Four Keys to Making Risk Meaningful
The risk management function within organizations can be a struggle. Why? There is a breakdown between the strategic (enterprise) level and the individual departments on the front lines of operational risk. Poor communication or a lack of transparency results in stakeholders keeping risk data to themselves or sharing it only in high-level reports. The disconnect can also stem from different departments using different risk metrics. As a result, management is forced to make decisions relying on dated or faulty data.
Lockpath’s Adam Billings discussed these common risk management challenges in a recent webinar titled Making Risk Meaningful. In the recorded webinar, Billings shares both the disconnect organizations experience with managing risk and how to make risk meaningful.
Here are Billings’ four keys:
Key #1: Understand your risk
The first key to making risk meaningful is knowing your organization’s goals and the value leadership attaches to its assets. For example, how much does your company value its reputation? In the webinar, Billings puts that very topic, reputation risk, through a bowtie risk assessment. This type of assessment reveals the causes and effects of a risk in your organization. For those seeking to understand risk, seeing the bowtie risk assessment in its final form, with everything connected, is a light bulb moment.
Key #2: Recruit a leader
Risk management programs demand engaged leadership. Without leadership support, it’s hard to make changes, because the status quo tends to dismiss them as making waves. Leaders, by their nature, are change agents. They can package and promote your team’s initiatives, green-lighting them and convincing people to rally behind the direction. Leaders are also wise counsel for the risk team, able to share past efforts and their experience of what works and what doesn’t.
Billings, who speaks from first-hand experience with technology implementations, said, “Leaders have the clout. They can mandate change.”
Key #3: Embrace standardization
Embrace standardization by using universal risk metrics across the organization, such as velocity, probability and impact. Choose the metrics model that offers meaning to your organization. But don’t stop at the risk metrics stage. Identify the key reports where you’ll find value and efficiencies, and think through risk treatment options. You need standard processes for every stage of risk management.
Key #4: Invest in technology
Technology can empower risk management if the other three keys (understanding risk, leadership support and standardization) are present. The right technology solution, such as a governance, risk management and compliance (GRC) platform, helps on a multitude of fronts. It can enforce standardization, policies and procedures. Use the solution to map departmental risks to organizational risks and to connect them with other risk domains, such as vendor and IT risk, to give a better view of enterprise-wide risk.
A GRC platform also consolidates and controls information, so that only those who need to see it receive automatic notifications. This is especially helpful when a risk’s criticality goes from low to high overnight: the platform streamlines the notification and escalation process.
There’s much more to making risk meaningful. Continue your education on this topic by watching the webinar and learning about defining risk, common approaches, risk ownership and making risk meaningful. There is also some great information in the Q&A period at the end of the webinar.