By Alex Toews, Fusion Risk Management:
Risk management is typically discussed under two categories: Governance, Risk, and Compliance (GRC) or Integrated Risk Management (IRM). GRC is a broad term for the programs and practices that organizations implement to monitor and mitigate risks, verify compliance and regulatory alignment, and align these elements to organizational goals. The industry has more recently established the term IRM. It covers similar programs and practices but stresses the importance of improving risk-based decision-making and performance through an integrated view of how an organization manages risk. It is important to note that GRC and IRM work together in harmony: they are not stand-alone concepts but rather an evolution from one to the other.
Protecting Enterprise Strategy
Now that we have established a baseline around industry concepts, some risk perspectives have taken center stage in the past few years. These perspectives can strategically drive the direction of your organization, so long as you demonstrate their value and provide decision-makers with the proper risk-based context. Building a risk culture throughout the organization is a fundamental aspect of enterprise risk strategy. Strategic objectives should be tied across every program throughout the enterprise. By building a shared risk taxonomy and collecting, organizing, and understanding data from across the organization, you can get everyone to think like a risk manager and drive strategic decision-making.
What is strategic risk, and how do you manage it? Strategic risks are risks that affect or are created by an organization’s business strategy and strategic objectives. Those objectives are usually established at a senior or board level. They can change depending on the market environment and pending internal and external factors that may force you to navigate strategically. For example, a new organizational strategy can expose you to new risks. To gain a complete picture of your risk exposure, you now have the responsibility to align the cross-functional risks that sit within places like operational risk, enterprise risk, or IT risk.
To start, create a profile of risks across your organization, leveraging an integrated taxonomy and risk register, and determine whether the organization can navigate that risk profile. Most organizations create these risk profiles on an annual basis or set up triggers to revisit a strategic objective at set intervals. Doing this shows executives that you understand the strategic objectives and also understand, across your programs, which existing, identified, or emerging risks may affect how successfully the organization achieves them. It is extremely valuable to assess, consider, understand, and report to your stakeholders with the right risk-based context. Your program can provide insight into what is happening now and how the organization may need to navigate it differently.
Operational risks are a fundamental piece of your organization’s DNA. They are significant risks that may affect the organization’s ability to achieve strategic objectives. These risks affect your people, processes, technology, and, oftentimes, the daily activities required to deliver your core products and services to customers. Because of the serious impact that operational risks can have on the organization, it is critical to understand how these risks align with and potentially influence your strategic objectives. Understanding which operational risks impact your ability to achieve strategic objectives is a core pillar of defining your strategic risk profile and objectives.
Information Technology Risk
Information Technology risks, or IT risks, are critical in informing how organizations navigate business strategy and vision. IT risk permeates throughout the entire organization and holds strategic, financial, and reputational implications. Prioritizing how you address, analyze, and respond to these types of risks is essential to integrating IT risks and business strategies.
Information Security in Everything
IT risk is a vast domain, and its scope varies from one organization to the next. Some organizations have stand-alone IT risk programs that wrap their arms around all the risks that may impact the organization’s IT infrastructure (software, applications, third-party IT assets, etc.). IT risk has applicability across all organizational program areas. If you think about core operational resilience pillars like business continuity, third-party risk, operational risk, and IT risk, there are ways to break them into sub-domains to help you target the types of risk or the risk environment that is specific to your IT risk program.
It is essential to continue delivering on your customer commitment, no matter what. To do so, you need to understand how IT risk is associated with your processes, people, vendors, and other critical elements that help your organization deliver products and services. You can do this by connecting your information technology assets and their risks in an integrated fashion across all program areas in your organization. This integration is a must-have if you want to fully understand how risks impact your organization and how it can continue to achieve strategic objectives now and in the future.
Learn more at Fusion.
About the Author: Alex Toews is the Risk Solutions Manager for Fusion Risk Management.