Risk management has come a long way since its origins as a financial instrument for the insurance industry in the mid-1900s. Now, it’s a mainstream corporate function – due in large part to regulations that have been brought in by various industrial and governmental institutions seeking to tackle some of the major calamities of more recent time. From the global financial crisis to BP’s Deepwater Horizon disaster, risk management and regulatory compliance play major roles in establishing why crises have happened, and how they can be prevented from occurring again.
As is the case with emerging technologies, there have been multiple early adopters and pioneers. However, the majority are jumping on the risk management bandwagon either because it’s become fashionable, or because they are being told to do so by industry bodies – not because they have an in-depth understanding of what risk management is, how it could best be applied to their organisation nor fully appreciate the benefits of doing so.
As a result, whilst the motives for deploying a risk management programme within a business are positive, it can quickly become a tick-box exercise simply to comply with the relevant regulations once the initial implementation is complete, and the original sponsor is focused elsewhere.
It is also crucial that the risk management process isn’t derailed by excessive focus on science and methodology. This often puts off many employees, who just want to get back to doing their day jobs, and see risk management procedures and checklists as an obstructive waste of time, filling out forms and submitting reports.
Yet risk management, performed well and intelligently, can add great value to businesses, departments and projects. The key element of this value lies in the formal approach it provides to governing, helping to chart a path through uncertain and potentially turbulent times in the future. This is especially important for senior management and executives undertaking enterprise risk management where time is in short supply and hightly valuable to them. It creates a structured environment for brining together and facilitating debate between key decision makers and subject matter experts, highlighting threats and opportunities that may not otherwise have been visible to the people who could do something about them.
Discussion points
So, for risk management to be more than a regulatory exercise, two main factors need to be introduced. First, the real value to businesses and senior management lies in the discussion and information sharing processes resulting from the risk management process. These should be maintained and encouraged, rather than letting the process become dominated by maintaining spreadsheets.
Second, steps must be taken to ensure that the vital process of data aggregation is efficient and effective, rather than onerous and cumbersome. At SureCloud, we manage this through user profile dashboards, ensuring that each stakeholder can access and input only the data that they need, rather than suffering information overload. This also allows for the multiple levels of reporting required by multi-tiered organisations. Each person involved focuses only on what they need to do.
Effective risk management must be both focused and strategic. Organisations need a range of risk analysis methods that incorporates evidence libraries, impact and likelihood tables, and risk registers. They also need to be able to normalise and aggregate risk. Some business units will be smaller than others, yet carry disproportionately high risk, so companies need to be able normalise the risks by unit size, contribution to overall revenues, and so on so they can get a true picture of what’s important to the business.
Above all, don’t lose focus on the main objective of the risk management process, irrespective of the chosen methodology. Ultimately, risk management is about better informing yourself and your peers through the sharing of information – to not only safeguard but, critically, to enhance your business.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.