“Sticks in a Bundle are Unbreakable”: The Case for an Integrated Risk Framework
Every organization faces risks and threats regardless of size, location, or industry. As the risk landscape continues to shift, it is vital for organizations to strengthen risk controls by implementing an integrated strategy. Typically, organizations structure risk management as independent teams, each led by managers specializing in one area of risk expertise and tasked with developing and implementing processes and procedures to achieve defined, measurable goals. For example, the business continuity group makes annual crisis plan updates, the information security group conducts regular infrastructure security testing, or the risk management group meets a specific target ratio for resolution of “red” rated risks. These are all sound risk control measures that individually provide resilience against an array of threats. I would suggest that integrating these groups into a risk governance framework will strengthen the effectiveness of the overall risk controls. The integration approach will be dictated by the specifics of the organization, such as culture, structure, and regulatory requirements, so the following suggestions should be tailored to fit.
Risk Tracking and Resolution
If your organization has a risk management group in place, then most likely a risk registry is maintained with all identified risks (or at least those most threatening, likely, and probable). Every risk control group (security, business continuity, etc.) should also maintain a registry of risks within its category.
Every risk control group should meet periodically (at minimum quarterly) to share, discuss, and consolidate all risks into a top ten list. This will strengthen the coordination of risk resolution and reduce overlap of effort, which will also build credibility with the issue owners.
Crisis Communication and Incident Management
When significant incidents occur that require the involvement of several groups, it is important that roles and responsibilities are clearly understood. Coordinated planning between risk control groups can ensure a more effective incident management strategy. For example, in the event that a cyber attack occurs, the business continuity group can proactively manage triggers for internal and external communications, freeing the information security team to focus on containing and resolving the threat.
Heightened Organizational Awareness of Risk Management
Conduct training and awareness sessions to explain the full scope and capabilities of the risk framework. Forming a “united front” of the different risk control groups into an integrated risk framework will bolster and clarify its strategic importance to the organization.
Risk Framework Sponsor
Assigning a sponsor, preferably at the C-level, to represent the overall risk framework is vitally important for a couple of reasons. First of all, it gives risk a seat at the top of the organization, where strategic decisions are made. Exposure to those decisions will allow better alignment of risk management with the organization’s strategic objectives. Finally, if the sponsor’s personality and status allow, she/he could be an effective promoter of risk governance, increasing visibility and support, which could come in handy when advancing future initiatives.
Every organization has a unique culture and faces threats specific to its industry, but one thing they all share is the goal of minimizing the impact of potential risks. A sound approach to achieving this is by integrating the expertise of the different risk control groups through coordination, regular communication, and alignment with strategic objectives.