<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TPRM - DoubleCheck Software</title>
	<atom:link href="https://www.doublechecksoftware.com/category/tprm/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.doublechecksoftware.com</link>
	<description>Engage Your Enterprise</description>
	<lastBuildDate>Wed, 03 Jan 2024 20:29:12 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6.5</generator>

<image>
	<url>https://www.doublechecksoftware.com/wp-content/uploads/2018/09/cropped-doublecheck-icon--32x32.png</url>
	<title>TPRM - DoubleCheck Software</title>
	<link>https://www.doublechecksoftware.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Four “Be Brave” Resolutions for GRC and ERM Programs in 2024</title>
		<link>https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/</link>
					<comments>https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 03 Jan 2024 20:29:07 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[risk register]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3728</guid>

					<description><![CDATA[<p>“Be Brave” Resolution #1 – Critique and Hone Your Risk Rating Scales All risk rating scales are not created equal. The new year is a good time to consider critiquing yours&#8230;and honing them, as advisable. Here are some thoughts for severity and likelihood rating scales: 1) Mere adjectival identifiers (e.g. high, rate etc.) are worthless,<a href="https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/">Four “Be Brave” Resolutions for GRC and ERM Programs in 2024</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><strong>“Be Brave” Resolution #1 – Critique and Hone Your Risk Rating Scales</strong></p>
<p>All risk rating scales are not created equal. The new year is a good time to consider critiquing yours&#8230;and honing them, as advisable.</p>
<p>Here are some thoughts for severity and likelihood rating scales:</p>
<p>1) Mere adjectival identifiers (e.g. high, rate etc.) are worthless, open to a multitude of individual interpretations. Instead, be brutally specific.</p>
<p>2) Consider allowing severity to be predicated on a variety of different indicators (e.g. financial impact, brand/reputation, regulatory, strategic etc.). Whatever column particularly lends itself to the risk in question &#8211; and best resonates with the risk owner &#8211; that&#8217;s how potential severity for that risk should be viewed.</p>
<p>3) Likelihood rating scales should not measure the chance of incurring any risk event (why worry about fender benders?) but, rather, the likelihood of a &#8220;significant&#8221; event (rated 3 or above), based upon the severity table that you formulate.</p>
<p>4) Customize your likelihood scales with absolute clarity. For instance, an &#8220;almost certain&#8221; rating might expect a significant event once every year and, at the other end of the spectrum, a &#8220;rare&#8221; rating might project a significant event only once every 50 years. Focus on the likelihood of a significant event and establish explicit temporal measures.</p>
<p>5) Rating scales can be equally applied to risks both before controls (inherent) and with controls in place (residual).</p>
<p>6) The risk result &#8211; the multiplicative product of severity and likelihood &#8211; is an eminently justifiable and understandable approach that melds together severity and likelihood, in order to put the combined ratings of all risks in your universe on an even playing field.</p>
<p><em>In summary: Break down your rating scales. Don&#8217;t be afraid to modify them. Don&#8217;t let &#8220;good enough&#8221; be good enough.</em></p>
<p> </p>
<p><strong>“Be Brave” Resolution #2 – Critically Evaluate Your Risk Register Reality</strong></p>
<p>Immediately investigate the possibility of implementing an automated risk register solution that is customized, straightforward, intuitive and pragmatic.</p>
<p>Consider leaving behind your current use-case, whether it consists of merely performing ERM by hand (e.g. Excel spreadsheets) or trying to make do by utilizing someone else&#8217;s application (e.g. audit, insurance company, claims handler) that is inflexible and ineffective.</p>
<p>Double down on emphasizing the importance of the risk register to your ERM program by establishing one risk owner for every exposure in your universe and identifying and monitoring controls for each risk, by line of defense. With this ERM governance structure in place, roles and responsibilities will be defined, accountability expected and ERM risk culture will benefit.</p>
<p>One possibility worth consideration: <a href="https://www.doublechecksoftware.com/products/risk/enterprise-risk-management-erm-one/">ERM One™</a> is a viable alternative for those: a) without an automated tool or b) saddled with someone else’s application.</p>
<p> </p>
<p><strong>“Be Brave” Resolution #3 &#8211; Think in Terms of 60-Second Blocks of Time</strong></p>
<p>Why 60 seconds? What are some actual tangible examples of why this strategy might work?</p>
<p>1) Develop ERM elevator speech #1 – a succinct one-minute summary of the strategic importance of ERM, an explanation that ties together the company’s key objectives to the iterative, tactical execution of risk management. You never know when you will need this. You are well served to be ready. Clear and simple, with conviction and passion.</p>
<p>2) Construct ERM elevator speech #2, of the same duration, encapsulating the key strategic ERM initiative of the moment (e.g. cyber risk, ESG etc.). There’s always a hot topic for ERM – that’s the beauty of the profession. Let your voice show the excitement. Revel in describing it.</p>
<p>3) On every single piece of written correspondence, force yourself to lead with a Summary or a Summary Recommendation paragraph that the reader can digest in one minute. No more than 225 words. Straight to the point. Make your best case. Don’t bury your key points at the end of a meandering e-mail. Captivate the audience up-front.</p>
<p>4) Use the entreaty “can I have one minute of your time on the phone?” via e-mail or text. If you have built a reasonable reputation, the person being beseeched will have a tough time refusing this request…do so judiciously and respectfully. Stick precisely to a minute – be uber-prepared as to what you are looking for.</p>
<p>Think 60 seconds.</p>
<p> </p>
<p><strong>“Be Brave” Resolution #4 – Focus on “Words Matter” and “Actions Count” to Achieve GRC/ERM Excellence</strong></p>
<p>Two (2) maxims for ERM/GRC excellence &#8211; 1. <strong>&#8220;Words Matter&#8221;</strong> and 2. <strong>&#8220;Actions Count&#8221;</strong>. Hand in hand, this pair of principles drives ERM/GRC performance.</p>
<p>Here&#8217;s the reasoning:</p>
<p><strong>&#8220;Words Matter&#8221;</strong> &#8211; The disciplines of ERM and GRC demand precision. There is no room for inaccurate, nebulous, or empty wording. Ditto for jargon or obscure acronyms. Less is more. Get and give everything in writing. Record the chronology. Be explicit and date-specific in expectations. Hold to your deadlines. When in doubt, ask questions. Don&#8217;t assume anything. This world (of ERM/GRC) is far too important to merely guess. There is no place for the esoteric, academic or hypothetical. Total clarity is the byword, whether in establishing ERM/GRC context, laying down its foundational elements such as governance or culture, or explicitly detailing the steps in tactical execution. Rating scales must have exact and rigorous definitions so there is no confusion. Language should be energetic and convincing. There&#8217;s a whole lot at stake, each and every single day.</p>
<p><strong>&#8220;Actions Count&#8221;</strong> &#8211; Thrive on the adjective &#8220;actionable&#8221; and the noun &#8220;deliverable&#8221;. How are you converting context, philosophy and strategy into tangible and decisive action? Does your ERM/GRC program stop at the ivory-tower, risk appetite level (e.g. high, medium, low) or does it drill down and manage to explicit tolerances, through the establishment of key risk indicators (KRIs)? What is the escalation provision associated with every exceedance of risk tolerance? Is the three lines of defense a conceptual diagram or an embedded, day-in-and-day-out demonstration of risk culture? Are risk ratings from deputized risk owners appropriately critiqued and challenged in order to ensure the validity of risk priority rankings?</p>
<p>Two ideas worth remembering on ERM/GRC &#8211; <em><strong>&#8220;Words Matter&#8221;</strong></em> and <em><strong>&#8220;Actions Count&#8221;</strong></em>.</p>
<p>About the Author:<br />Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.</p>


<p>The post <a href="https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/">Four “Be Brave” Resolutions for GRC and ERM Programs in 2024</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3728</post-id>	</item>
		<item>
		<title>Why Settle For Less? Twenty (20) Elements in a World-Class ERM or GRC Program</title>
		<link>https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/</link>
					<comments>https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 13 Oct 2023 19:44:51 +0000</pubDate>
				<category><![CDATA[Audit Management]]></category>
		<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[GRC reports]]></category>
		<category><![CDATA[risk register]]></category>
		<category><![CDATA[Third Party Risk Management]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3699</guid>

