The enterprise mission, strategy and objectives are the basis for understanding the dynamic risk landscape in which the enterprise operates. Whether an organization is public or private, for profit or nonprofit, government or military, it has a mission to deliver value to stakeholders and customers. In my work with senior executives, I am often asked how to get more value from the risk management process. Many risk management programs focus on the risk of noncompliance to prescribed regulations, standards and guidelines, or rooting out internal control deficiencies. Often, the business lines complain that risk management is additive to all the other important “real-work” activities already on their plates.
In the absence of a mature risk management program and process, the enterprise can be generally effective in preventing most realized risk with a robust compliance or controls testing program. However, this places emphasis on findings after the fact and makes risk management look like a pre-audit function rather than a partner that adds value to the business.
Positioning risk to the enterprise in the context of the mission, strategy and objectives is the first step in making sure that activities add value to the overall risk management process. This is known as setting the context for risk management. Pairing a risk-based approach with a strategic view of the enterprise enables communication and clarification of which uncertainties, or risk, have the highest potential to prevent the enterprise from meeting its intended targets, objectives and mission. If you want to ensure that the enterprise is managing the risk that has the most relevance to the enterprise, here are some tips to think about for improving your risk management process:
- Periodically revisit the mechanisms for each of the risk process steps (identify, assess, analyze, plan response or treatment, communicate and monitor response) to understand if the step is efficient and effective. For example, if an enterprise is using a risk and control self-assessment (RCSA) as a technique for risk identification, is it updated periodically as conditions change or emerging risk is discovered?
- Is there a project or program management office that can be leveraged to make risk management a normal part of enterprise operations by building risk identification into standard work procedures? Track progress of risk treatment activities against plans to get started with metrics.
- Evaluate risk activities to ensure that the most important assets and services are in scope. Some enterprises start with high-value assets that support the most critical business lines, processes or products, or critical services and then expand the scope as the risk management capability matures.
- Integrate the planning of risk management activities with the audit and compliance planning cycle. Often, there is economy in collecting data once and using them to satisfy multiple information needs.
- If the risk management activities rely on quantitative models, subject the models to the risk management process to ensure that they continue to perform as intended.
The main drivers for risk management include the needs to improve decision-making in enterprises, align risk management resources to address the risk with the greatest potential impact on the enterprise and ensure that value is created by maintaining risk within acceptable tolerances and appetites. For more information on the risk management process, read the ISACA white paper Getting Started with Risk Management or sign up for the upcoming post-conference workshop on Risk Management and Communication at 2019 NA CACS in Anaheim, California, USA.
Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.