Part 10 in the “Controls and Risk Management” series
Since I started working in GRC software, and actually even some time before, when I was working on audit topics, a recurring concept has been risk-based auditing or some similar name. The intent is to focus the audit function on the riskiest parts of the company, so that all high-profile risks are reviewed regularly, monitored correctly, and so on, to protect the business from operational surprises.
Audit isn’t the only function that focuses its efforts on high-profile risk areas, though. Internal control and compliance departments take a similar approach, but call it risk-based compliance, applied notably when performing a scoping exercise before launching assessments.
When taking a broader perspective within a company, many departments use the same risk-based approach, such as: business continuity; fraud management; environmental, health, and safety; and even finance for risk-adjusted planning and budgeting. Indeed, most departments have to ensure that they reach their objectives and that they don’t leave behind threats that could endanger their achievements and prevent the company as a whole from succeeding.
What does this tell us? I’m not going to enter the “it’s all about risk” debate. Actually, quite the opposite. I personally think that it’s all about other departments.
Risk management has, for a long time, benefited greatly from the work of other departments: leveraging investigations and findings to identify new risks, using existing controls from compliance as well as continuity plans to monitor and mitigate identified risks, etc. Now I believe it’s time for risk-management departments to stand up and be key contributors to their companies’ success.
There are many ways in which risk management departments can do this, but I’d like to highlight two.
Help the company focus on upsides: the opportunities
As I’ve discussed in previous posts, I’m a strong believer that any new project, product, or investment inherently carries risks of failure, of course – but more importantly, opportunities for success. Risk management has all the information necessary to define a “SWOT profile” and help the business make the best budget-allocation decision.
Be a lighthouse for the business
When contextual changes occur, risk management should be the first area to have up-to-date, revised information and, therefore, be able to shed light on the new risk profile: potential negative impacts, the chain of probable events that could be triggered, and so on. If this department is able to communicate these changes and their associated outcomes in a consumable and timely manner to compliance, business continuity, HR, finance, or any other department impacted by the new risk context, then truly proactive decisions can be made.
Currently, this communication happens most often when these departments do their annual review and pull risk-management information, which is a passive, ad hoc exchange. Conversely, pushing relevant information to them regularly would make the business more agile and enable faster and more relevant resource and budget allocations.
What about you? Do you see the role that risk management plays within your company changing? I look forward to reading your thoughts and comments on Twitter @TFrenehard.
If you are interested in hearing more about this topic and discussing it, then have a look at the SAP Conference on Application and Information Security – Building Digital Trust, taking place October 20 and 21, 2020 in Dublin, Ireland.