					<description><![CDATA[<p>A World-Class Enterprise Risk Management (ERM) or Governance, Risk and Compliance (GRC) program offers numerous benefits to organizations of all sizes and across various industries. Here are 20 key elements needed for the creation of an efficient, effective, and successful program: 1. Mission Statement Purposeful connection of strategy and tactics 2. Framework – Part A<a href="https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/">Why Settle For Less? Twenty (20) Elements in a World-Class ERM or GRC Program</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>A World-Class Enterprise Risk Management (ERM) or Governance, Risk and Compliance (GRC) program offers numerous benefits to organizations of all sizes and across various industries. Here are 20 key elements needed for the creation of an efficient, effective, and successful program:</p>
<p>1. Mission Statement</p>
<ul>
<li>Purposeful connection of strategy and tactics</li>
</ul>
<p>2. Framework – Part A</p>
<ul>
<li>Strategic context (“Who are you and what are you trying to achieve?”)</li>
<li>Without this, there is no reason for ERM or GRC</li>
</ul>
<p>3. Framework – Part B</p>
<ul>
<li>Foundational underpinning (Culture and Governance)</li>
<li>Connective tissue existing between strategy and tactics</li>
<li>Underlying essence; these foundations are in place at all times</li>
</ul>
<p>4. Framework – Part C</p>
<ul>
<li>Tactical Execution (4-Step iterative process: identify, assess, mitigate and monitor)</li>
</ul>
<p>5. Governance Structure</p>
<ul>
<li>Clear-cut roles and responsibilities</li>
<li>Best portrayal: Three lines of defense</li>
</ul>
<p>6. Universe</p>
<ul>
<li>4 categories – 3 common (&#8220;Finance&#8221;, &#8220;Operational&#8221; and &#8220;Strategic&#8221;) and 1 unique (“Core Business”)</li>
<li>Dynamic; encompasses emerging risks</li>
<li>Aligns with always-changing nature of risks themselves</li>
</ul>
<p>7. Rating Scales</p>
<ul>
<li>Understandable</li>
<li>Severity, likelihood, direction and velocity</li>
<li>Inherent and residual</li>
</ul>
<p>8. Policies</p>
<ul>
<li>Major risks (dozen or so)</li>
<li>Each comprised of: definition; goal; roles and responsibilities (1st/2nd/3rd lines); appetite; tolerances</li>
</ul>
<p>9. Language</p>
<ul>
<li>Succinct; simpler is better</li>
<li>Don’t throw in unnecessary phrases (“I was able to…”)</li>
<li>Precise; exact</li>
<li>Iterative; over and over</li>
<li>Powerful</li>
<li>One shot; on the mark; needs to resonate</li>
<li>Use present tense whenever possible (alive, here and now)</li>
<li>Pragmatic (understands dynamics, keeps big picture in mind)</li>
<li>Embedded and actionable</li>
<li>Positive (figure out a way, convince)</li>
<li>Purposeful and insistent</li>
<li>Rigorous and disciplined</li>
<li>Not merely esoteric, hypothetical or academic</li>
<li>Put away the pom-poms; self-praise is no praise</li>
</ul>
<p>10. Reporting</p>
<ul>
<li>Risk arrow heat map</li>
<li>Risk owner report</li>
</ul>
<p>11. Overall Cultural Model</p>
<ul>
<li>Code of ethics</li>
<li>What do your people do when no one is watching?</li>
<li>Behaviors you expect and tolerate</li>
</ul>
<p>12. Risk Culture</p>
<ul>
<li>Shared understanding towards risk</li>
</ul>
<p>13. Deputized Risk Owners</p>
<ul>
<li>Subject matter experts</li>
<li>Hold them accountable</li>
<li>Don’t be afraid to critique or challenge</li>
<li>Ensure that people are not just going through the motions (e.g. no changes year-to-year)</li>
<li>Educate them; understand this is not their day job</li>
<li>Depend upon them, and their perceptions, heavily</li>
<li>You are only as good as what they provide</li>
<li>Be respectful of their time</li>
</ul>
<p>14. Risk Owner Surveys</p>
<ul>
<li>Take the opportunity to ask special, “hot-button” questions each year</li>
<li>Don’t overdo it</li>
</ul>
<p>15. Risk Appetite</p>
<ul>
<li>High, medium, low</li>
<li>Tolerances – exact point at which appetite exceeded</li>
</ul>
<p>16. Configurability</p>
<ul>
<li>Collaborate with a vendor having a matching mindset</li>
</ul>
<p>17. The Fuel of Passion</p>
<ul>
<li>Get excited and stay excited</li>
<li>How many people have this opportunity?</li>
<li>Keep turning insights into actions</li>
<li>Don’t be dragged down by leanness of resources, staggering workload, sometimes-mundane nature of work or undervalued role by others</li>
</ul>
<p>18. The Importance of Pride</p>
<ul>
<li>No slouching</li>
<li>Do not accept a back seat</li>
<li>No sloppiness or mistakes should be tolerated; prompts the question &#8211; what else is wrong? How can I have confidence in anything?</li>
<li>It’s a huge job; don’t ever forget that</li>
<li>Keep the mission statement in mind</li>
<li>Cognizant of the overall framework that melds together strategic context and tactical execution</li>
</ul>
<p>19. Transferability to Other Risk-Related Areas</p>
<ul>
<li>Every single risk-related area could benefit by adhering to these 20 elements</li>
</ul>
<p>20. Risk Register</p>
<ul>
<li>Organizational (&#8220;tree&#8221;) view as well as workbench view</li>
<li>Workbench for risk owners</li>
<li>Doesn’t need to be exorbitant $</li>
<li>Seemingly fashionable these days to downplay or disparage importance of the risk register</li>
<li><strong><a href="https://www.doublechecksoftware.com/products/risk/enterprise-risk-management-erm-one/">ERM One</a></strong> – a viable alternative to:
<ul>
<li>doing without an automated tool or</li>
<li>tolerating someone else’s system</li>
</ul>
</li>
</ul>
<p>Closing Thoughts:</p>
<ul>
<li>Get ready for the elevator speech</li>
<li>Trapped in the elevator with CEO and asked to give him/her your impressions of GRC/ERM priorities in 30 seconds</li>
<li>No excuses – take the time to do the dirty work beforehand</li>
<li>Connect the dots, dot by dot</li>
<li>Build the program, brick by brick</li>
<li>Bold, presumptuous goal (“World-Class”)?</li>
<li>Shoot for the moon; even if you miss, you’ll land among the stars</li>
<li>Common denominators</li>
<li>Better every day; better than yesterday</li>
<li>Incremental improvements</li>
<li>Keep attacking</li>
<li>Heed the children’s book classic &#8211; “The Little Engine That Could”</li>
<li>Mission: reach the boys and girls on the other side of the mountain</li>
<li>When it found itself in trouble, neither a shiny new passenger engine, with all sorts of compartments, nor a big strong engine was necessary</li>
<li>All that was needed was a little blue engine who “tugged and pulled”, “pulled and tugged”</li>
<li>“I think I can” was converted into “I thought I could”</li>
</ul>
<p>About the Author:<br />Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.</p>


<p>The post <a href="https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/">Why Settle For Less? Twenty (20) Elements in a World-Class ERM or GRC Program</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3699</post-id>	</item>
		<item>
		<title>De-Mystifying (and Explaining the Connection Between) Risk-Related Acronyms and Phrases</title>
		<link>https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/</link>
					<comments>https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 13:07:25 +0000</pubDate>
				<category><![CDATA[Audit Management]]></category>
		<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[cybersecurity software]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[risk register]]></category>
		<category><![CDATA[Third Party Risk Management]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3671</guid>

					<description><![CDATA[<p>One acronym after another. An ice cream headache, for sure, trying to understand the similarities, differences and connectivity between all these terms. You need to do it, however. Simplify, simplify, simplify. Break it down and truly comprehend everything. Get ready for the proverbial elevator speech, if the need for one materializes. Toward that goal, here<a href="https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/">De-Mystifying (and Explaining the Connection Between) Risk-Related Acronyms and Phrases</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>One acronym after another.</p>
<p>An ice cream headache, for sure, trying to understand the similarities, differences and connectivity between all these terms.</p>
<p>You need to do it, however.</p>
<p>Simplify, simplify, simplify.</p>
<p>Break it down and truly comprehend everything.</p>
<p>Get ready for the proverbial elevator speech, if the need for one materializes.</p>
<p>Toward that goal, here are several recommendations:</p>
<ol>
<li><strong>Establish Enterprise Risk Management (ERM) as Your North Star</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>This is not meant to diminish or disparage other acronyms but merely to state an undeniable fact that needs to be accepted.</li>
<li>ERM is the granddaddy of them all.</li>
<li>Every component of all other risk-related acronyms or topics emanates from ERM or the framework established around ERM (Risk Management Framework).</li>
<li>In other words, the world revolves around ERM.</li>
<li>If you don’t like that fact, get over it.</li>
<li>Get on with the business of managing risk.</li>
</ul>
</li>
</ul>
<ol start="2">
<li><strong>Don’t: Quibble, Be Smarter by Half, or Get Hypothetical, Esoteric or Academic with your Language</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>Every word matters.</li>
<li>Take no chances.</li>
<li>Leave nothing up in the air.</li>
<li>Use precision in all matters in such an important discipline.</li>
<li>Several useless debates, for example:</li>
</ul>
</li>
</ul>
<ol>
<li style="list-style-type: none;">
<ol>
<li style="list-style-type: none;">
<ol>
<li>Three Lines of Defense vs Three Lines of Responsibility. Use the former.</li>
<li>ERM vs Integrated Risk Management (IRM). Use the former.</li>
<li>ERM vs Strategic Risk Management. Use the former.</li>
</ol>
</li>
</ol>
</li>
</ol>
<ol start="3">
<li><strong>It’s All About the Risks, Stupid</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>I say this with affection, and as a reminder to myself, as much as to others.</li>
<li>Easy to lose sight of.</li>
<li>Treat risks as if you are bare-naked; do not rely on the safety blanket of insurance.</li>
<li>Remember: in the long-term, you will pay all your losses.</li>
<li>Another way of saying this: if a company had the financial wherewithal, it could (and should) self-insure all risks. No insurers, no brokers – just risk managers.</li>
<li>Imagine that.</li>
<li>GULP!</li>
</ul>
</li>
</ul>
<ol start="4">
<li><strong>The Risk Register</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>It can also be termed a Risk Universe; that’s OK.</li>
<li>It’s not, however, a Risk Taxonomy (ouch, that sounds painful) or a Risk Catalog (when did we end up in the library?).</li>
<li>Call it Severity, not Impact, so that everyone in the organization is on the same page.</li>
<li>Define Severity in multiple ways, using a 1-5 Rating Scale (e.g. Financial (% of Capital), Brand/Reputation, Regulatory Intervention, Strategic).</li>
<li>For the same reason, call it Likelihood, not Frequency.</li>
<li>Define Likelihood in a temporal manner, using a 1-5 Rating Scale (e.g. a significant event happening every 1, 5, 10, 25 and 50 years).</li>
<li>Bottom line: the fewer terms you use, and the more rock-solid certain those terms and definitions are, the better.</li>
</ul>
</li>
</ul>
<ol start="5">
<li><strong>ERM vs GRC</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>GRC is a well-accepted, more bite-sized subset of ERM, plain and simple.</li>
<li>The R (Risk) in both acronyms is identical – it refers to ERM.</li>
<li>The C in GRC is Compliance, an operational risk in the ERM risk register as well as one of the foundational components (Culture and Ethics) of ERM.</li>
<li>Finally, G refers both to Corporate Governance, an ERM Operational risk, and to another ERM Foundational component, namely Governance. There, the various roles and responsibilities in the ERM equation are definitively laid out (e.g. Three Lines of Defense).</li>
</ul>
</li>
</ul>
<ol start="6">
<li><strong>ERM vs Compliance</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>As stated above, the C refers to Compliance, an operational risk in the ERM risk register.</li>
<li>There is nothing to prevent the Compliance function from deciding to further break down that exposure into sub-risks, in order to better delineate and manage on a more granular basis. (The last company I worked for broke down Compliance into 62 such sub-risks.)</li>
</ul>
</li>
</ul>
<ol start="7">
<li><strong>ERM vs Internal Audit</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>Internal Audit plays a vital 3rd Line of Defense role in all risk matters.</li>
<li>Audit Planning should align with risk priorities.</li>
<li>Certain risks on the ERM risk register are more logically tied to Audit (e.g. Fraud); the Head of Internal Audit could, in fact, be risk owner for those exposures.</li>
</ul>
</li>
</ul>
<ol start="8">
<li><strong>ERM vs ESG</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>The G (Governance) in ESG has already been covered, within ERM.</li>
<li>The S (Social) in ESG can be tracked to the ERM foundational component of Culture (Overall Cultural Model, Ethics and Compliance).</li>
<li>E, for Environmental, will align with the Climate Risk particulars enumerated on the ERM risk register.</li>
</ul>
</li>
</ul>
<ol start="9">
<li><strong>ERM vs DEI</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>There is not a more important risk-related acronym on the horizon today than DEI (Diversity, Equity and Inclusiveness).</li>
<li>Start before you are ready on this – just get going.</li>
<li>If it needs improving, do so tomorrow from the base of today.</li>
<li>All of these items (DEI) need to be embedded in your Cultural Model, a vital ERM foundational component.</li>
<li>A crucial ERM risk like Human Resources – Management Development needs to be appropriately expanded and honed to yield the type of organization you want. How do you develop diverse talent, then grow and mentor them?</li>
<li>You need to operationalize DEI throughout the culture of the organization.</li>
<li>Set up key risk indicators (KRIs) in your ERM risk register to allow you to monitor – and constantly improve – your controls.</li>
<li>Like ERM, DEI is an iterative, evergreen process.</li>
</ul>
</li>
</ul>
<p>About the Author:<br />Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.</p>
<p>The post <a href="https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/">De-Mystifying (and Explaining the Connection Between) Risk-Related Acronyms and Phrases</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3671</post-id>	</item>
		<item>
		<title>Governance, Risk and Compliance (GRC) &#8211; Pursuing the “Ideal” Frame of Reference</title>
		<link>https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/</link>
					<comments>https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 31 Jul 2023 18:21:16 +0000</pubDate>
				<category><![CDATA[Audit Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[GRC reports]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3634</guid>

