Lacking an integrated view of risk and resilience results in business processes, services, employees, and systems that behave like leaves blowing in the wind. Organizations need to develop, nurture, and mature a risk and resilience management capability aligned with strategy, performance, and objectives that operate as a risk and resilience central nervous system. Consider the following from Steve Balmer:
“If you think of the human body, what does our nervous system let us do? It lets us hear, see, take input. It lets us think, analyze, and plan. It lets us make decisions and communicate and take action. Every company has a nervous system: companies take inputs, they think, they plan, they communicate, they take action.”Steve Balmer, former CEO Microsoft
A risk and resilience nervous system connects with other major systems of the body and provides among others analytical capability, strategic thinking, and quick response to the environment.
Managing risk and resilience effectively requires multiple inputs and methods of modeling and analyzing risk and resiliency. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. Mature risk and resilience management is built on a cohesive and mature strategy, process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events.
This means maturing an integrated view of risk and resilience management that automates and makes processes more efficient, effective, and agile. This in turn enables organizations to spend more time focusing on the analysis of risk in the context of the organization, its strategy, and objectives to enable not only resilience but also agility. Technology makes it easier to share data, while still maintaining the independence of thought and action across the organization.
Integrated and mature risk and resilience strategy with common processes, information, and technology gets to the root of the problem. Leading organizations adopt a common strategy, framework, architecture, and shared processes to manage risk and resilience, increase efficiencies, and be agile in response to the needs of a dynamic and distributed business environment. Mature risk and resilience deliver better business outcomes because of stronger risk governance in the context of the organization and its processes and objectives, which will deliver:
- Efficiency. Lower costs, reduce redundancy, and improve efficiencies.
- Effectiveness. Deliver timely, consistent, and accurate information.
- Agility. Improve decision-making and insight into what is happening across risks and operations.
Organizations need to be intelligent about what risk and resiliency management processes and technologies they deploy. A sustainable risk and resilience strategy means looking to the future and mitigating risk, as opposed to putting out fires. It requires that the following risk and resilience elements are in place:
- Understand your risk. An organization must have a risk-based approach to managing resilience and continuity of operations and services. This includes ongoing monitoring of risk in a dynamic environment as the business is continuously changing and so are its risks to strategy, operations, processes, and services. Risk assessments should cover exposure in specific processes, services, relationships, and geographies.
- Approach resilience in proportion to risk. How an organization implements risk treatment procedures and controls is based on the proportion of risk it faces. If a certain area of the organization or a business partner carries a higher risk of failure, the organization must respond with stronger resilience controls.
- Tone at the top. The risk and resilience program must be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Management must communicate that they support the risk and resilience program. At the same time, they must be well-informed about the effectiveness and strategies for risk and resilience initiatives.
- Know your business and who you do business with. It is critical to establish a risk and resilience framework that catalogs risks, processes, and services. If there is a high degree of risk exposure, additional controls may be established in response. This includes knowing your third-party relationships as well as the organization is highly dependent on the extended enterprise to deliver goods and services.
- Keep information current. Risk and resilience assessment efforts must be kept current. These are not point-in-time efforts; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk.
- Risk and resilience oversight. The organization needs a group that is responsible for the oversight of an integrated risk and resilience strategy. This requires a collaborative relationship where business continuity/resilience reports into risk management.
- Established policies and procedures. Organizations need documented and up-to-date policies and procedures that define risk and resilience responsibilities and processes. This starts with an enterprise risk management policy. These requirements and processes must be clearly documented and adhered to.
- Assessment and continuous risk monitoring. In addition to periodic risk assessment, the organization must also have regular risk and resilience monitoring activities to ensure that risk and resilience is understood in a dynamic context and how it impacts business processes, and services.
- Manage business change. The organization must monitor for changes that introduce greater risk and resilience issues. The organization must document changes that result from observations and investigations, and address deficiencies through a careful program of change management.
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.
GRC 20/20 will be presenting in detail the market, drivers, and trends to Risk Agility, Resilience, & Integrity (ESG) in the upcoming 2022 State of the GRC Market Research Briefing on March 1st . . .