The mature risk and resilience program can be measured against critical elements across governance and oversight, people and engagement, process and execution, and information and technology.

Risk & Resilience Governance & Oversight

  • The governance model is agreed upon at the board level and effectively communicated and supported across the organization
  • Policies and procedures for risk and resilience management are fully documented and consistently applied across the organization
  • The risk and resilience management framework is well defined
  • Measurement and trending are available in an enterprise view
  • Risk appetite and tolerance are well defined and understood in the context of the organization's objectives, processes, and services

People & Engagement

  • Clear roles and responsibilities are defined across the organization
  • Skills and resources are being applied to programs
  • A dedicated team is in place and recognized as a center of excellence
  • Skilled subject matter experts are engaged in reviews
  • Training and development are embedded
  • Resources are focused on the strategic, value-added components of the program rather than on tactical components
  • Some industry-standardized activities may be outsourced to shared services communities

Process & Execution

  • Processes are well defined and executed across the organization
  • There is a single version of the truth for all risk and resilience information, well integrated with other business systems
  • Risk assessment and monitoring processes are standardized and automated
  • Segmentation and risk tiering are in place
  • There is a clear view of inherent and residual risk at both the process and enterprise levels
  • A risk-based approach is applied that incorporates critical risks and long-tail impact
  • Multiple risk categories are assessed for each department, process, and service
  • Issue management is in place, and full tracking and remediation take place in a single system
  • Ongoing monitoring is established, with changes in risk profiles automatically triggering the appropriate actions
  • There is a clear view of, and controls for, the extended enterprise
  • Risk is managed through business change
  • Performance management is fully embedded in the program
  • Program improvement decisions are supported by robust data

Information & Technology

  • Best-in-class risk and resilience management software is leveraged
  • A risk portal for assessments, document collection, issue management, and collaboration engages front-line and operational management and risk owners
  • Risk intelligence content is leveraged to support automated business processes and enhanced decision making

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.