Policies, The Last Mile of Risk Management
The Relationship Between Risk and Policies
Keeping complexity and change in sync is a significant challenge for boards, executives, and governance, risk management and compliance (GRC) professionals throughout the business. Organizations are hindered when aspects of GRC are managed in disconnected silos that do not share information or collaborate. Managing risk effectively requires that the organization have thorough context on how risk relates to other aspects of GRC, such as policies, controls and events. Risk management activities managed separately from corporate policies lead to inevitable failure. Without a policy, risk taking is left up to individuals and the integrity of the organization is in jeopardy. Policies are risk documents that expressly state expectations and boundaries. Think of policy management as the last mile of risk management. If risk management is not part of policy management, an organization spends time and resources on risk assessments that have no impact on the business and change nothing in it.
©GRC 20/20 Research, LLC. All Rights Reserved.