Many companies find themselves facing the daunting task of building a risk management program from scratch with little or no idea of where to begin. The trigger may be pressure from shareholders or clients, a gap between the company's practices and the industry status quo, a board of directors mandate, or an event that shook the organization and exposed a critical weakness. Every company wants to be proactive, integrated, informed, and resilient … but how does one get there if today the organization is reactive, stale, siloed, unprepared, and vulnerable?
It may seem pedestrian, but determining your approach in the context of why, who, what, and how ensures all bases are covered.
Understand your company’s motivation to implement risk management – WHY…
…are we focusing on risk management now?
…should the company dedicate resources to this effort?
…are shareholders, clients, customers, executives, and board members concerned about the company’s risk profile?
A clear vision and agreed-upon objectives are essential to the success of any program. If the foundation is not sound and does not resonate with the people expected to support it, the program will flounder and stagnate. Documenting the reason for action and the value to be gained secures downstream support and impact.
Establish a governance model and supporting resources – WHO…
…will sponsor, lead, and champion the program?
…will provide the resource support to execute the program?
…will be the decision makers?
…will ensure program objectives are met?
…will ultimately be responsible for the success of the program?
Integrated risk management requires agreement, support, and input from across the organization. Establishing this governance model first, and cultivating a culture of governance and collaboration throughout the program's lifecycle, is what allows the program to make a true impact.
Determine the information to be collected and analyzed – WHAT…
…is the company trying to understand?
…do we need to know to make decisions?
…information is already accessible?
…does leadership care about?
Making informed decisions is the goal. To get there, map the universe of data already available within your organization, identify the gaps, and the result is a clear picture of what still needs to be collected and analyzed.
Determine the means to enable your program – HOW…
…do we gather the right information?
…can the company use resources wisely?
…can we make use of subject-matter knowledge?
…should we leverage technology?
The appropriate methodology and process will support the collection of relevant information. However, standing up the program from a tactical perspective can be quite challenging. There are many areas of risk management to explore, such as information risk management, but following the steps below keeps the effort manageable:
- Define the context through which risk management activities will be performed, such as by business or functional unit, legal or geographical area, etc.
- Agree upon foundational taxonomies, beginning with process, risk, and control hierarchies, so that results aggregate consistently and reporting and dashboarding are comparable across the organization
- Execute foundational risk management activities, including risk and control identification, assessments, and analysis
Once this information foundation begins to take shape, companies can consider where to expand next. Ongoing monitoring activities such as key risk indicators, control framework mapping, and control testing and attestations are the natural next areas to explore.
Unsure how to build a risk management program?
For more on the basics of continuity, risk, and resilience, check out our podcast Building a More Resilient World, which further discusses these topics, from getting started and understanding your organization to protecting your people.
Want to see technology in action? We are here to help! Discover what’s possible with Fusion and request a demo.