Checklist to Measure & Improve Risk & Resilience Maturity

The GRC PunditWritten by
Published onUpdated onDiscussionLeave a Comment on Checklist to Measure & Improve Risk & Resilience Maturity
Businessman working with tablet. Checking mark up on the check boxes. Successful completion of business tasks. Digital marketing of statistics level up of graph. Business management goal strategy.

The mature risk and resilience program can be measured against critical elements across governance and oversight, people and engagement, process and execution, and information and technology.

Risk & Resilience Governance & Oversight

  • The governance model is agreed upon at the board level and effectively communicated and supported across the organization 
  • Policies and procedures for risk and resilience management are fully documented and consistently applied across the organization 
  • The risk and resilience management framework is well defined 
  • Measurement and trending are now available in an enterprise view 
  • Risk appetite and tolerance are well defined and understood in the context of objectives, processes, and services of the organization

People & Engagement

  • Clear roles and responsibilities across the organization 
  • Skills and resources are being applied to programs 
  • A dedicated team is in place and recognized as a center of excellence 
  • Skilled subject matter experts engaged in reviews 
  • Training and development are embedded 
  • Resources are focused on strategic value-added components of the program rather than tactical components 
  • You may be outsourcing some industry standardized activities to shared services communities

Process & Execution

  • Well-defined and executed processes across the organization
  • There is a single version of the truth for all risk and resilience information that is well-integrated with other business systems
  • Risk assessment and monitoring processes are standardized and automated
  • Segmentation and risk tiering is in place
  • Clear view of inherent and residual risk at both the process and enterprise levels
  • Applying a risk-based approach that incorporates critical risks and the long-tail impact
  • Multiple risk categories being assessed for each department, process, and services
  • Issue management is in place, and full tracking and remediation is taking place in a single system
  • Ongoing monitoring is established, with changes in risk profiles automatically triggering the appropriate actions
  • Clear view and controls for the extended enterprise
  • Managing risk through business change
  • Performance management fully embedded in the program
  • Program improvement decisions are facilitated by robust data

Information & Technology

  • Leveraging best-in-class risk and resilience management software 
  • Risk portal for assessments, document collection, issue management and collaboration to engage front-line and operational management and risk owners
  • Leveraging risk intelligence content to support automated business processes, and to support enhanced decision making

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.

DOWNLOAD: Risk & Resiliency Management Maturity Model

Leave a Reply

Your email address will not be published. Required fields are marked *