Four Keys to Making Risk Meaningful

Mike Ogden

The risk management function within organizations can be a struggle. Why? There is a breakdown between the strategic (enterprise-level) function and the individual departments on the front lines of operational risk. Poor communication or a lack of transparency results in stakeholders keeping risk data to themselves or sharing it only in high-level reports. The disconnect can also stem from different departments using different risk metrics. As a result, management is forced to make decisions relying on dated or faulty data.

NAVEX Global’s Adam Billings has spoken to these common risk management challenges in recent years. Billings has shared both the disconnect that organizations experience with managing risk and how to make risk meaningful.

Here are Billings’ four keys:

Key #1: Understand your risk

The first key to making risk meaningful is knowing your organization’s goals and the value leadership attaches to its assets. For example, how much does your company value its reputation? That very topic, reputational risk, was put through a bowtie risk assessment by Billings. This type of assessment reveals the causes and effects of a risk in your organization. For those seeking to understand risk, seeing the bowtie risk assessment in its final form, with every cause and effect connected, is a light-bulb moment.

Key #2: Recruit a leader

Risk management programs demand engaged leadership. Without leadership support, it is hard to make changes that defenders of the status quo would otherwise dismiss as making waves. Leaders, by their nature, are change agents. They can package and promote your team’s initiatives, green-light them and convince people to rally behind the direction. Leaders are also wise counsel for the risk team, capable of sharing past efforts and their experience of what works and what doesn’t.

Billings, who speaks from first-hand experience with technology implementations, said, “Leaders have the clout. They can mandate change.”

Key #3: Embrace standardization

Embrace standardization by using universal risk metrics across the organization like velocity, probability, and impact. Choose the metrics model that offers meaning to your organization. But don’t just stop at the risk metrics stage – identify key reporting where you’ll find value and efficiencies, and think through risk treatment options. You need standard processes for every stage of risk management.

Key #4: Invest in technology

Technology can empower risk management if the other three keys – leadership support, understanding risk and standardization – are present. The right technology solution, like a governance, risk management and compliance (GRC) platform, helps on a multitude of fronts. It can enforce standardization, policies and procedures. Use the solution to map departmental risks to organizational risks and to connect them with other risks, such as vendor and IT risk, to give a better view of enterprise-wide risks.

A GRC platform also consolidates and controls information, so only those who need to see it receive automatic notifications. It is especially helpful when risk criticality goes from low to high overnight. The platform streamlines the notification and escalation process.

There is much more to making risk meaningful. Learn more about GRC platforms and the impact of automation and technology with our whitepaper, 21st Century Business Requires a 21st Century Compliance and Risk Management Tool.
