continually strengthen our security posture,” explains Maclennan.

BT has had good success at overcoming any lingering resistance to a new system. “We’ve received good feedback,” notes Maclennan. “People can genuinely see the benefits of using Riskonnect.”

And that, in turn, is influencing culture. “In meetings, I’ll hear people refer to point risks and emerging risks. It’s starting to become part of our vernacular.”

While compliance with the new regulations was not initially a top priority, the new framework aligns well with the requirements. “We inadvertently prepared and are in quite a good position to meet the enhanced control requirements in the UK Corporate Governance Code because we were already traveling in that direction.”

“Riskonnect is advancing our purpose of helping BT Group be smart with risk and make informed decisions,” says Maclennan.

For more on holistically managing risk, download our ebook, Governance, Risk, and Compliance: The Definitive Guide, and check out Riskonnect’s GRC software solutions.