Four Keys to Making Risk Meaningful

Published on July 3, 2018

The risk management function within organizations can be a struggle. Why? There is a breakdown between the strategic (enterprise) level and the individual departments on the front lines of operational risk. Poor communication or a lack of transparency results in stakeholders keeping risk data to themselves or sharing it only in high-level reports. The disconnect can also stem from different departments using different risk metrics. As a result, management is forced to make decisions relying on dated or faulty data.

Lockpath’s Adam Billings discussed these common risk management challenges in a recent webinar titled Making Risk Meaningful. In the recorded webinar, Billings covers both the disconnect organizations experience when managing risk and how to make risk meaningful.

Here are Billings’ four keys:  

Key #1: Understand your risk  
The first key to making risk meaningful is knowing your organization’s goals and the value leadership attaches to its assets. For example, how much does your company value its reputation? That very topic, reputation risk, was put through a bowtie risk assessment by Billings. This type of assessment reveals the causes and effects of a risk in your organization. For those seeking to understand risk, it’s a light bulb moment seeing the bowtie risk assessment in its final form and how everything connects.  

Key #2: Recruit a leader 
Risk management programs demand engaged leadership. Without leadership support, it’s hard to make changes that would otherwise be seen as making waves against the status quo. Leaders, by their nature, are change agents. They can package and promote your team’s initiatives, green-lighting them and convincing people to rally behind the direction. Leaders are also wise counsel for the risk team, capable of sharing past efforts and their experiences of what works and what doesn’t.

Billings, who speaks from first-hand experience with technology implementations, said, “Leaders have the clout. They can mandate change.”    

Key #3: Embrace standardization
Embrace standardization by using universal risk metrics across the organization like velocity, probability, and impact. Choose the metrics model that offers meaning to your organization. But don’t stop at the risk metrics stage. Identify key reporting where you’ll find value and efficiencies, and think through risk treatment options. You need standard processes for every stage of risk management.  

Key #4: Invest in technology 
Technology can empower risk management if the other three keys (leadership support, understanding risk and standardization) are present. The right technology solution, like a governance, risk management and compliance (GRC) platform, helps on a multitude of fronts. It can enforce standardization, policies and procedures. Use the solution to map departmental risks to organizational risks and to connect them with other risks, like vendor and IT risks, to give a better view of enterprise-wide risks.

A GRC platform also consolidates and controls information, so only those who need to see it receive automatic notifications. It’s especially helpful when risk criticality goes from low to high overnight. The platform streamlines the notification and escalation process.  

There’s much more to making risk meaningful. Continue your education on this topic by watching the webinar and learning about defining risk, common approaches, risk ownership and making risk meaningful. There is also some great information in the Q&A period at the end of the webinar.  