					<description><![CDATA[<p>When it comes to any discussion involving the acronym GRC (Governance, Risk and Compliance), understanding the speaker’s frame of reference is paramount. From a vendor’s perspective, GRC refers to an automated suite of capabilities designed to address a broad range of challenges associated with critical disciplines managed by the client (e.g. compliance, risk management, audit,<a href="https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/">Governance, Risk and Compliance (GRC) – Pursuing the “Ideal” Frame of Reference</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>When it comes to any discussion involving the acronym GRC (Governance, Risk and Compliance), understanding the speaker’s frame of reference is paramount.</p>
<p>From a vendor’s perspective, GRC refers to an automated suite of capabilities designed to address a broad range of challenges associated with critical disciplines managed by the client (e.g. compliance, risk management, audit, corporate governance etc.), allowing that same company to reduce uncertainty, achieve the entity’s key strategic objectives and meet its stakeholder obligations.</p>
<p>Again, that perspective on GRC, which sounds straightforward enough, is being viewed through the eyes of the vendor.</p>
<p>Probably the same for every vendor, right?</p>
<p>Not so fast.</p>
<p>More holistically, would it be identical to how the client defines GRC?</p>
<p>Another no.</p>
<p>Let’s look at the delineating factors.</p>
<p>From a vendor perspective, what comprises each individual GRC system is totally dependent upon each vendor.</p>
<p>Simply put, not all systems are created with identical features.</p>
<p>The rationale is straightforward and understandable.</p>
<p>Look no further than the broad construct of the GRC umbrella – consisting of risk, compliance and a final element of governance that, drilling down to more specific risks, can be incredibly broad and wide-ranging (e.g. audit, corporate governance oversight, policy management, fraud, model, ESG, AI etc.).</p>
<p>It’s not hard to understand how the inevitable differences in system emphasis and packaging could (and do) result.</p>
<p>As a consequence, the GRC marketplace has found itself flooded with competing vendor-centric solutions, each seemingly in search of the next, new GRC challenge.</p>
<p>A skeptic could argue that each successive GRC solution becomes more inflexible, costly, complex and/or esoteric than the prior one.</p>
<p>With all these drivers, the “ask” of the GRC client often becomes to:</p>
<ul>
<li>Accept a system that is unwieldy and inflexible</li>
<li>Tolerate system features that you don’t need</li>
<li>Sacrifice other elements that you (or your Board of Directors) really want</li>
<li>Endure a bevy of reports, scorecards etc. that are neither pertinent nor understandable</li>
<li>Tolerate service standards that seem average, at best</li>
</ul>
<p>Needless to say, this is not really music to the client’s ears.</p>
<p>From a client’s perspective, therefore, the pursuit of a GRC solution all too often narrows to a choice that is best termed as “one-size-fits-all” or “take-it-or-leave-it”.</p>
<p>That’s not the way it’s supposed to be, if you roll back the tape and try to comprehend what GRC means at the 40,000-foot level. Maybe it’s time to take all this in and perform a sanity check of your GRC system.</p>
<p>After all, system capabilities and design should be all about the client.</p>
<p>With that in mind, how does a client think about GRC and, as a result, how should the vendor “ideally” design the system to meet those client needs?</p>
<p>First, the basic governing premise for GRC needs to be established, as follows:</p>
<p><strong><em>The profound, pervasive and vitally important challenges that drive GRC emanate from the company, not from the vendor.</em></strong></p>
<p>This principle, which always has been, and always will be, true, cannot be overstated.</p>
<p>It’s not about forcing the client to perform contortions – and sacrifice functionality – to align with an inflexible, rigid tool.</p>
<p><em>As a 35-year real-life practitioner in the GRC space (25 years as a corporate risk manager and 10 years in the ERM Governance and Disclosure world), <strong>I know whereof I speak</strong>.</em></p>
<p>While the concept of GRC is said to have been created over 20 years ago (2002), the underlying challenges actually constituting those GRC exposures <strong>have been around forever</strong>.</p>
<p>They were certainly there in front of me on my first day as a risk manager in 1985, well before that “umbrella” concept of GRC was “created” and/or the first automated tool was developed.</p>
<p>Having said that, and mindful that there is no one “best” prescribed system or solution, it can be stated with certainty that a GRC automated tool should possess the following attributes:</p>
<ul>
<li>Capable of evolving and growing over time</li>
<li>Potential upgrades should be straightforward</li>
<li>Solution must be dynamic, nimble and agile</li>
<li>As such, it should be configurable</li>
<li>Can be either modular or holistic</li>
<li>Data must be able to be shared across modules</li>
<li>There needs to be cross-functional coordination</li>
<li>The system must be unified and linkable</li>
<li>There should be rich, robust functionality</li>
<li>The system needs to understand the business context of the company (what it does) as well as its culture and stakeholders</li>
<li>GRC strategy must be aligned with the overall business objectives</li>
<li>The tactical execution for each of the constituent parts of the GRC automated application must be part of the tool</li>
<li>Monitoring of GRC system performance must involve a robust, fully-embedded business intelligence platform</li>
</ul>
<p>With all these features in hand, a unified approach to GRC capabilities within the overall solution should allow a company to leverage GRC information across the enterprise.</p>
<p>By linking key elements across risk, compliance, audit and corporate governance (as well as related disciplines), the solution should be able to streamline processes and maximize the use of information dashboards and analytics that cross boundaries.</p>
<p>Similarly, linked solutions reduce overlap, share overall insight, reuse work and tackle siloed GRC responses while securing what’s private.</p>
<p>A representative listing of GRC system activities might be, as follows:</p>
<p><strong>Compliance</strong></p>
<ul>
<li>Document controls, assess performance, manage exceptions</li>
<li>Tools to manage regulatory change and document compliance framework</li>
<li>Test or assess performance, manage remediation and share status results with stakeholders</li>
<li>Financial (SOX, PCI); Industry (NERC, HIPAA); Departmental (HR, IT)</li>
<li>Approvals, Attestations, and Certifications</li>
</ul>
<p><strong>Risk</strong></p>
<ul>
<li>Systematic approach to identify, assess, mitigate and monitor risks</li>
<li>Centers on risk register</li>
<li>Empower Risk Owners to manage and assess their own topic risk set</li>
<li>Goal is to collaborate with risk owners and other internal and external associates in a clear and transparent manner</li>
<li>Board-level reports and scorecards should be available to be generated in order to assess performance and establish risk priorities</li>
</ul>
<p><strong>Audit</strong></p>
<ul>
<li>Program definition based on client-specific reporting</li>
<li>Management insight into audit execution and planning</li>
<li>Management review, overrides to final plan</li>
<li>Engagement planning</li>
<li>Electronic workpaper management</li>
<li>Issue and remediation management</li>
</ul>
<p><strong>Governance</strong></p>
<ul>
<li>Policy definition</li>
<li>Policy review and renewal</li>
<li>Demonstrable performance</li>
</ul>
<p><strong>Other GRC-Related Activities</strong></p>
<ul>
<li>Model risk surveys, including reliance on Artificial Intelligence (AI)</li>
<li>Fraud-risk studies</li>
<li>Cyber risk (information security)</li>
</ul>
<p><strong>Summary</strong></p>
<p>An “ideal” GRC solution revolves around specific customer needs. Enterprise GRC software that supports Compliance, Risk, Audit or Governance needs should be a highly configurable solution that can be tailored to a company’s users, data and processes. Embedded business intelligence features should generate the dashboards and reports that are needed for internal and external purposes. GRC solutions should support business processes, not the other way around. Each of the components of GRC is integrally linked to the achievement of a company’s corporate objectives.</p>
<p>About the Author:<br />Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.</p>
<p>The post <a href="https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/">Governance, Risk and Compliance (GRC) – Pursuing the “Ideal” Frame of Reference</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3634</post-id>	</item>
		<item>
		<title>The Compelling Case for an ERM Mission Statement</title>
		<link>https://www.doublechecksoftware.com/the-compelling-case-for-an-erm-mission-statement/</link>
					<comments>https://www.doublechecksoftware.com/the-compelling-case-for-an-erm-mission-statement/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 10 Mar 2023 14:52:43 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[mission statement]]></category>
		<category><![CDATA[risk register]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3475</guid>

					<description><![CDATA[<p>Risk is best defined as the “effect of uncertainty on the achievement of objectives.” The successful management of risk, therefore, is integrally connected to the achievement of the company’s strategic objectives. Enterprise Risk Management (ERM) is an essential discipline that all companies need to install, embed, and inculcate into the organization, in order to: Set<a href="https://www.doublechecksoftware.com/the-compelling-case-for-an-erm-mission-statement/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/the-compelling-case-for-an-erm-mission-statement/">The Compelling Case for an ERM Mission Statement</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><strong>Risk is best defined as the “effect of uncertainty on the achievement of objectives.” </strong></p>
<p>The successful management of risk, therefore, is integrally connected to the achievement of the company’s strategic objectives.</p>
<p>Enterprise Risk Management (ERM) is an essential discipline that all companies need to install, embed, and inculcate into the organization, in order to:</p>
<ul>
<li>Set risk priorities and actionable resource allocation.</li>
<li>Uncover organizational weaknesses.</li>
<li>Expose hidden, value-add opportunities to exploit.</li>
<li>Assure the active and continuous process surrounding the management of risks, since the universe of company risks doesn’t manage itself.</li>
<li>Enable the timely flow of risk information to all company stakeholders</li>
<li>Gain support from organizational leadership (people with a true and holistic view of company) since those individuals are the key decision-makers who establish budgets and allocate resources.</li>
</ul>
<p>As a vital first step towards the establishment of a robust and meaningful ERM program, all companies should develop and agree upon a <strong>mission statement</strong> for that critically-important discipline of ERM, one that:</p>
<ul>
<li>Explains the here-and-now (not aspirational) purpose of ERM</li>
<li>Centers on actionability, not empty buzzwords or jargon</li>
<li>Is succinctly expressed, intent upon inspiring understanding, consensus and transparency</li>
<li>Combines ERM strategy with its tactical execution</li>
</ul>
<p>To address all those points, how about considering adoption of this concise mission statement, one that ties together the “what” with the “why” of ERM?</p>
<p><strong><em>“Enterprise Risk Management (ERM) is the process to identify, assess, mitigate and monitor all enterprise-wide risks that might impair the company’s ability to achieve its strategic business objectives.”</em></strong></p>
<p>Every word matters in this ERM mission statement. It is boiled-down, simpler-is-better, with eyes always on the ERM “reason-for-being”.</p>
<p>Specifically, the ultimate goals of the ERM mission statement are to:</p>
<ul>
<li>ensure ERM is given its full importance within the organization, not perceived as an adjunct to other corporate functions, like Compliance or Internal Audit</li>
<li>establish ERM as a pragmatic and usable regimen, not some stand-alone, academic hypothesis, to realize its maximum impact</li>
<li>pinpoint the risk register – covering the universe of all enterprise-wide risks – as the centerpiece and starting point of all ERM activity</li>
<li>underline the iterative, four-step tactical execution process (identification, assessment, mitigation and monitoring) associated with ERM and that company risk register universe</li>
<li>highlight the ultimate strategic importance of ERM in ensuring that key high-level company objectives (e.g. earnings performance, capital adequacy, liquidity, reputation) are best promoted</li>
</ul>
<p><strong>Quite simply, the engine that drives a powerful ERM mission statement is the risk register.</strong></p>
<p>Toward that end, <a href="https://bit.ly/3Jorpsn">ERM One™</a> is a revolutionary, yet straightforward, risk register application built on what DoubleCheck LLC has, over time, been privileged to learn from its clients. <a href="https://bit.ly/3Jorpsn">ERM One™</a> is an out-of-the-box tool that delivers an integrated ERM process together with a comprehensive, high-level categorization of exposures (Financial, Core Business, Operational and Strategic), fully loaded with over 60 pre-populated risks to be used as a starting point for the risk register.</p>
<p>In short, <a href="https://bit.ly/3Jorpsn">ERM One™</a> incorporates into one intuitive, turn-key risk register product the best-practice tools and content to help optimize ERM and thereby put your firm on a path to achieving its strategic business objectives.</p>
<p>About the Author:</p>
<p>Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. His specific experience involved being corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role on ERM best practices for the advancement of DoubleCheck’s new ERM One™ application.</p>


