Enterprise risk encompasses regulations, finance, operations, technology, reputation, strategy, and many more — and losing control over any one of these risk areas could mean disaster. Lately, with the increased focus on strong governance requirements, there is more scrutiny over risk management programs. This article will share insights on three holistic risk management strategies organizations use to meet modern governance expectations.
1. Gain Executive Understanding by Breaking Down Knowledge Silos
Executive support is essential to the success of any program, and a key ingredient in gaining that support is making sure executives understand what you are telling them. While this sounds easy in theory, one of the most common challenges in managing risk across the enterprise is getting executives to understand and take ownership of those risks.
In order to break down silos with your executive team, it is important to find common ground. Risk leaders can do their part to bridge the gap by advising executives in a way that is easy for them to understand and act on. Here are a few ways to get your executive teams on the same page as the risk management function:
- Report concisely on what is relevant to the executive team, using pertinent and actionable supporting data.
- Contextualize technical information within an executive’s business-focused needs.
- Use KPI data to make your case in budgetary discussions.
- Share data that demonstrates the ROI of risk mitigation activities to make the business case for budget to support your initiatives.
- Present risk findings in terms of business risk and market trends in order to shape the conversation that marries security and business goals.
When framing risk to gain executive buy-in, remember that storytelling is key, and it is both an art and a science. What is this risk? Why is it important? Are we asking you, the executive, for support or for action? What are we doing, or going to do, to manage it, or to exploit it if it is an opportunity?
The conversations can be either formal or informal, depending on your culture and the extent of your organization’s silos. They may be part of regular updates in risk management, especially when discussing risk responses or projects that require considerable effort. For example, many public companies have implemented controls around Environmental, Social, and Governance (ESG) disclosure reporting. Risk managers knew the risk topic would impact their companies, so many began socializing the idea and probable controls well in advance so that other stakeholders would be comfortable once the requirements went into effect.
2. Centralizing Risk Management
A centralized risk management function can enforce a single governance life cycle across the organization, so that every risk is worked through the same way. In most risk scenarios, a consistent five-step life cycle applies:
- Identify Risk
- Analyze Risk Scope, Impact, & Likelihood
- Evaluate Risk Qualitative, Quantitative, & Interrelated Factors
- Accept, Control, or Share the Risk
- Establish Continuous Risk Monitoring
As an illustration, a company may identify high employee turnover as a risk and use the life cycle model to think through the impact on the organization, step by step:
- Identify: High employee turnover can lead to efficiency loss, poor morale, and loss of institutional knowledge.
- Analyze (scope): Based on current trend analysis, the scope is limited to corporate functions, including accounting, financial planning, and treasury.
- Analyze (impact and likelihood): We analyzed the average corporate turnover rates for the past five years to capture pre- and post-pandemic trends and investigated any outliers.
- Evaluate (quantitative): The corporate average turnover rate is 12%. Accounting (35%), financial planning (33%), and treasury (27%) have experienced 2x-3x the corporate average.
- Evaluate (qualitative): In exit interviews, the most common reasons for leaving were the current requirement to work from the office with no exceptions, the lack of affordable, convenient childcare options, and fear of staff reductions.
- Evaluate (interrelated risks): Expanding remote work widens the attack surface (remote access paths, home networks, and devices outside the office perimeter), so the cybersecurity risk must be re-evaluated alongside this one. Rising inflation can reduce revenue. Overcorrecting on expense reduction can leave functions understaffed.
- Control (mitigate): Policies will be adjusted to allow more flexibility in hybrid work. Existing controls will be reviewed and redesigned so they still operate in a hybrid setting and meet departmental needs.
- Share: A staffing company has been engaged to supplement the hiring process and backfill open positions.
- Monitor: Management will produce bi-weekly reporting on turnover, hiring, succession planning, and retention efforts, so the treatment can be adjusted if the trend does not improve.
Centralizing the risk management life cycle and following a model like this example enables a better comparison of risks across the organization and consistent treatment of those risks in line with management's risk appetite.
3. Integrating Governance Frameworks
Organizations have to monitor and comply with many frameworks. Within an IT function alone there are laws and regulations such as SOX, contractual standards such as PCI DSS, and frameworks and attestation reports such as NIST, ISO, COBIT, and SOC, all of which require simultaneous compliance. Keeping the requirements updated, tested, and monitored is a huge undertaking.
One of the best strategies for complying with multiple frameworks is to create an integrated matrix (a control crosswalk) that maps each internal control to the requirements it satisfies in every applicable framework, so teams can take advantage of overlapping requirements and test a shared control once. This saves time in managing the compliance program and allows for an integrated approach across compliance teams. One caveat: a control should only be mapped to a requirement when its design and test attributes (frequency, population, evidence) actually satisfy that requirement, otherwise the matrix overstates coverage. An integrated approach across compliance teams is also crucial to staying ahead of new regulations and monitoring which ones are relevant to your company.
With so many frameworks, consider bringing in a technology solution with a fully integrated and intuitive platform to manage all your frameworks — gaining valuable efficiency by eliminating redundant testing.
Connecting Risk Across Your Organization
Adopting a holistic view of organizational risks from a centralized risk management function brings consistency to risk mitigation initiatives, to the way risks are treated, and to the ability to manage multiple requirements simultaneously. The strategies presented in this article help increase management buy-in for upcoming projects while reducing redundant control and testing effort. Learn more about AuditBoard's connected risk platform designed to meet modern governance expectations.
Mary Tarchinski Krzoska, CISA, is a Market Advisor at AuditBoard. Mary began her career at EY before transitioning to a risk and compliance focus at A-LIGN, and brings 9 years of global experience including SOC, HIPAA and ISO compliance audits, consulting on business continuity and disaster recovery processes, and facilitating risk assessments. Connect with Mary on LinkedIn.