I think I can speak for all of us when I say that broken processes are the bane of our existence -- like an itch between your shoulder blades -- whether we are hired into it, transferred into it, silently watching it from afar (and smiling because it isn’t ours), or downright created it.
Risk management is too important to not have a clearly defined and refined process, with accountability to fulfill the phase objectives – otherwise the risk team and its business stakeholders can fall into a Perception vs. Reality trap.
Fallout of a Poorly Designed Risk Management Process
Risk identification needs a centrally managed and governed intake for risk assessment requests. If you have risk requests coming in from every channel of communication, then it’s more probable the team will miss risk assessment requests from the business or fail to document a policy exception request.
Risk analysis requires a clearly defined measurement method. Using numerous methods of measurement can create variance in analysis results resulting in gaps and lower thresholds for defensibility among analyses.
For risk reporting, using numerous evaluation reports can lead to inconsistent messaging where not every decision maker is seeing and hearing the same message to determine success criteria and risk prioritization
Inconsistency in risk treatment planning can lead to historical reference data being inadequate and incomplete when it is time to re-evaluate a risk item. Or just miss assigning a mitigation plan and risk owner all together!
Inadequate risk monitoring can lead to critical risk items getting lost in the fray.
These issues are just scratching the surface of the havoc an inefficient process can cause daily.
Ben Storm is a RiskLens Risk Consultant
RiskLens' 5 Steps to Better Risk Management
RiskLens services experts have worked with hundreds of large enterprise risk teams around the world and in the process have developed unique expertise on how to build effective programs. Each organization is different of course, so we customize to each situation, however here are the 5 steps we always take to improve your risk management workflow:
1. Align risk program output to corporate governance objectives
When developing the risk management process, it is important to make sure that the output leads to value creation that aligns with corporate governance objectives. We work with your leaders to make sure the risk program keeps corporate governance objectives in scope.
2. Select risk management framework
Let’s assume RiskLens has already helped you to get started on the FAIR™ standard for quantitative risk analysis and assessment, so now it is time to select the framework to address the other areas of the risk management life cycle.
There is no shortage of risk management frameworks out in the wild (NIST, ISO, HITRUST, etc.), and they are all compatible with FAIR. Choose one that is internationally recognized and tool agnostic. Most of them will get you to where we want to go, however be aware that your journey isn’t complete yet. Remember that choosing a risk management framework is important, but developing the process around how to deliver value by using the framework is critical and will guide you to success if executed correctly.
3. Assign roles and responsibilities
A process is only as effective as the accountability to execute it. Effective risk governance is about keeping people accountable and that starts with the risk management stakeholders. Every phase of the risk management lifecycle requires action and ownership from stakeholders to continuously drive risk items to completion.
4. Create metrics to track process efficiency and quality
Continuous improvement is a key component for a newly formed process. There will be improvements that can be made once stakeholders start navigating through the process. To assist with continuous improvement, use measurable metrics to identify problem areas within the process. It could be as simple as identifying overlap in responsibilities or a potential bottleneck in the workflow.
5. Practice, practice, practice
As with everything in life if you want to be good you must practice, practice, practice. Noticeable improvements will be made once stakeholders work the risk management process start to finish. It will drive efficiency and help showcase the value being generated. It will make everyone involved look good in front of the top brass – and close that perception vs. reality gap in the organization.
Look, risk management can be complicated as we all can attest to. That is why it’s so important to make sure that your process around managing risk is efficient. We here at RiskLens want to make sure you are spending your time creating value and delivering on your program’s core objectives, not continually fighting with the process around how you work. Together, we can fix that.