<p>The post <a href="https://www.doublechecksoftware.com/the-compelling-case-for-an-erm-mission-statement/">The Compelling Case for an ERM Mission Statement</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/the-compelling-case-for-an-erm-mission-statement/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3475</post-id>	</item>
		<item>
		<title>Risk Management In A Down Economy</title>
		<link>https://www.doublechecksoftware.com/risk-management-in-a-down-economy/</link>
					<comments>https://www.doublechecksoftware.com/risk-management-in-a-down-economy/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Thu, 02 Feb 2023 21:29:38 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[TPRM]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3437</guid>

					<description><![CDATA[<p>One of the biggest challenges to risk management programs, including cyber risk, arises from imposed belt tightening when economic downturns constrict funding and other resources. We’ve all been there from one time or another. All your efforts to re-evaluate risk management program needs, gaps, and improvements to further your maturity and completeness are derailed when<a href="https://www.doublechecksoftware.com/risk-management-in-a-down-economy/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/risk-management-in-a-down-economy/">Risk Management In A Down Economy</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>One of the biggest challenges to risk management programs, including cyber risk, arises from the belt tightening imposed when economic downturns constrict funding and other resources. We’ve all been there at one time or another. All your efforts to re-evaluate risk management program needs, gaps, and improvements to further your maturity and completeness are derailed when funding and other resource allocation priorities leave you with far less to work with than hoped for or planned. However, this isn’t an “all-or-none” situation. When economic conditions require companies to constrict spending, it’s an opportunity to adjust risk management’s focus and sharpen some processes and practices nearer to home. There’s great value to be gained through this approach, as it leaves little room for waste or excess in its execution. Let’s take a look at some best practices to follow.</p>



<p><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color"><strong>Turn Your Focus Inward</strong></mark><br>Many researchers and cyber experts point out that internal risks are often found to be the root cause of serious breaches and cyber incidents. This is also the case for many operational incidents and events. Frankly, such concerns also fall well within your risk program’s ability to manage and mitigate, and they often fall within the realm of matters where operating controls you can influence will address such risks. The scope of internal focus is broader than you might perceive at first consideration. Included in this category are staff, of course, but also processes, policies, internal audit findings and recommendations, operating metrics, tools, education, and communication. This is not an exhaustive list, and depending upon your line of business there may be even more. Moreover, fine-tuning or upgrading the controls that address these business processes and practices is often economical to determine and execute: it relies upon current resources and staff and, as a result, is not necessarily as seriously impacted by corporate belt tightening that may have deferred staff expansions or other resource costs.</p>



<p><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color"><strong>Revisit Insider Risks</strong></mark><br>How often have incident investigations led to determinations of internal root causes, specifically through the actions of insiders? Insiders may be staff, or contractors performing services within your organization. The recent FAA “event” that shut down domestic air travel nationwide is a current example of a reported error by an internal contractor. Insider risk needs to consider how you detect and address actions that are both intentional and accidental. Do your critical processes have steps to catch malicious or accidental errors that would result in serious loss of services? I recall often asking software development groups if they had a staging server set up that always mirrored current production. Making changes to that environment, loading new products, etc., was a great step to prove that an apparently well-tested and documented change would, in fact, flow into the production environment without causing disruption. Many groups resisted this as unnecessary until, upon detailed review, it was often disclosed that there were “helper” or supporting bits of code or other resource configuration adjustments, not in production, that needed to accompany any live implementation. The extra step of implementing into a staging server prevented a lot of downtime and lost confidence in products, as well as lost revenue, through this seemingly “over-cautious” change in practice.</p>



<p>The incidental or accidental risks associated with insider threats are often addressed through training and communication. These programs are likely already in place, but often left out of consideration for regular attention and upgrade. Is the content of your staff training really current to your technology, processes and policies? How often is it reviewed? What did your most recent risk assessment tell you about the strength and validity of your training efforts? Likewise, how do you promote and communicate policy and process changes? Are they well documented? Can users easily identify and source current versions? What controls are in place to assure critical staff are kept current? These are often not expensive matters to monitor and control, nor to fine tune and update where needed. And this is a great time to refocus attention looking inward at them to do so.</p>




<p><strong><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color">Sharpen Your Tools</mark></strong><br>Great cooks and chefs alike know that sharp tools are safer than dull ones. This practice generalizes well to many business practices, including risk management. Take a good, hard look at your risk management systems and supporting tools. Are they current? Have you maintained control set updates, standards, reporting software, policy repositories, linkages to related systems for internal audit, distributing assessments, and whatever else you may use to assess, detect, mitigate and monitor risk? Are you using old software on older hardware that might gain efficiencies or performance upgrades by a modest upgrade in either, or both? Have you outgrown the old systems, found maintenance fees excessive and might you gain efficiencies and functionality through something new offered through an “as-a-service” arrangement? How about the reports you produce? Do they answer critical business questions? How well do they keep your leadership informed about risk? Do they help executives examine and re-assess their risk appetite as business conditions change? What key information might you provide to do this better, and, will your current tools produce the data you need in a form you can utilize in your reporting?</p>



<p>Looking back at the analogy to cooking tools, do you have more knives than you need, and, equally important, do you have the right ones? Risk management systems built by cobbling together many pieces intended for other applications, but pressed into service to help “make do”, don’t offer economical operating solutions. And keeping big, overly complex solutions that don’t serve the needs of today is like trying to use a cleaver when you need a paring knife to do detail work. The result is clumsy, inefficient, ineffective, and often prone to waste and error. Sometimes, the acquisition of something new, combined with the retirement of something already in place, can yield financial and operating economies. Such opportunities, where present, offer rich gains to your program and the overall management of risk across your enterprise. Examine the tools, but also the processes they require to make them work, and any additional steps, supporting practices and materials needed to perform risk assessments, detect risks, events, and anomalies, and analyze findings that you can report and discuss in a meaningful business context. For example, can you distribute access to risk assessment content, gather results, aggregate findings, and produce reports all within one platform’s framework of services, or do you have to string together a number of separate services, and manage those connections manually, to make the whole system work? Factor in the staff resources needed to do that, because they could be assigned to other duties yielding more meaningful and valuable outcomes if not otherwise occupied with keeping a series of plates spinning.</p>



<p><strong><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color">Outsource Services</mark></strong><br>Many executives firmly believe outsourced services are economical compared to internal operations. And, in many cases, this may be a valid approach to working through an economic downturn. Risk management, and cyber risk in particular, are important functions for any company, but they are rarely among the core competencies or services offered to its clients and customers. For example, banks and other financial services institutions all promote security as a core aspect of their services, but at root they offer money, investments, insurance, or other financial products to their customers. Their core competency lies with those financial services, with security (and risk management by inference) as a value-add to their product and service features. Security may be a distinguishing feature or a particular promotional benefit, but mortgages often sell on their interest rates and fee structures, not on security, which is often presumed to be in place. If you are relying upon a burdensome, aging, and difficult-to-operate enterprise risk management (ERM) platform that consumes a lot of resources just to perform the basics, you may be positioned to reap economies of service, staff resources, and even finances by outsourcing your tools to an as-a-service platform provider. Today it is common to outsource aspects of security and risk management technologies where significant expertise is needed to configure and maintain them, such as data loss prevention (DLP), network, and other monitoring and data analysis services. It’s also now possible to operate your ERM platform as a cloud-based service hosted by a third party. This reduces your dependence upon centralized IT resources, and any need to duplicate them locally in your operation. Technical training burdens, upgrade management, maintenance and support costs are all offloaded as an expense to a third-party vendor.</p>



<p><strong><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color">Strengthen Third Party Management</mark></strong><br>There is some low-hanging fruit to be harvested from careful, thoughtful third-party risk management (TPRM). Much of it pertains to linking risk assessment to your third parties, and even more comes from careful monitoring of contract terms and conditions. Incorporating key suppliers into your risk assessments makes your assessment more complete and reflective of your true risk footprint. Keep in mind that losing a key supplier without adequate backup options, or using one whose security provisions don’t match your company, industry, regulatory, or contractual obligations, is a very risky, and potentially expensive, move. A good ERM platform should be able to assist your monitoring and performance of both. Factor that into your plans for risk management. Also, make sure you are tracking when payments are due, opportunities for discounts, obligations to provide material or services in support of the supplier’s services, and other contract terms. Keep in mind that TPRM is an internal process, often tied closely to procurement. But it also has lines into finance, audit, compliance, and fulfillment that can lead to many dollars expensed or saved depending on how well it’s managed.</p>



<p><strong><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color">Opportunity Is Always There</mark></strong><br>An economic downturn is a challenge. It’s also an opportunity to look inward and refine what works, and address what doesn’t. You can use it to take stock of what is done well and what improvements, within the scope of services and processes that “really need to be done”, can be made with the resources at hand, or with new ones that can economically upgrade or replace them. It would be wise to focus upon essentials. By identifying those, you can also see where some process, activity, or service pruning may be possible without sacrificing the quality and scope of your risk program. Risk does not recognize a down economy; rather, it takes advantage of one and feeds off the convenient moves managers make without consideration for their consequences. Your risk program can help draw a map pointing out the obstacles and dangers in the waters, offering guidance to executives to help them navigate a down economy safely with a sound enterprise equipped to address whatever comes its way.</p>



<p><strong><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color">How can ERM One™ help?</mark></strong><br>ERM One™ is a DoubleCheck offering uniquely positioned to help address the challenges of risk management in a down economy. It incorporates into one intuitive, turnkey application the best-practice tools and content to help optimize the crucial discipline of Enterprise Risk Management (ERM) and thereby put your firm on a path to achieving its strategic business objectives. DoubleCheck fully understands and supports the merits of ERM and the benefits of its adoption by all companies.</p>



<p>ERM One™ centers on the successful implementation of the ERM mission statement.<br>Although ERM does enjoy general theoretical support as an important business discipline, it has become undeniably evident to DoubleCheck that there are shortcomings in ERM acceptance and program structure. Challenges range from no ERM platform in place at all to a complex and inflexible infrastructure that is in effect but not delivering as effectively and efficiently as needed. DoubleCheck has concluded that the time has come for a responsive, alternative solution. With the design and rollout of ERM One, DoubleCheck is stepping in to fill these voids in a unique, get-it-done manner.</p>



<p>ERM One™ adheres to ERM best practices and, very importantly, presents a risk register system that has been preconfigured and prepopulated in a manner not seen before in the GRC marketplace. DoubleCheck has structured the tool in a modular manner, with options available to add incremental GRC functions or advanced business intelligence (BI) capabilities to extend functionality. Further, services and features are highly integrated into one package. Reporting is embedded in, rather than independently aligned to, content and processes, making the risk management practice a seamless effort rather than a disjointed one.</p>



<p>About the Author:<br>Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he has led efforts to achieve ISO2700x certification and HIPAA compliance, and has held the CRISC, CISM and CISA credentials.</p>



<p>The post <a href="https://www.doublechecksoftware.com/risk-management-in-a-down-economy/">Risk Management In A Down Economy</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/risk-management-in-a-down-economy/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3437</post-id>	</item>
		<item>
		<title>Annual Tune-Up Time For Your Risk Management Program</title>
		<link>https://www.doublechecksoftware.com/annual-tune-up-time-for-your-risk-management-program/</link>
					<comments>https://www.doublechecksoftware.com/annual-tune-up-time-for-your-risk-management-program/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 03 Jan 2023 17:47:25 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[risk register]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3273</guid>

