Risk rarely stays isolated in a single silo. A change in one area of the business can create risk in a second area and require support from a third. Risk management is therefore a team sport: business leaders have to work with many different functions to succeed.
A connected risk approach addresses the gap between rising risk management demands and limited resources by dismantling silos, aligning teams, improving collaboration and information sharing, unifying data, and automating essential processes. When internal audit, InfoSec, risk management, and compliance leaders are empowered to advance connected risk across the business, the organization strengthens its resilience in a dynamic risk environment and leadership can make better risk-informed decisions.
In this article, we break down the crucial first steps to get started with connected risk, including:
- a vision for risk management leaders who step forward to advocate for connected risk across the enterprise
- foundational projects to tackle first
- connected quick wins risk management is well-suited to initiate
- key partners to reach out to along the way.
Our aim is to offer best practices and projects that will position you to successfully spearhead a connected risk approach in your organization. Consider sharing the other articles in our Connected Risk Quick Start Guide series with your fellow risk stakeholders in information security, compliance, and internal audit and controls — and download the Connected Risk Report for the full findings from AuditBoard and Ascend2’s survey of 514 GRC professionals in the U.S., UK, and Ireland about their approaches to connecting risk management data, people, processes, and technology across the enterprise.
Snapshot: The Forward-Thinking Risk Management Leader
The modern risk management leader is focused on protecting value while proactively seeking opportunities to create additional value. This individual understands how the business creates value and what goals and objectives the business believes will enable it to create more value. The leader then leverages this understanding to identify the risks that, when left unmanaged, will prevent the business from achieving its goals and objectives.
A forward-thinking risk management leader first makes sure all bases are covered: the appropriate people, processes, and response plans are in place to address the business’s key risks. Once that foundation is set, the leader proactively matures the organization’s risk management approach by securing the data and technology needed to drive better decision-making and to share risk information across the organization.
Within the organization, this individual is seen as a collaborator, connector, and someone who promotes awareness of the people, processes, and technologies in place to address the unknown.
Foundational Risk Management Projects to Tackle Before Connected Risk
Strengthen and expand existing risk assessment procedures beyond the basic documentation of the organization’s top risks. This includes establishing a cross-functional risk committee to evaluate and assess key risk topics or scenarios, identifying additional risk owners, and expanding the scope beyond 10-20 key risks.
Mature your organization’s risk scorecard, which defines, qualifies, and quantifies how risk is viewed, described, and assessed in the organization. This includes a risk taxonomy shared by everyone in the organization and incorporated into every risk and control assessment performed across the business, so that all findings can be contextualized in a shared language of risk.
Connected Risk Quick Wins for Risk Management
Win 1: Risk Assessments Roll Up Into ERM. To be successful, enterprise risk management (ERM) needs visibility into, and must incorporate, the risk assessments performed by complementary departments that may have deeper subject matter expertise (IT, compliance, ESG, audit, etc.). For this to work, all risk assessments should roll up into the organization’s ERM program, where the executive risk committee has established a clear risk hierarchy.
Win 2: Audit, SOX, and Compliance Work Supports Risks. Internal control, compliance, and assurance activities are mapped to enterprise risks so that their results feed a residual risk score, that is, the risk that remains after the tested controls are taken into account. This connected risk win requires a completed enterprise risk assessment and a formal mapping of the control and assurance activities (likely owned by various teams) to the risks they mitigate, continuously monitored and updated automatically as those activities are completed.
Win 3: Consolidated Approach to the Risk Remediation Process. When a risk manager concludes that a risk is not being managed to an acceptable level based on the organization’s risk appetite, there is a clear process for remediating it. Just as internal audit oversees the implementation of management action plans for outstanding issues, risk remediation activity is documented and agreed upon with the risk owner, and the risk team oversees the completion of the remediation plans.
Take Action: Identify Partners Across the Organization
Who else in the organization performs a risk assessment? Who communicates risk-related information or data to senior management and the board of directors? Who else in the organization manages controls, policies, procedures, and issues?
These answers point you to the other people assessing risks within the organization, the partners risk management should engage first to consolidate all risk work. To start, look to other teams that already perform risk assessments in the business. Examples include:
- IT and Information Security: PCI, HIPAA, HITRUST, ISO 27001 risk assessments
- Compliance: operational, ESG, Federal Sentencing Guidelines risk assessments
- Finance: SOX, fraud, and cyber risk assessments
- Manufacturing: quality assurance, EH&S, supplier risk assessments
- Audit, HR, and other departments’ risk assessments