Risk Management | Governance Risk & Compliance
Framework recommends the strategy of Identify, Classify, Treat.

What is Risk IT?
Better decision-making requires transparency into all risk information gathered at your organization. It also requires the ability to prioritize that information by assessing the risks related to organizational goals, resources, controls, and test monitoring.
Business value means looking at where you spend time and money so you can prioritize resources and resolve confusing or contentious issues. In the risk ERM/eGRC space, some people think that business value is synonymous with reduced regulatory fines, because of the results of recent studies and reports. However, we risk managers know that regulatory risk is just one piece of the business value ERM can offer.
The purpose of a risk assessment is to bring context to other things. Assessments by themselves are like adjectives to nouns. Controls, tests, tasks, and resources are very expensive and risk assessments add priority to these activities, helping you understand how critical each one is.
Every organization has overlapping and redundant controls, tests, and metrics. All these excess activities are obstacles that prevent you from achieving a truly efficient risk management program. As risk practitioners, we know we could always improve our programs, but the best path to accomplishing this goal isn't always clear.
However, by adopting a standardized and objective best-practice risk assessment methodology, you can start to identify the overlapping activities that crowd your program, prioritize actions, and help your organization make more informed decisions.
Why do I need Framework to navigate Risk Management?
Think of Framework as your bird's-eye view. It allows you to look at your entire risk system from above, as a whole. Companies without Framework face the challenge of not being able to look at risk as a whole while comparing information across departments. Here are a few examples:

Activity Fatigue
Staff may ignore certain activities because of lack of time to access them.

Activity Obsolescence
In a changing environment, there is no effective way to know when activities no longer apply.

Lack of Prioritization
Picking activities to focus on is likely to be on an ad hoc basis and subject to the whims of current staff.

Lack of Continuity
Changes in the organization or development of new business lines may result in new
activities even though existing ones are more effective.

Lack of Coordination
Often, activities apply to multiple risks or commitments across functional lines. The inability to formally tie activities to risks or commitments hinders inter-functional coordination, resulting in business silos and duplication of effort.

Wasted Resources
The number of resources available for accomplishing business goals and treating risk is finite. Staff will too often continue to manage obsolete or unimportant activities rather than re-aligning with current imperatives. If a risk changes, most organizations have no way of knowing how (or even if) these changes will affect their resources and activities. Risk assessments and linking risks to activities allow organizations to start prioritizing which activities need to be monitored.
Framework recommends the strategy of Identify, Classify, Treat. Rinse and Repeat.
Identify
Staff may ignore certain activities because of a lack of time to access them.
Classify
In a changing environment, there is no effective way to know when activities no longer apply.
Treat
Picking activities to focus on is likely to be on an ad hoc basis and subject to the whims of current staff.
Most likely network security challenge in the next twelve months (survey responses)

Cloud Computing                          11%
Incidents from Employee-Owned Devices    13%
External Hacking                          5%
Cyber Attacks                             7%
Data Leakage                             17%
Disgruntled Employee                      5%
Employee Mistakes                        16%
All of the above                         18%