Maturing Your Organization’s Risk & Resiliency Program

Posted on: September 21, 2022

In our August webinar “Maturing Your Organization’s Risk & Resiliency Program,” Michael Rasmussen, GRC Analyst and Pundit at GRC 20/20, discussed lessons learned from 2020 and 2021, key elements in a risk and resilience strategic plan, and a risk and resilience management maturity model. While the webinar is worth watching in its entirety to fully understand how to effectively mature your organization’s risk and resiliency program, we detail some of the major takeaways below.

Lessons Learned from 2020 and 2021

Today’s modern business is changing minute by minute. Processes, third parties, the business environment, regulations, laws, enforcement actions, and more are changing faster than we can keep up. In financial services alone, for example, there are 257 regulatory change events every business day coming from 1,270 regulators across the world, according to Thomson Reuters. One of our challenges is keeping all of this change in sync and managing risk and uncertainty while also trying to be resilient.

In order to effectively respond to the ongoing changes that are taking place in our world today, Rasmussen discusses the importance of reflecting on the lessons that we have learned throughout the last 2+ years, explaining that these lessons showed us: 

  • Interconnected risk – The health and safety risk of the pandemic turned into an IT security and privacy risk as organizations suddenly had to worry about their workforce working from home.
  • Objectives became dynamic – Whether they are entity-level, process-level, asset-level, or department-level objectives, they all became part of navigating the chaos.
  • Disruption – We have had to face, and continue to face, constant disruption; there is no longer a “calm after the storm.” This has changed the landscape for all of our businesses. Being able to operate in an ever-changing environment has become essential.
  • Dependency on others – We can’t address risk and resiliency without looking at third-party relationships, vendors, and suppliers. They are a part of our businesses, so they must be monitored accordingly.
  • Dynamic and agile business – Modern businesses are no longer defined by brick-and-mortar walls and traditional employees; the modern organization is the extended enterprise.
  • Values were defined and tested – You need to make sure that all parts of the business are aligned with your organization’s corporate values, particularly in an era of ESG (environmental, social, and governance).

Rasmussen made an additional point, stating that “the past two years have taught organizations that in order to be resilient, they need a 360-degree view of objectives, risks, processes, and services within the organization and the extended enterprise.” 

Disruption is the new way of doing business, and every organization needs to address this as well as address digital resiliency and transformation. 

Key Elements in a Risk and Resilience Strategic Plan

While the concept of being prepared for disruptions has gained particular prominence in the last few years, the notion is not entirely new. As the physicist Fritjof Capra stated, “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.” The same idea applies to risk and resiliency management in the modern organization: you must be able to see each individual risk, understand the interconnectedness of all risks, and be prepared for their impact on objectives, processes, and delivery of services.

And as we have seen with more recent regulations, organizations must integrate risk management and operational resilience to thrive, not just survive, in this new age of disruption. So, how do you get an enterprise view of risk and resiliency? Organizations must adopt a proactive approach and build a strategy that looks to the future, mitigates risks effectively, and keeps resiliency at the forefront. To be proactive in this manner, there are various elements to keep top of mind:

  • Understand your risk
  • Approach resilience in proportion to risk
  • Tone at the top
  • Know your business and who you do business with
  • Keep information current
  • Have risk and resilience oversight
  • Establish policies and procedures
  • Run assessments and continuous risk monitoring
  • Manage business change

Understanding these key elements, and which of them your organization has implemented, will help you see where your organization stands within the risk and resilience management maturity model – and where it needs to be.

Risk and Resilience Management Maturity Model

GRC 20/20 Risk & Resiliency Maturity Model

Paula Fontana, Vice President of Product Marketing at Fusion Risk Management, states that “Risk and resiliency isn’t just a check-the-box exercise driven by compliance and heavily regulated industries. This is just good business practice.” To determine where your organization currently stands with its risk and resilience practices, you must understand each of the five stages within the risk and resilience maturity model. The five stages are:

  1. Ad Hoc – Organizations have siloed practices, no structured and ongoing risk and resilience program, and a lack of skills and resourcing.
  2. Fragmented – Organizations have a siloed approach to risk and continuity/resilience in different departments, have begun to determine a roadmap with pockets of good practice emerging, and have basic continuity plans and an understanding of risk in place, with some standardization and qualification of risk.
  3. Defined – Organizations have defined risk and resilience programs and processes with roles and responsibilities at a department level but not across departments, a formalized approach with a designed framework and monitoring practices in place at a department level, and a risk appetite and tolerance that are not yet well aligned, while inherent risk assessments are still maturing.
  4. Integrated – Organizations have a strategic approach to risk and resilience across departments, a governance model agreed at the board level, and a standardized risk and resiliency management strategy that is implemented and adopted with documented processes.
  5. Agile – Organizations have a comprehensive governance structure with periodic meetings with the board as well as regular governance review meetings, a risk appetite and thresholds that are well defined and understood, and risk mapping and segmentation that are reviewed regularly in the context of change.

Rasmussen notes that different departments within your organization can be at any of the first three stages of the maturity model, but to reach the fourth and fifth stages, your departments need to collaborate across the organization. Of course, for some organizations establishing a cross-departmental strategy is easier said than done. The first step is to determine what you are all trying to accomplish through your risk and resiliency program.

To gauge where our 200+ webinar attendees stood, we polled them on where their organization was in relation to this maturity model. Over 50 percent of attendees answered that they felt their program was “Mature,” meaning that they categorized themselves as being in the “Defined” or “Integrated” stages depending on their organization’s size. The qualifier was that enterprise organizations may be mature in the “Integrated” stage. This is a great sign that practitioners are trying to break down silos so that they can gain a holistic view of the organization while striving to reach the “Agile” stage.

Mike Campbell, CEO of Fusion Risk Management, stated, “We are seeing different adoption rates in different industries. Obviously financial services has had the target painted for them on the agile side, and a timer is ticking down for compliance.”

Careful planning is the key to a risk and resilience management strategy. It is critical to plan your journey by laying out the route ahead of time so that you are prepared to take on any disruptions that may arise. This involves understanding the stage you are at now and where you want to be in the coming years.

Enabling Integrated Risk & Resiliency Management

Maturing your organization’s risk and resiliency program starts with reflecting on lessons learned from 2020 and 2021, understanding the key elements in a risk and resilience strategic plan, and recognizing where your organization stands in relation to the risk and resilience management maturity model.

Interested in learning how Fusion can help you along your journey to risk and resiliency? Check out the solution perspective that Michael Rasmussen wrote about Fusion as a robust risk and resiliency management solution. He writes, “GRC 20/20 finds that the Fusion solution enables organizations to be efficient, effective, and agile in their risk and resilience management strategy, outpacing comparable offerings in the market.”

You can also learn more in the replay of part two of this webinar, which discusses the Role of Technology in Maturing Risk & Resiliency Management.