					<description><![CDATA[<p>Like cars, whose investment and value we protect and preserve with regular annual maintenance at the least, your GRC and risk management processes and tools require careful regular service to preserve and extend their value and utility. Business environments are fluid.  Change is a reliable variable from one year to another. Your business may have<a href="https://www.doublechecksoftware.com/annual-tune-up-time-for-your-risk-management-program/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/annual-tune-up-time-for-your-risk-management-program/">Annual Tune-Up Time For Your Risk Management Program</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>Like cars, whose investment and value we protect and preserve with regular annual maintenance at the least, your GRC and risk management processes and tools require careful regular service to preserve and extend their value and utility. Business environments are fluid.  Change is a reliable variable from one year to another. Your business may have expanded, or contracted.  You may be offering new products or services, or have engaged new partnerships, suppliers, or service providers.  Your contract portfolio may have new obligations, performance requirements, or deadlines.  Regulations may have changed, or perhaps your business has, and so now falls within scope of some regulatory oversight you were not obliged to address in the past.  There may be other differences between your last fiscal year and the present. So, how do you go about performing a tune-up for your risk management practices?  Let’s explore that in more detail.</p>
<p><strong>Start With The Risk Register</strong></p>
<p>Your risk register is the foundational core of your program. It’s the compass and map of your program. If it’s no longer complete, or no longer aligned to your business, your ability to effectively manage risk across your lines of business will falter. Examine its detail. <img decoding="async" class=" wp-image-3272 alignright" src="https://www.doublechecksoftware.com/wp-content/uploads/2023/01/CO1-Jan-1-300x207.png" alt="" width="268" height="185" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2023/01/CO1-Jan-1-300x207.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2023/01/CO1-Jan-1-1024x705.png 1024w, https://www.doublechecksoftware.com/wp-content/uploads/2023/01/CO1-Jan-1-150x103.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2023/01/CO1-Jan-1-768x529.png 768w, https://www.doublechecksoftware.com/wp-content/uploads/2023/01/CO1-Jan-1.png 1120w" sizes="(max-width: 268px) 100vw, 268px" />Does it still account for all the operations, services, practices, commitments and obligations the business has in place or plans to enact in the year approaching? Were there audit or regulator reviews that pointed out issues you can monitor by adjusting details in your risk register? Have you expanded the number of third parties you rely upon to deliver services and products to your customers? Have other stakeholders requested information you haven’t collected and evaluated because there’s a related gap in your register? Look back at the process you went through to create your register initially. Repeat that effort to ascertain that the risk register detail is as complete as needed for your business as it stands now. Then examine your business goals for 2023. Are there any further changes needed? Keeping your risk register in top condition and well-polished is a vital first step.</p>
<p><strong>Policies and Procedures</strong></p>
<p>A dynamic business and risk program needs current policies and procedures to govern its efforts. Policies take the most work to adjust, given the lengthy approval process many businesses employ. Procedures need to reflect the “how” of work to be done. Often, policies grow out of new requirements, new business obligations, or changes in laws or regulations. Procedures need to align with policy. They must also describe methods and practices crafted to deliver outcomes that achieve useful work, within the prescribed policy guidance. Too often, resistance to change, performing tasks one way because “that’s the way it’s always been done,” can cause procedures to fall out of alignment with policy. Worse, that process inertia can cause issues with regulatory and contractual compliance obligations, which are likely to be more fluid and dynamic over time. Process inertia’s opposite twin, process acceleration, occurs where changes are made on the fly to address an exceptional event, and then become instantiated going forward. In these cases, they distort what the business needs and how it needs to operate. Both situations create risks. There may be metrics you normally use to measure process effectiveness. It’s useful to have threshold values associated with such metrics. Below-threshold outcomes may be indicative of process inertia, while excessively high values might indicate acceleration. Look back to your risk register again. How is it incorporating process-related risks into its content? It’s important to make sure your register doesn’t overlook process-related risks.</p>
<p><strong>Workflows And Risk Assessment</strong></p>
<p>When you tune something, it’s important to examine your tools to make sure they are also operating correctly. This helps you prevent introducing anomalies as an outcome of their detection and correction. Examine your workflow schemes, whether manual or automated. Has your organization, reporting structure, or assigned subject matter experts changed since your last assessment? Did your escalation practices, where present, trigger in efficient timeframes to the right levels of leadership? Did you experience bottlenecks that can now be remedied by adjusting workflow configurations, timing, or direction?</p>
<p>Also, look at your recent risk assessment and any post mortem notes you might have on process feedback. Are there refinements to participant training that you may make? Are your risk scoring methods clear to participants and providing useful information to analytics? Were communications to stakeholders specific, clear, and timed to inform the process and keep it moving effectively forward? What problems occurred along the way and what might you do to address them in your next cycle?</p>
<p><strong>Gap Analyses</strong></p>
<p>Gap analyses seem to be a practice analogous to a skeleton key. No matter the situation, there’s always room to evaluate where you are, compared to some target state, i.e., where you want to be. They’ve been around under many names and presented as part of many processes. Simply put, they measure how far your current situation is from some planned-for or worked-toward state. If you’ve developed metrics along the way to measure your risk management process effectiveness, this may be a really simple and quantitative process. If you don’t have such metrics, you’ll need to be a bit more qualitative. Don’t leave your desired target state out of your review. Is it still realistic, or not aggressive enough? How does it align with your company’s risk appetite, stance regarding compliance, and regulatory performance? Are there new metrics that would help you measure and monitor “gap performance” in the future? Does your current process produce the data you’ll need to calculate those metrics? So many questions to consider.</p>
<p><strong>Integration With Audit, Compliance, Operations And More…</strong></p>
<p>Quality risk management programs do not exist in a vacuum! As part of your tune-up, take a look at how well your risk program incorporates data from other processes, while delivering information to inform the efforts of other disciplines throughout your company. Meeting contractual compliance and regulatory obligations can have a financial, operational, and reputational impact. Does your risk program contribute to understanding and measuring these risks? Have internal and external audit findings been used as a data validation for your risk scores where findings and remediation were reported? Does your risk program inform audit processes of areas for scrutiny? From a leadership perspective, have your program leaders from risk management met with peers in audit, legal, operations, and regulatory compliance to discuss what can be done to leverage your combined efforts to the greatest value for your company, while working to reduce overlapping or redundant efforts that pose unnecessary demands upon participants and other stakeholders? While it’s useful to have such meetings on a regular basis, at least quarterly reviews should pay a dividend in efficiency while maximizing data value and process refinements.</p>
<p><strong>Reporting</strong></p>
<p>Good reports answer specific questions with clarity. Great ones also do so, while inspiring additional questions whose answers provide useful, actionable direction and deeper understanding for executive leadership. Do you have good reports? What would make them great? What questions have your leaders asked that current reports do not answer? What answers do you provide now to questions nobody asks? Too much reporting is not good reporting. When someone tells you they need to “know everything,” it’s a sign of poor leadership. They do not understand the key drivers of their business, and mask that by asking for “everything” in the hopes that such volumes of reporting will provide answers to any question or circumstance that may occur. It’s inefficient, wasteful of resources, and ineffective. One of the great values a risk management program can offer is guidance on what matters, and what does not. Pointing out key metrics, and demonstrating why they are important to monitor within a prescribed range of values, can help leadership learn to use risk management data effectively. Doing so can cascade over to other management practices and lead to more efficient data gathering and reporting practices companywide.</p>
<p><strong>Tuning While Operating</strong></p>
<p>This is a great time of year to begin the process of performing your tune-up.  Business is focused upon a new calendar year, new goals, new initiatives, and eyes and minds are focused upon the horizon ahead. Factor the tune-up tasks into your risk management calendar.  Take advantage of low hanging fruit, tasks easily accomplished quickly and with minimal resources.  Identify ones you can do on the fly as you prep for an assessment or other activity.  These will be less disruptive than other larger ones.  And finally, plan for changes that are larger, require more resources, and commitments from others outside your own domain of control. By planning and distributing your tune-up tasks across your program calendar, you make the changes easier for participants to adapt and make the appearance of the volume of change seem lighter and simpler than if they were all gathered together into a single mass to be absorbed and understood by all affected.  This approach may also make the cooperation of other areas easier to gain, both for simple requests and ones requiring larger commitments of resources if and when necessary.</p>
<p><strong>When Your Tune-Up Efforts Say It’s Time For Something New</strong></p>
<p>Many years ago, I worked with another manager who performed a study about maintaining corporate vehicle fleets. The task was to understand when it was optimal to stop repairing vehicles as they aged, and simply replace them instead. His exploration was exhaustive, and the results, at first glance, surprising. From a purely financial viewpoint the answer was “never.” It was always cheaper to fix than replace. But his analysis did not stop there. When downtime, repair frequency, process, and transportation disruptions, among other features, were taken into consideration, a very different answer, a more definitive duration, became clear. This study is now over 30 years old, and the result then was, as my dimming long-term memory recalls it, about 8 years. But that’s not the point. Taken holistically, there comes a time when things, processes, machines, and such, no matter how well maintained, are better replaced than continuing to band-aid them together for “one more round.” Once you’ve finished noting all the things needed for your tune-up of your risk management process, it’s also time to take an objective look at how much work it needs to continue to provide the services and value expected from risk management. Change is more than time and materials for a discrete few doing the work. It may also incorporate re-education, and workarounds to accomplish tasks that cannot be supported directly. Deferring very useful processes or steps because your current system can’t support them, or requiring participants in assessments or other stakeholders to do more manually, or worse, just “do without” because of limitations in your tools or technology, is not an effective risk management strategy.</p>
<p>If your tune-up needs are becoming more of an overhaul than a refinement, you may be reaching that place where something new is the more effective, efficient, and, over time, more cost-effective approach than extensive repair and shouldering increasingly complex burdens to keep the old systems functional. Looking back to that fleet replacement study, you may find yourself in a place where continued extensive repair may no longer be the best approach for your business or your risk management program. Taking that long, hard look is an important aspect of the tune-up process. As your new year begins, look well upon the vehicles you’ll ride into the year, and choose wisely!</p>
<p>About the Author:<br />Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>


<p>The post <a href="https://www.doublechecksoftware.com/annual-tune-up-time-for-your-risk-management-program/">Annual Tune-Up Time For Your Risk Management Program</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/annual-tune-up-time-for-your-risk-management-program/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3273</post-id>	</item>
		<item>
		<title>Your Embedded ERM Infrastructure May Have Become A Risk Enabler…What You Can Do About It</title>
		<link>https://www.doublechecksoftware.com/your-embedded-erm-infrastructure-may-have-become-a-risk-enablerwhat-you-can-do-about-it/</link>
					<comments>https://www.doublechecksoftware.com/your-embedded-erm-infrastructure-may-have-become-a-risk-enablerwhat-you-can-do-about-it/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 02 Dec 2022 15:22:53 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[TPRM]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3221</guid>

