The risk management strategy and policy is supported and operationalized through a risk management architecture. Organizations require complete situational and holistic awareness of risks across operations, processes, transactions, and data to see the big picture of risk in context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to risk management architecture. The architecture defines how organizational processes, information, and technology is structured to make risk management effective, efficient, and agile across the organization and its relationships.
There are three areas of the risk management architecture:
- Risk management process architecture
- Risk management information architecture
- Risk management technology architecture
It is critical that these architectural areas be initially defined in this order. It is the business processes that often determine the types of information needed, gathered, used, and reported. It is the information architecture combined with the process architecture that will define the organization’s requirements for the technology architecture. Too many organizations put the cart before the horse and select technology for risk management first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology for risk management instead of finding the technology that best fits their process and information needs.
Risk Management Process Architecture
Risk management processes are a part and subset of overall business processes. Processes are used to manage and monitor the ever-changing risk environments.
The risk management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes risk management processes, each process’s components and interactions, and how risk management processes work together as well as with other enterprise processes.
While risk management processes can be very detailed and vary by organization and industry, there are five that organizations should have in place:
- Risk identification. This is the collection of processes aimed at automating a standard, objective approach for identifying risk. Understand your surroundings. It is about the internal business context, the external environment that business operates in, and your strategy as to where the business is heading. On an ongoing basis, and separate from monitoring of individual risks, is the ongoing process to monitor risk, regulatory, and business environments as well as the internal business environment. The purpose is to identify opportunities as well as risks that are evolving that impact the overall objectives and performance of the organization. A variety of regulatory, environmental, economic, geo-political, and internal business factors can affect the success or failure of any organization. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its objectives.
- Risk assessment. Once an organization identifies risk it then can identify what can happen to help or hinder your objectives. An organization wants to identify the possibilities of outcomes to what can impact it achieving objectives. This should go beyond heat maps to include a vareity of risk analysis and assessment techniques (e.g., bow-tie risk assessments, scenario analysis, Bayesian modeling).
- Risk treatment. After the range of potential possibilities is understood, the organization needs to decide what to do. What is going to be the best route for the organization to achieve objectives while minimizing loss/harm. This gets into risk measurement activities of understanding inherent and residual risk while looking at risk strategies of risk acceptance, risk transfer (insurance), risk avoidance, or risk mitigation (controls). The goal is to optimize value and return while keeping risk within acceptable levels of risk tolerance and appetite.
- Risk monitoring. This stage includes the array of processes to continuously monitor risks in the organization. These activities are the ones typically done within the organization to monitor and assess risks on an ongoing basis.
- Risk communications & attestations. Ongoing processes to manage the communications and interactions with risk owners throughout the risk management lifecycle. These are done on a periodic basis or when certain risk conditions are triggered.
Effective risk management processes deliver:
- Holistic awareness of risk. This means there is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise risk framework. The IT architecture in place aggregates risk data and effectively communicates, monitors, and manages risk.
- Establishment of risk culture and policy. Risk policy must be communicated across the business to establish a risk management culture. Risk policies are kept current, reviewed, and audited on a regular basis. Risk appetite and tolerance are established and reviewed in the context of the business, and are continuously mapped to business performance and objectives. Technology monitors key risk indicators (KRIs) to ensure management of risk policy, and the management of risk against risk appetite, tolerance, and capacity.
- Risk-intelligent decision-making. This means the business has what it needs to make risk-intelligent business decisions. Risk strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
- Accountability of risk. Accountability and risk ownership are established features of risk management. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders and the organization’s track record should illustrate successful management of risk against established risk tolerances and appetite.
- Multidimensional risk analysis and planning. The organization needs a range of risk analytics, correlation, and scenario analysis. Various qualitative and quantitative risk analysis techniques must be in place and the organization needs an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation, or transfer — must be effective and monitored for progress.
- Visibility of risk as it relates to performance and strategy. The enterprise views and categorizes risk in the context of corporate optimization, performance, and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance, and timeliness.
The next post will explore risk management information and technology architecture. I would love to hear your thoughts and comments on risk management strategy and process . . .
This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Risk Management by Design: A Blueprint for Federated Enterprise Risk Management
- Have a question about Risk Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
- Risk Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Risk Management by Design Workshop in your organization.
- Looking for Risk Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.
GRC 20/20’s Risk Management Research includes . . .
Register for the upcoming Research Briefing presentation:
Access the on-demand Research Briefing presentation:
- How to Purchase Risk Management Solutions
- Market Overview of GRC (Risk) Content & Intelligence Providers
Strategy Perspectives (written best practice research papers):
- Risk Management by Design: A Blueprint for Federated Enterprise Risk Management
- Model Risk Management: Enabling A Firm Foundation for Model Risk Management
- Policies, The Last Mile of Risk Management: The Relationship Between Risk and Policies
Solution Perspectives (written evaluations of solutions in the market):
- Sword Active Risk: Providing 360° Contextual Awareness of Risk
- MEGA’s Solutions for Model Risk Management: Innovation in Risk Management
Case Studies (written evaluations of specific strategies and implementations within organizations):