Connected Risk Quick Start Guide for Information Security Leaders

Risk rarely stays isolated in silos. A change in one area of the business can create risk in a second area and require support from a third. Risk management is a team sport, requiring business leaders to work with many different functions to achieve success.

A connected risk approach aims to address the gap between rising risk management demands and limited resources by dismantling silos, fostering alignment across teams, enhancing collaboration and information sharing, unifying data, and automating essential processes. Organizations can strengthen business resilience in a dynamic risk environment by empowering internal audit, InfoSec, risk management, and compliance leaders to advance connected risk across the business while enabling leadership to make better risk-informed decisions. 

In this article, we break down the crucial first steps to get started with connected risk, including: 

  • a vision for information security leaders who step forward to advocate for connected risk across the enterprise
  • foundational projects to tackle first
  • connected quick wins information security is well-suited to initiate
  • key partners to reach out to along the way. 

Our aim is to offer best practices and projects that will position you to successfully spearhead a connected risk approach in your organization. 

Check out the other articles in our Connected Risk Quick Start Guide series for fellow key roles in compliance, risk management, and internal audit and controls — and download the Connected Risk Report for the full findings from AuditBoard and Ascend2’s survey of 514 GRC professionals in the U.S., UK, and Ireland about their approaches to connecting risk management data, people, processes, and technology across the enterprise.

The Connected Risk Report: Uniting Teams and Insights to Drive Organizational Resilience

Snapshot: The Forward-Thinking Information Security Leader

The modern, progressive CISO understands the data, assets, and processes the business needs to achieve its objectives. They are responsible for identifying the risks to the business’s assets and helping it prioritize and implement the necessary controls to protect those assets. This leader accomplishes this by translating risks into a language the C-Suite understands. 

The CISO has the influence required to foster accountability across the organization to mitigate risks. They are recognized as collaborative, trustworthy, and credible — a perception that is critical for helping the business feel comfortable sharing information about its objectives, data, and processes with the CISO’s team. 

Given the rapid pace of change in the business and technology landscape, the CISO excels at using data and technology to aggregate and continuously update the organization’s picture of risk, so that leadership and the Board can prioritize and respond quickly to emerging risks. 

Foundational Information Security Projects to Tackle Before Connected Risk

Manual Aggregation/Discovery: Establish a way to inventory, track, and manage your IT assets, risks, and policies. This is important before embarking on connected risk so you have a place to input feedback from your partners and stakeholders.  

  • Asset inventory: Most people think of physical assets, but your inventory should include everything the security function is responsible for protecting, e.g., data, people, processes, entities, etc. 
  • Risk Register: This entails a common taxonomy across the organization for thinking about and discussing risks to the organization’s assets. 
  • Policies: An inventory of regulatory and compliance requirements around those assets and key controls that mitigate the risks that are being identified. 

Risk Treatment/Exception Process: Capture all critical IT and cybersecurity issues and gaps in a scalable way so that you can assign mitigation plans and treat those risks accordingly. This requires having the right integrations and automation in place to bring in the vulnerabilities and incidents that affect your GRC objectives. 

Connected Risk Quick Wins for Information Security

Win 1: Dashboard of the Organization’s Top Risks and Threats. This dashboard is broken out by business area, department, and location to show the breadth and depth of information collected. It should include: 

  • Top risks and threats by department/location/business area/business leader 
  • The organization’s riskiest assets 
  • The largest or most significant control gaps 
  • The third parties that introduce the greatest risks or the most control gaps

Win 2: Proposal of the Top Security Initiatives That Will Provide the Greatest Organizational Benefits. These are sometimes referred to as risk treatment plans and are accompanied by requests for resourcing and investment. Collaborative CISOs look for opportunities to align their plans with business needs and direction, seeking ways to reduce InfoSec risk while simultaneously addressing multiple types of risk or creating business-enabling opportunities. An example is leading a technical transformation that retires legacy technical debt, increases reliability, reduces cost, and eliminates security vulnerabilities. These plans should be reviewed collaboratively with cross-functional risk peers to ensure they reflect the current state of risk and the initiatives planned to reduce the greatest amount of risk in these areas.

Win 3: Accountability for IT Risk Ownership Across the Organization. There must be transparency and accountability for executing IT risk treatment plans, and a way to show progress. In some organizations, a quarterly governance committee meeting reviews progress. In larger organizations, accountability might entail board engagement; by contrast, in smaller organizations it might involve a dashboard or a quarterly meeting to discuss who owns each risk treatment plan, the budget required, and the timeline. The CISO must provide visibility and focus attention on areas of emerging need to influence the rest of the business to do what is necessary to keep risks under control. 

Take Action: Identify Partners Across the Organization

Who in the organization owns the most significant IT risk areas? Who are the business process owners? Who owns the assets and controls supporting and protecting critical business processes? 

These answers will lead you to the IT risk owners in your organization. You should partner with them first because they will be your advocates and allies in compelling asset owners to execute the activities necessary to mitigate those risks. Moreover, their performance is tied to achieving business objectives; once they understand that IT risk treatment plans are essential to their goals, it should be easy to gain their support.  

Consider sharing the other articles in our Connected Risk Quick Start Guide series with your fellow risk stakeholders in compliance, risk management, and internal audit and controls — and download the Connected Risk Report for the full findings from AuditBoard and Ascend2’s survey of 514 GRC professionals in the U.S., UK, and Ireland about their approaches to connecting risk management data, people, processes, and technology across the enterprise.