					<description><![CDATA[<p>Enterprise software has a reputation for strength, resilience, and robust capabilities that enable it to fulfill all the expectations of management and lead to solid justification for the expense of staff resources, time, and treasure needed to establish its presence. Or so the story goes. This is the sales pitch, and candidly, it’s sometimes what<a href="https://www.doublechecksoftware.com/your-embedded-erm-infrastructure-may-have-become-a-risk-enablerwhat-you-can-do-about-it/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/your-embedded-erm-infrastructure-may-have-become-a-risk-enablerwhat-you-can-do-about-it/">Your Embedded ERM Infrastructure May Have Become A Risk Enabler…What You Can Do About It</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>Enterprise software has a reputation for strength, resilience, and robust capabilities that enable it to fulfill all the expectations of management and lead to solid justification for the expense of staff resources, time, and treasure needed to establish its presence. Or so the story goes. This is the sales pitch, and candidly, it’s sometimes what does happen. Whether it’s an enterprise resource planning (ERP) system, a Customer Relationship Management (CRM) offering, an enterprise risk management (ERM) system or any one of a number of other categories of enterprise-in-scope integrated software solutions, there is much more to delivering the promise than making a purchase, installing the software and marveling at the delivered wonders. And the problems often begin with the buyers and the “process” they use to make purchase decisions.</p>
<p><strong><span style="color: #3366ff;">It Begins With Problems, Issues, Needs, and Requirements</span></strong><br />No one just decides to invest in enterprise software. There must be an identified issue or problem, which is expressed as a need. That need leads to a question: “what must we do to satisfy the need?” The answers create a set of requirements, and they become the criteria for “shopping” for a solution. This must seem pretty straightforward, and it may be. However, sometimes cloudy thinking, brought on by participants who may have another agenda, or lack a deep understanding of your current business, its operations, and the issue or obligation that started the whole process, may alter this effort in unknown ways. Of course, different departments may insert requirements reflecting the “how” of any solution. Finance may be concerned with the costs. IT may have standards for platform technologies that favor some offerings over others. There may be existing relationships with some solutions providers that may incent purchasing and procurement managers to favor their offerings. You can see how this process could build quite the diverse set of “requirements to satisfy the original business issue.” But the final, aggregate requirements list eventually becomes the evaluative tool for selecting a solution.</p>
<p><strong><span style="color: #3366ff;">Shopping For Value vs Political Safety</span></strong><br />There is no single process or means to this end. But there are some interesting factors that can come into play originating from sources extraneous to the operating requirements determined in the process just outlined above. One is “political” risk related: the perceived risk of making an error in selection. Another is over-compensating. The first often leads to screening out all solution providers who don’t have an existing relationship with your firm. It can also lead to limiting consideration to only solutions with a significant brand reputation built by years of catering to Fortune 100 enterprises and providing solutions whose scope and power have been touted by many analysts, pundits, press, and business groups who follow industry leaders as determined by characteristics like revenue, employee population, number of installations, offices, and partners, to name a few metrics. These are valid considerations in some instances, where requirements merit. But in many cases, this can lead to only exploring battleship-scale solutions when a sailboat would suffice admirably. Once upon a time when considering computer hardware, company procurement managers were cautioned that “nobody ever got fired for buying IBM,” even when their product features were not the best match against identified needs. The second risk, of over-compensating, attempts to address all possible needs identified now while foreseeing any others that might occur tomorrow. It’s an aggressive approach that mistakes complexity and feature diversity for capability and fit to the specific situations and requirements of your own organization. This is analogous to the scenario where one person purchases a major home appliance based on all the bells, whistles, lights, and buttons, while the primary user’s need for some key, simple features is completely overshadowed by the sparkling promise of a device that can “do everything.”</p>
<p>Either course of action leads down a path to encounter several problems for risk managers who need actionable solutions at appropriate scale that can deliver timely results and useful information to guide executive decision making that enables effective risk management:</p>
<ul>
<li>Complex, rigid enterprise solutions set in place as the institutional “standard”</li>
<li>A user environment that’s not streamlined for ERM processes</li>
<li>Dependence upon IT for ERM requirements and configurations&#8230; e.g. reports, workflows, etc.</li>
<li>A GRC system focused on managing process related risks instead of enterprise risks, prioritizing the “how” over the “what.”</li>
</ul>
<p>Let’s look at each of these in a bit more detail.</p>
<p><strong><span style="color: #3366ff;">Complex Enterprise Solutions</span></strong><br />The needs of specific divisions, subsidiaries, or other organizational parts of a business, however they are determined, may require more flexibility and adaptability than an enterprise solution may offer if it was installed and customized or configured to always address the enterprise as a whole. Such an implementation leads to standards-based rules and procedures binding its processes into a rigid framework that cannot easily flex for one area alone. Also, the process of making change is often bound to a management decision and approval hierarchy that’s slow to adapt.</p>
<p><strong><span style="color: #3366ff;">A User Environment Not Streamlined For ERM Processes</span></strong><br />Some systems are designed around a set of user standards and information management rules that can lead to panel designs, process steps, roadmaps and data groupings optimized to those standards rather than to the key practices and requirements for ERM processes. Some enterprise systems began life focused upon one discipline or topical area, and “evolved” into enterprise ERM solutions over time, while retaining the user attributes best suited to their origins. This can make training users who otherwise understand ERM processes harder to achieve and longer to complete, and may require much more supporting documentation than would otherwise be needed, adding time, resources, and cost to risk management processes.</p>
<p><strong><span style="color: #3366ff;">Dependence Upon IT</span></strong><br />This may be the most frustrating concern of all. Seeing the need for change, knowing what must change to adjust a process, trying to produce a report to communicate effectively with key stakeholders and executive management, or trying to respond to new configurations of workflows, organizational groupings, or compliance rules, and then needing to reach out to a centralized IT function with its own priorities and resource schedules, can be deeply frustrating. Also, there may be inadequate training for this centralized support service, so requests may lead to referrals back to the vendor, then to IT and finally, back to the requesting units. This all consumes valuable time, and erodes the risk management unit’s ability to respond effectively to the business, to its operating environment, and to its regulatory and compliance obligations.</p>
<p><strong><span style="color: #3366ff;">A GRC System Focused On The “How” Over The “What.”</span></strong><br />Such a system really pays most attention to managing process related risks instead of enterprise risks, prioritizing the “how” over the “what.” It delivers rigid, difficult-to-change methods for performing ERM processes, to ensure consistency and reliable repetition. Such centrally controlled IT schedule and resource priorities may not match your business’ risk management obligations. Regardless, when you need specific reports, modifications to workflow parameters or escalations, email routing, or any other automated provisions of this ERM system, a request into a centralized IT department is necessary. And not all the changes you request may be granted. You may be focused upon the delivery of a risk assessment, seeking flexible response and input options to facilitate dynamic situations, or a simplified review workflow to speed findings delivery, while such an enterprise ERM may be managed to assure standardized process methods are followed without exception to address data integrity, management approval hierarchies or other internal process standards and practices.</p>
<p><strong><span style="color: #3366ff;">Navigating Change In A Structured World Of Standardization</span></strong><br />There is no single path to successfully garnering the use of alternatives to deeply embedded, standardized ERM implementations. There are some options that may provide leverage and lead to success:</p>
<ul>
<li>Find a solution that does fit your needs now, with means to extend in scope and function if or when needed. Show how using that solution would help you better align risk management with current business needs and foster achievement of company goals now. This can include noting that resilience to sustain and recover from incidents of all dimensions greatly improves with responsive, nimble, and informative risk management processes.</li>
<li>Compare your local requirements to the enterprise ERM in place, highlighting opportunities to gain efficiencies, accuracy and responsiveness by employing a more responsive ERM solution, to demonstrate how this favorably impacts risk management and program value.</li>
<li>Offer your situation as a trial test of a new solution’s ability to deliver more, with less support, while preserving quality, increasing alignment to your current state, and improving timeliness; all effectively increasing and returning value for investment while strengthening operating resilience. These are brand and bottom line contributions you can measure.</li>
</ul>
<p>Demonstrating that your risk management program returns value to the business requires careful alignment of program objectives and operating business goals. You would have implicitly done some of that through your effort to determine requirements for your ERM solution. It also makes sense to examine the design of your organization to see how to best model its nature and culture in the ERM processes of your solution offering. Being able to demonstrate that alone can make a solution very appealing to management. And if a small-scale solution can be extended in features and scope by building upon an initial implementation, rather than discarding and re-deploying a solution under a different configuration, that’s a real win for you and for Finance, and it will be very attractive to your IT organization, particularly if they participate in those efforts. Lastly, being able to respond directly to management requests for reports, charts and other analytical information, without filing into an IT processing queue, will be a bonus for all.</p>
<p><strong><span style="color: #3366ff;">Identifying Alternatives</span></strong><br />There’s already an enterprise solution in place. And for any number of reasons, it’s not enabling your risk management program efforts, but adding to its burdens and obstacles. Evaluating ERM solutions in the marketplace that meet the requirements you’ve documented may seem at once daunting yet unavoidable. There are approaches that may reduce the task in size and duration. You know your requirements: don’t compromise. That will narrow your field quickly and dramatically. Seek providers who will offer a hosted solution, reducing reliance upon any IT resources and time to deploy. See if there’s a sandbox or field test option to try, and take the software for a spin on a trial basis. If not, there may be other options offered by your vendor. Remember, you’re really seeking a nimble but fully functional ERM platform that will do what you need now, and give you control and operating autonomy. <img decoding="async" class="size-medium wp-image-3235 alignright" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/12/Dec-CA-box1-1-300x194.jpg" alt="" width="300" height="194" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/12/Dec-CA-box1-1-300x194.jpg 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/12/Dec-CA-box1-1-150x97.jpg 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/12/Dec-CA-box1-1-768x496.jpg 768w, https://www.doublechecksoftware.com/wp-content/uploads/2022/12/Dec-CA-box1-1.jpg 860w" sizes="(max-width: 300px) 100vw, 300px" />The best offerings will support your expansion in features to other areas or to manage larger organizations by growing your base install, not retooling everything from scratch. Include reporting and data analysis features that are simple to use in your search. A big part of the value you’ll enable will be timely reporting and risk guidance to leadership. It&#8217;s an area where a tangible demonstration of why you are deferring use of the 10,000-pound instantiated ERM solution can be made. Also, your ability to operate without dramatic resource drain, relying upon a configuration approach to tailor workflow, naming, automated process features and output management, will go far in showing gains in timely responsiveness to change. These are always areas of weakness for oversized, overdeveloped enterprise implementations.</p>
<p>From this vantage point, you should have clear artifacts to support your initiative to bring responsive, comprehensive, value-generating ERM services to your business in a clear, cost effective and efficient manner, demonstrating a model for operation and growth that’s compelling for today and tomorrow.</p>
<p><strong><span style="color: #3366ff;">Enter DoubleCheck ERM One™</span></strong><br />ERM One™ is a revolutionary, yet straightforward, application that builds upon the lessons in Enterprise Risk Management (ERM) that DoubleCheck, over time, has been privileged to learn from its clients. In short, ERM One™ incorporates into one intuitive, turnkey application the best-practices tools and content to help optimize the crucial discipline of Enterprise Risk Management (ERM) and thereby put your firm on a path to achieving its strategic business objectives. DoubleCheck fully understands and supports the merits of ERM and the benefits of its adoption by all companies.</p>
<p>ERM One™ follows the Best Practices of Risk Management. It is predicated on the understanding that there are three attributes of an effective ERM Solution (Product, Process and Content). These attributes, in combination, deliver the critical services, tools and capabilities that companies require to tactically execute upon the four elements of day-to-day risk management (Identify, Assess, Mitigate and Monitor) with efficiency and effectiveness.</p>
<p>DoubleCheck has structured the tool in a modular manner, with options available to add incremental GRC functions or advanced business intelligence (BI) capabilities to extend functionality. Further, services and features are highly integrated into one package. Reporting is embedded rather than independently aligned to content and processes, making the risk management practice a seamless effort rather than a disjointed one. It is delivered as an immediately-operational ERM platform, through a unified combination of its:</p>
<ul>
<li>Product – automated workflows; embedded business intelligence; project management; automated notifications; system generated heat maps, comprehensive risk reports, navigation through visualization; assessments; documentation management</li>
<li>Process – risk identification, quantification, mitigation documentation, reporting and review</li>
<li>Content – pre-populated (“running start”) risk universe, risk categorization, rating scales, individual controls by line of defense</li>
</ul>
<p>Want to trial ERM One™? Here’s what you’ll get:</p>
<p><strong>Key Features:</strong></p>
<p>The DoubleCheck ERM One™ trial includes all components of our innovative, turnkey ERM solution:</p>
<ul>
<li>risk structure pre-configuration</li>
<li>risk content pre-population</li>
<li>risk process integration</li>
<li>modular construction, capable of significant functional enhancement</li>
<li>embedded reporting and robust business intelligence (BI)</li>
<li>navigation through visualization</li>
<li>alignment to ERM standards and best practices</li>
</ul>
<p>Here are ten (10) top reasons to try ERM One™ at your firm:</p>
<p><img loading="lazy" decoding="async" class="alignnone  wp-image-3228" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/12/Top-10-for-Trial-300x143.jpg" alt="" width="600" height="286" /></p>
<p>About the Author:<br />Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>





