The risk management function within organizations can be a struggle. Why? There is a breakdown between the strategic (enterprise) level and the individual departments on the front lines of operational risk. Poor communication or a lack of transparency results in stakeholders keeping risk data to themselves or sharing it only in high-level reports. The disconnect can also stem from departments using different risk metrics. As a result, management is forced to make decisions relying on dated or faulty data.
NAVEX Global’s Adam Billings has spoken to these common risk management challenges in recent years. Billings has described both the disconnect that organizations experience in managing risk and how to make risk meaningful.
Here are Billings’ four keys:
Key #1: Understand your risk
The first key to making risk meaningful is knowing your organization’s goals and the value leadership attaches to its assets. For example, how much does your company value its reputation? That very topic, reputational risk, was put through a bowtie risk assessment by Billings. This type of assessment reveals the causes and effects of a risk in your organization. For those seeking to understand risk, it is a light bulb moment seeing the bowtie risk assessment in its final form and how everything connects.
Key #2: Recruit a leader
Risk management programs demand engaged leadership. Without leadership support, it is hard to make changes that defenders of the status quo would otherwise interpret as making waves. Leaders, by their nature, are change agents. They can package and promote your team’s initiatives, green-light them and convince people to rally behind the direction. Leaders are also wise counsel for the risk team, capable of sharing past efforts and their experiences of what works and what doesn’t.
Billings, who speaks from first-hand experience with technology implementations, said, “Leaders have the clout. They can mandate change.”
Key #3: Embrace standardization
Embrace standardization by using universal risk metrics across the organization like velocity, probability, and impact. Choose the metrics model that offers meaning to your organization. But don’t just stop at the risk metrics stage – identify key reporting where you’ll find value and efficiencies, and think through risk treatment options. You need standard processes for every stage of risk management.
Key #4: Invest in technology
Technology can empower risk management if the other three keys – leadership support, understanding risk and standardization – are present. The right technology solution, like a governance, risk management and compliance (GRC) platform, helps on a multitude of fronts. It can enforce standardization, policies and procedures. Use the solution to map departmental risks to organizational risks and to connect them with other risks like vendor and IT to give a better view of enterprise-wide risks.
A GRC platform also consolidates and controls information, so only those who need to see it receive automatic notifications. It is especially helpful when risk criticality goes from low to high overnight. The platform streamlines the notification and escalation process.
There is much more to making risk meaningful. Learn more about GRC platforms and the impact of automation and technology with our whitepaper, 21st Century Business Requires a 21st Century Compliance and Risk Management Tool.