Tips for Building a Risk-Optimized Enterprise

Author: Lisa R. Young, CISA, CISM, CISSP, Security Metrics Engineer, Netflix
Date Published: 8 January 2020

The goal of effective risk management is to align the amount of risk taken with the enterprise’s risk appetite to meet the strategic goals and objectives of the organization. When risk is strategically and thoughtfully taken, there are opportunities for competitive advantage, entering additional geographic markets, or developing new products and services.

The main drivers for enterprise risk management include the need to improve decision-making, to align resources to address risk with the greatest potential impact and to ensure that value is created by maintaining risk within acceptable tolerances and appetites.

In 2019, ISACA led an effort to survey a global population of risk professionals at organizations across many different industries to better understand the state of enterprise risk management programs. Here are some tips from the State of Enterprise Risk Management 2020 report on how an enterprise can improve and optimize its risk management efforts:

  • Periodically revisit the mechanisms for each step of the risk process (i.e., identify, assess, analyze, plan response or treatment, communicate and monitor response) to understand if the step is efficient and effective. For example, if an enterprise is using a risk and control self-assessment (RCSA) as a technique for risk identification, is it updated periodically as conditions change or emerging risk is discovered?
  • Evaluate risk activities to ensure that the most important assets and services are in scope. Some enterprises start with high-value assets that support the most critical business lines, processes, products or critical services, and then expand the scope as the risk management capability matures.
  • Develop a risk management training curriculum for the risk landscape in which your enterprise operates. This curriculum can be a simple set of presentation slides that raise awareness of specific risk factors that have impacted organizations similar to yours or an in-depth, multimedia, computer-based training on the 3 lines of defense (3LoD) structure used by many global financial institutions. One innovative approach is to utilize real-event case studies. In 2 short hours, a group of business professionals can read a case study, perform the role of a risk owner, and have a lively discussion on actions that would have prevented the risk from being realized or decisions that would have improved the response and/or decreased the impact after the risk was realized.
  • Cultivate an early-warning, neighborhood-watch-like alert system made up of staff on the front line of defense. Often, the people closest to the day-to-day operations of the business are the first to notice that something is not quite right, or that policies and rules are routinely set aside or ignored to meet project deadlines or reduce operating costs. Catastrophic operational risk events are often the result of a series of cascading smaller failures or breakdowns in communication. As part of the risk management training curriculum, invest time in creating job aids, such as a laminated card with a reporting hotline phone number or web address, that show where areas of concern can be reported anonymously. It is far easier to act on these concerns when they are surfaced early. To mature risk management practices, the line of sight from business operations execution to the board of directors (BoDs) or a senior governing body will require greater transparency.

The State of Enterprise Risk Management 2020 report analyzes and presents the key findings from the survey. This research brief also offers conclusions about current risk management practices, identifies areas of opportunity, and provides guidance for BoDs and executive teams. To read the full report, visit the State of Enterprise Risk Management 2020 page of the ISACA website.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.