<p>The post <a href="https://www.doublechecksoftware.com/your-embedded-erm-infrastructure-may-have-become-a-risk-enablerwhat-you-can-do-about-it/">Your Embedded ERM Infrastructure May Have Become A Risk Enabler…What You Can Do About It</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/your-embedded-erm-infrastructure-may-have-become-a-risk-enablerwhat-you-can-do-about-it/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3221</post-id>	</item>
		<item>
		<title>Building A Risk Management Program—The Risk Register</title>
		<link>https://www.doublechecksoftware.com/building-a-risk-management-program-the-risk-register/</link>
					<comments>https://www.doublechecksoftware.com/building-a-risk-management-program-the-risk-register/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 01 Aug 2022 21:47:05 +0000</pubDate>
				<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[White Paper Blogs]]></category>
		<category><![CDATA[risk register]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2917</guid>

					<description><![CDATA[<p>Subconsciously, we all manage risk throughout our daily lives. We pack an umbrella in case it rains, (unless we live in the Pacific Northwest where that’s considered unnecessary). We check our car tire pressure and fluid levels before a long road trip. We bring along water for a summer hike, and so on. You can<a href="https://www.doublechecksoftware.com/building-a-risk-management-program-the-risk-register/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/building-a-risk-management-program-the-risk-register/">Building A Risk Management Program—The Risk Register</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
					<content:encoded><![CDATA[<p>Subconsciously, we all manage risk throughout our daily lives. We pack an umbrella in case it rains (unless we live in the Pacific Northwest, where that’s considered unnecessary). We check our car tire pressure and fluid levels before a long road trip. We bring along water for a summer hike, and so on. You can think of many more. But when it comes to our business lives, we sometimes find ourselves staring at a blank screen when it comes to taking the first step in structuring a risk management program. So, here’s a suggestion: begin by crafting a Risk Register. An easy statement to make, so let’s continue on and examine just how to go about making, refining, and maintaining one, and then how to use it as a building tool to get tangible value from your risk program.</p>
<p><span style="color: #3366ff;"><strong>Establish A Business Context</strong></span><br />Often overlooked, this is a vital beginning step to assure business relevance and promote meaningful dialogue with company leadership. Examine the business basics of your company, specifically who you are and what you do. Answering the following types of questions can help you document those business basics:</p>
<ul>
<li>What are your core products and services?</li>
<li>What are your key strategic objectives (i.e., capital accumulation, liquidity, reputational excellence, service leadership, etc.)?</li>
<li>How do leadership and other stakeholders measure value (i.e., revenue, earnings, stock appreciation, sales volume leadership, brand recognition, to name a few)?</li>
<li>How is this value created?</li>
<li>What places strategic objectives, operating performance, and resulting value at risk?</li>
<li>What is the scope of your risk program (enterprise, organizational unit, business segment, other)?</li>
</ul>
<p>Once you’ve done this evaluation, examine the content. Pay particular attention to the terminology and language that works best to communicate these answers clearly. Take some time to vet your responses with others to assure they are clear, concise, and accurately reflect your company and its business. These should be terms you continually reference when describing, reporting, and discussing risk in all your communications. Words matter. Everyone needs to be on the same page with regard to risk.</p>
<p><span style="color: #3366ff;"><strong>Define Risk</strong></span><br />There is art and craft to doing this effectively. If defined at too granular a level of specificity, it becomes unmanageable; conversely, if done too broadly, the definition evaporates into meaningless messaging. This is where your business context becomes a helpful tool. One solid definition could be the “effect of uncertainty on the achievement of objectives.” You may also find it useful to look at each core objective and ask, “what events or situations might hinder or thwart the achievement of this objective?” You may think of other questions to help you explore risks. For instance, consider value chains. These are situations where one operational event or outcome may lead to a series of others that result in a negative impact upon a seemingly unrelated area. An example would be:</p>
<p>Scheduled maintenance updates to patch a group of data servers fall behind plan, leading to a short term outage in scheduling software and requiring manual operation. This, in turn, results in delayed and missed product deliveries contributing to a decline in product revenue for the period.</p>
<p>Generally, server maintenance isn’t viewed as an item that is clearly linked to revenue. But such linkage can occur, and the circumstance cited is actually a reflection of one company’s past experience. Having stakeholders with a deep knowledge of your operations and their process integration can help reveal some of these risk situations. Understanding and identifying such relationships in value chains can also assist in the development of mitigation plans to help address likelihood and/or severity (in this case, by completing patch updates to servers). In some disciplines, this kind of thinking is referred to as “systems thinking”.</p>
<p>Expressing risks in terms of their impact upon operational achievement of objectives is a way of establishing clear relevance to senior leadership, those individuals who are responsible for allocating resources to your program to help mitigate and manage identified risks, and sponsor remediation efforts to manage them. They are the key decision-makers who establish budgets and allocate resources.</p>
<p><img loading="lazy" decoding="async" class="alignnone  wp-image-2923 alignleft" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/08/IAMM-PPC-Aug2022-300x298.png" alt="" width="237" height="235" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/08/IAMM-PPC-Aug2022-300x298.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/IAMM-PPC-Aug2022-150x150.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/IAMM-PPC-Aug2022-73x73.png 73w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/IAMM-PPC-Aug2022-174x174.png 174w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/IAMM-PPC-Aug2022.png 335w" sizes="(max-width: 237px) 100vw, 237px" />Once you’ve built your preliminary set of risks to objectives, you will then be in a position to enlist operational stakeholders as actual risk owners, individuals who are subject matter experts (SMEs) and who can add detail and specificity with respect to core disciplines. These should include, but not specifically be limited to, IT, Finance, Audit, Operations, Product Development, Support Services, Procurement, Third Party Management, Regulatory Compliance, and Facilities. Their input, aligned to your business practices and culture, will form the basics of your Risk Register. A crucial part of the risk survey process will be to ask what’s actually in place now to mitigate these risks. Keep those answers for consideration of controls, which you may map against regulatory or contractual obligations.</p>
<p><strong><span style="color: #3366ff;">Process &#8211; Integrate The Register From the Bottom Upward</span></strong><br />Make no mistake &#8211; your risk register is the foundational pillar for establishing an Enterprise Risk Management (ERM) program. It needs to be installed, embedded and thoroughly integrated throughout an organization in order to:</p>
<ul>
<li>Assure the active management of risks as a process</li>
<li>Set priorities and actionable resource allocation to address risk</li>
<li>Uncover and oversee the mitigation of the universe of risks</li>
<li>Expose any hidden, value-adding opportunities</li>
<li>Demonstrate itself as a usable, independent but integral regimen (not as a stand-alone, ivory-tower hypothesis), in order to maximize its contribution to the company’s mission</li>
</ul>
<p>Very simply, consistent with the establishment of the risk register, the mission statement for an ERM program can be stated as</p>
<p>“…the process to identify, assess, mitigate and monitor all enterprise-wide risks that might impair the company’s ability to achieve its strategic business objectives.”<br />We’ve talked about the functions, processes and features of an ERM solution in many of our other blogs. A vital point: your ERM solution should clearly be understood as stand-alone and not a mere adjunct to other corporate functions, like compliance or internal audit. It is a discipline of its own and needs to be strategically designed and tactically executed, on an iterative (day-in-and-day-out) basis, using a risk register vehicle that is:</p>
<p><img loading="lazy" decoding="async" class="alignnone  wp-image-2932" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Circular-Aug2022-300x200.png" alt="" width="503" height="335" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Circular-Aug2022-300x200.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Circular-Aug2022-1024x684.png 1024w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Circular-Aug2022-150x100.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Circular-Aug2022-768x513.png 768w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Circular-Aug2022-1536x1026.png 1536w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Circular-Aug2022-2048x1368.png 2048w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Circular-Aug2022-750x500.png 750w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Circular-Aug2022-272x182.png 272w" sizes="(max-width: 503px) 100vw, 503px" /></p>
<p>Going one step further, this Risk Register is not just a “nice to have” choice but rather a corporate initiative that is:</p>
<ul>
<li>Urgent – tomorrow is not soon enough</li>
<li>Mandatory – avoids potential catastrophe and/or dereliction of duty</li>
<li>Foundational – risk register “buckets” (causes, consequences, controls and key risk indicators) and metrics (severity, likelihood, and velocity) inform the components of ERM actionability – identification, assessment, mitigation and monitoring</li>
<li>Collaborative – content provides operating managers and staff with a consistent framework and language to structure risk related actions and report accomplishments, issues, and recommendations.</li>
<li>Connected – to the success of strategic objectives</li>
<li>Value-oriented – satisfying myriad needs across a wide spectrum of stakeholders, such as:</li>
</ul>
<p><img loading="lazy" decoding="async" class="wp-image-2936 aligncenter" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Table-Aug2022-300x81.png" alt="" width="489" height="132" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Table-Aug2022-300x81.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Table-Aug2022-150x40.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Table-Aug2022-768x207.png 768w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/Table-Aug2022.png 864w" sizes="(max-width: 489px) 100vw, 489px" /></p>
<p><strong><span style="color: #3366ff;">Content &#8211; Applying Controls and Frameworks</span></strong></p>
<p>Examining all the attributes of the risks you’ve identified in your register allows you to accomplish two important tasks. First, you can readily see the reliance on, or the impact of, mitigation for each risk. The sum total of mitigation serves to reduce inherent likelihood and severity to their current residual level. Secondly, you can use a framework to see if there are any significant gaps in your register you might want to address.</p>
<p><strong><span style="color: #3366ff;">Process and Product &#8211; Enter The Risk Assessment</span></strong><br />If there is one activity most often used to define the core of ERM, the one aspect that is most readily identifiable and recognized, it’s the risk assessment! This is the action step that drives mitigation and helps prioritize monitoring. This is where your risk “health” is determined. If your risk register is a thermometer, this is where you take your company’s temperature. The assessment critically evaluates which of the risks in your universe are appropriately addressed and where additional mitigation is most urgently needed. The findings of the assessment define your current state in the context of your business’ needs and goals, and drive your program’s response. The features of the tools you use to do this, through your GRC platform or whatever else you might use, are all focused upon a review of the content of the register and a determination of risk to your business by designated risk owners, with stated accountability. The information needs to be intentionally focused on a select few attributes (likelihood, severity, direction and velocity), and metrics need to be straightforward and clearly understood. Very importantly, you also need reporting tools to organize, analyze, and present the data as meaningful messages.</p>
<p><strong><span style="color: #3366ff;">Product &#8211; Reporting</span></strong><br />You’ve built your register, supplemented content, assessed your risk, and now you need to share what you’ve learned with decision makers and stakeholders. If you are working with a GRC tool where reporting is embedded within, where standard reporting, such as the generation of heat maps, counts and lists of most critical risks and such is generated right from your assessment data, that’s a strong beginning. If not, you want to generate visual and narrative statements of findings that answer some basic questions:</p>
<ul>
<li>What are our most significant risks?</li>
<li>Which are most likely to have significant events occur?</li>
<li>Where are they located?</li>
<li>How are they prioritized, using enterprise-wide rating scales?</li>
<li>What is the current residual state (after controls) for each risk?</li>
<li>What will it take, in terms of additional resources, to further mitigate them?</li>
</ul>
<p>There are countless additional questions that can be asked, based on the fulsome risk surveys received from subject matter experts. These further inquiries are healthy and will drive further conversation. Visualization is important to helping non-technical executives understand your assessment findings in business terms. It’s exactly why you built your register in the context of the business’ goals and mission. Further, you need a controlled and secure means of publishing and distributing this important information to key stakeholders. Risk assessment findings reports often contain highly confidential information, and you need the capability to manage publication and distribution carefully. Your Board of Directors, as well as your Executive Committee, are accountable for addressing and managing risk to their shareholders, regulators, customers, and other stakeholders. ERM is the discipline, and the risk register is the most valuable tool, that provides all of these varied stakeholders with the information and guidance to make quality decisions to manage and mitigate risk effectively.</p>
<p><strong><span style="color: #3366ff;">Product—Process—Content: The DoubleCheck Standard</span></strong><br />While this, and many other blogs here, offer guidance on many risk management issues, they all point towards the benefit of utilizing a quality GRC tool to support execution. DoubleCheck understands that these three attributes of a GRC (Process, Product, and Content) are essential to delivering the critical services, tools, and capabilities companies require to tactically execute upon the four elements of day-to-day risk management <strong>(Identify</strong>, <strong>Assess</strong>, <strong>Mitigate</strong>, and <strong>Monitor)</strong> with efficiency and effectiveness. Further, services and features are highly integrated into one package. Reporting is embedded rather than independently aligned to content and processes, making the risk management practice a seamless effort rather than a disjointed one. Whether as out-of-the-box core functionality, as a streamlined front end to a larger enterprise (ERP) offering, or as an expansive, dedicated implementation tailored through configuration to fit your company’s needs, DoubleCheck offers product, processes, and content designed to support all your enterprise risk management needs.</p>
<p>The next blog will expand upon the various use cases that can greatly benefit from a pre-populated, fully integrated ERM solution.</p>
<p><img loading="lazy" decoding="async" class="alignnone  wp-image-2944" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/08/UCsAug2022-300x164.png" alt="" width="580" height="317" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/08/UCsAug2022-300x164.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/UCsAug2022-150x82.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/08/UCsAug2022.png 530w" sizes="(max-width: 580px) 100vw, 580px" /></p>
<p>About the Author:<br />Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>


