Defining & Communicating a Culture of Risk
I am baffled by the ignorant that are happy with their blinders and do not see how governance, risk, and compliance interrelate and support each other to form GRC. Today we will look at how the R (risk) in GRC needs governance and compliance.
Risk professionals can suffer with a myopic view of their work – a lack of imagination, foresight, or intellectual insight. They are comfortable with their quantification work and love Monte Carlo simulations, Bayesian modeling, and Value at Risk algorithms. They do not always understand how risk interacts with governance and compliance to properly steer and direct the organization to stay within mandatory boundaries of laws and regulations as well as the voluntary boundaries of risk culture, tolerance, appetite, and values.
Risk by the OCEG definition in Red Book 2 is defined as . . .
“. . .the measure of the likelihood of something happening that will have an effect on achieving objectives; most importantly, but not exclusively, an adverse effect. Thus, Risk Management is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders. The overriding goal of risk management is to realize potential opportunities while managing adverse effects of risk.”
Risk management does not happen in a vacuum – it needs Culture & Context (the first elements of the GRC Capability Model). The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined. That is where risk needs governance. The board and management have to clearly define and communicate the culture of risk taking, acceptance, tolerance, and appetite. If the governance function does not do this – risk taking is up to individuals and the integrity of the organization is in jeopardy.
Once a proper culture of risk management is defined – including risk tolerance, and appetite – this gets established and communicated through policies and procedures. This is where risk needs compliance. Compliance is more than adhering to laws and regulations – it is making sure that risk culture, policies, procedures, and controls are being adhered to. In the case of risk management, compliance plays a critical role in communicating policies and validating that the organization is staying within proper boundaries of risk taking established by the governance roles in the organization.
The elements of governance, risk, and compliance are three legs of the GRC stool. You take any one away and the stool becomes unstable. They need and depend on each other.
My advice . . . organizations need to establish an enterprise committee to initiate a collaboration on defining, communicating, and managing a culture of risk in their environment. The goal is to define and communicate a culture of risk, establish it in policy and procedures, and monitor adherence to staying within boundaries of risk tolerance and appetite. The complex interrelationship of risks requires that an organization gain an enterprise view of risk by overcoming the silos of risk management. Risk management should develop relationships with corporate compliance to help communicate policies and monitor adherence and enforcement of them.
A well defined GRC system and process will not only do risk assessment and modeling, but also will deliver the definition, communication, and training on policies and procedures. The system will map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets, and logical assets), as well as incidents & loss.