<p>The post <a href="https://www.doublechecksoftware.com/building-a-risk-management-program-the-risk-register/">Building A Risk Management Program—The Risk Register</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/building-a-risk-management-program-the-risk-register/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2917</post-id>	</item>
		<item>
		<title>Cyber Security and Risk Management—Who’s Responsible</title>
		<link>https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/</link>
					<comments>https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 15 Jul 2022 14:07:44 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[#erm]]></category>
		<category><![CDATA[#tprm]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[risk register]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2904</guid>

					<description><![CDATA[<p>There’s a lingering belief that these are IT management concerns. That lingering belief is founded upon a “perceived reality” of a business operating in an environment where IT was little more than a contributing discipline to complete tasks and deliver efficiency. It made some narrow sense in a world free of cyber anything, pre-internet, where<a href="https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/">Cyber Security and Risk Management—Who’s Responsible</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>There’s a lingering belief that these are IT management concerns. That lingering belief is founded upon a “perceived reality” of a business operating in an environment where IT was little more than a contributing discipline to complete tasks and deliver efficiency. It made some narrow sense in a world free of cyber anything, pre-internet, where digital transformation, mobile devices, bots, malicious actors, malware, ransomware, and threats from hostile government actors were relegated to science fiction thrillers. None of us live in that world today. And burying our collective heads in the sand will not change that. Nor will glasses tinted any shade of rose. Cybersecurity and its related risk management activities are a management concern. They are part of comprehensive oversight, governance, guidance, and strategic leadership. So, how well do your company’s culture and organizational structure reflect that contemporary reality?</p>
<p><span style="color: #3366ff;"><strong>Where Do Your CIO and CISO Sit?</strong></span><br>Snarky responses aside, access to the rest of your company’s executive team is an important attribute of your cyber risk management and security program. If your organization’s structure has them reporting to other C-level roles, you have established a potential barrier to clarity, transparency, and responsiveness. This is not in any way a slight to any other C-level role, but a simple statement of operational, procedural, and behavioral fact. It also sends a clear message to the rest of the organization that security and risk management are a secondary concern. That may create an additional hurdle for risk and security initiatives as middle managers place more resources and attention on requests from those “higher level” executives, deprioritizing ones from your CISO and CIO according to the organizational pecking order. Giving your CIO and CISO a seat at the executive table makes a number of high-value contributions to your company:</p>
<ul>
<li>Enables them to establish and validate their roles as important strategic components of your company’s success.</li>
<li>Communicates the importance of security, cyber risk, and technology to the entire firm.</li>
<li>Gives your CIO and CISO firsthand exposure to other disciplines, issues, and management concerns so they can participate in developing strategy and measuring achievement of business goals.</li>
<li>Affords open discussion among all C-level executives of how cyber risk, security, and technology contribute to and add value to the company’s business achievement.</li>
<li>Reinforces and encourages representation of technical, security, and risk matters in terms of business impact rather than esoteric tech-speak.</li>
<li>Affords direct communication so incidents and issues are addressed with greater timeliness and efficiency, strengthening overall business resiliency during unforeseen events.</li>
</ul>
<p><span style="color: #3366ff;"><strong>Leadership By Enablement</strong></span><br>Often, when we think about goals, achievement, and leadership, it’s from a fairly internal perspective, answering the question “What do I want to do?” Let me offer an alternative perspective. Consider the answer to the question “What do we need to be successful?” The answer is often fairly broad. But drilling into those generalized answers quite often yields presumptions of reliability, persistence, accuracy, validity, and resilience, to name some attributes. These may depend upon processes, tools, technologies, people, partners, and even regulators or providers of basic infrastructure such as transportation, energy, or communications. Many of those attributes, often just assumed to always be reliably present, can be and often are the victims of cyber attacks, weak security, and lax attention to practices that would otherwise thwart or at least minimize the risk of their compromise. Information technology and security leaders are well attuned to the vulnerabilities and threats affecting the resources other leaders presume will be reliably present as they manage and deliver their own contributions to business goals. By placing them into the discussions where plans and direction are developed at the senior executive level, businesses enrich planning with a fuller view of issues and opportunities, and a more complete understanding of the resources necessary to achieve outcomes.</p>
<p><strong><span style="color: #3366ff;">Who Manages Your GRC?</span></strong><br>The CISO and CIO roles are not the do-all end points of everything related to cyber risk and security. A governance, risk, and compliance (GRC) manager is more than someone responsible for administering a software tool, conducting risk assessments, and reporting findings. Often this is a leadership role supporting those C-level executives and others, one responsible for the design, development, staffing, and operation of enterprise-wide delivery of many security and risk related services and processes. Often this role takes the lead in security awareness training, both content and delivery. Incumbents also work with other compliance managers and management to assure that current and upcoming products and services meet established obligations. This may include interactions with external auditors, regulators, and third parties. Your GRC manager is at the focal point of your compliance, risk, and governance processes. Often s/he will be the primary author of your governance practices and compliance efforts, manage risk assessments, and serve as a valued participant in the implementation, delivery, and monitoring of data protection, authentication, recovery, and resiliency programs.</p>
<p><strong><span style="color: #3366ff;">Extended Boundaries</span></strong><br>There are two more questions, whose answers help define the extended scope of your risk, security, compliance and governance roles:</p>
<ul>
<li>Who is responsible for third party risk management (TPRM)?</li>
<li>Who is responsible for risk, governance, and compliance oversight when acquisitions are under consideration?</li>
</ul>
<p>The ideal answer to both should be your GRC manager, under the executive guidance of a CIO or CISO who is part of the executive team and has visibility to the Board of Directors. But is this the case in your firm? There are many moving parts to TPRM. Certainly, your procurement practices are key components. Onboarding and offboarding procedures necessarily entail information exchanges to assure proper vetting of third party candidates. This goes well beyond fiscal health, service and product quality, timeliness, and contract negotiation. How well integrated and informed are these practices by the risk, information security, and compliance expertise within your company? Is reliance upon critical partners a foundation of your resiliency, recovery, and incident management strategies? How do these processes and programs integrate to assure your leadership that your third party engagements preserve, and maybe even enhance, the presumptions of reliability, persistence, accuracy, validity, and resilience where those relationships integrate with your operations? Your procurement professionals, no matter how experienced, would gain value and support from integration and engagement with the risk, security, regulation, and compliance expertise offered through GRC leadership.</p>
<p><strong><span style="color: #3366ff;">And Then There’s The GRC Platform</span></strong><br>A GRC platform is a critical technology tool that enables and strengthens these business and operational practices. For many who have followed these blogs this assertion will seem obvious, as will the observation that GRC platforms facilitate data integration, validation, and reporting. There are other, equally important but less recognized opportunities that a GRC platform makes easier to pursue. A GRC platform is well suited to store, maintain, and serve as a consolidation point for compliance, risk, and related process and remediation project data. Feeds from incident management, audits, compliance reviews, remediation projects, risk assessments, and more can all reside logically within its data stores. Using the GRC platform as the single authoritative source for such data also simplifies data security, validity, distribution, and resiliency practices. Whether the system relies upon cloud storage or more traditional means, there are tools and services available to assure data management and integrity. Much of the content of a GRC system is likely sensitive and would be considered highly confidential. Consolidating it makes technologies such as data loss prevention (DLP), tighter multifactor authentication and access management, and backup and restoration services more economical to implement and operate.</p>
<p>Analysis, data mining, and reporting are facilitated by consolidating related GRC data streams onto the stores of your GRC platform. Data analysis tools can easily relate alternative data views of specific operating practices or organizations, and identify discrepancies between them. You can also explore specific controls or risks to see where recommended practices are consistently ignored. Doing so points out potential problems with control design, implementation, or understanding, which affords focused and positive remediation strategies. Control management is an important aspect of risk management, one that’s often overlooked in binary pass/fail scoring. That’s why risk registers are an important design element of your risk and security programs.</p>
<p><strong><span style="color: #3366ff;">Don’t Forget The Risk Register</span></strong><br>Remember that your risk program needs to identify, assess, mitigate, and monitor risk to demonstrate “management”. Having a list of risks, whether identified through risk statements, measurements of control adherence, findings of audits or compliance reviews, or other sources, offers a scaffold upon which to design and construct your risk program. It’s a tool that presents context, direction, and definition, while also helping to manage scope and measure maturity. Risk registers aren’t static. They need to be elastic and flexible to reflect the changing nature of your business and the threat environment you operate within.</p>
<p>The risk register’s content is something your own senior risk and security leadership must work to explain to other senior business leadership, gaining consensus on its alignment with your company’s goals and mission. This needs to be an ongoing dialogue, and the exchange of ideas, opinions, priorities, and concerns is one reason why senior information technology, risk, and security professionals need a seat at executive leadership meetings. These experts need to understand the perspectives of the business from the views of operations, finance, marketing, compliance, product and brand management, and more. Likewise, those business leaders need to understand the integration of their own processes with those of their technology, risk, and security peers.</p>
<p>Without question, alignment of business goals with your risk register is a key foundational step to building, developing, and managing a comprehensive risk program that’s relevant and effective. But more on that in an article to come.</p>
<p>About the Author:<br>Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he has led efforts to achieve ISO 2700x certification and HIPAA compliance, and has held the CRISC, CISM, and CISA credentials.</p>
<p>The post <a href="https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/">Cyber Security and Risk Management—Who’s Responsible</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2904</post-id>	</item>
	</channel>
</rss>