Three Prerequisites of Managing Enterprise Risk Effectively
1. Establish the Right Risk Management Strategy and Processes
2. Manage Risk Across the Three Lines
- Operational Management: Risk is understood, taken, and owned by the first line of operational management. Since front-office (first-line) employees and managers are the people who make risk and compliance decisions every day, they can either protect the organization or expose it to unwanted issues. Hence, it is essential to educate them with effective training on policies, on what constitutes acceptable and unacceptable risk, and on how to report issues and incidents.
- Risk and Compliance: Risk management is coordinated, analyzed, and modelled by the second line, comprising the risk, security, and policy owners and managers. This second line facilitates conversations with the first line while ensuring that the policies it brings into force are current and understood across the organization. It works toward defined processes and technologies to govern policies and to implement an effective policy management lifecycle.
- Assurance through Audit: The third line of defense, comprising audit and assurance professionals, provides assurance and validation on how risk is taken and managed in the organization. These assurance professionals ensure that policies are appropriately managed, communicated, and implemented across the organization. They work toward maintaining integrity, mitigating risk, and reliably achieving organizational objectives.
3. Use both Left-brain and Right-brain Thinking
Organizations also need to approach risk management with both left-brain and right-brain risk thinkers. Historically, risk management has been influenced by left-brain thinking about risk: structured risk models, simulations, and analyses. We always try to put uncertainty and risk in a box. As long as that box is close to reality, our analysis can be fairly sound.
Good risk management involves structured thinking about risk, backed by robust data and analysis, but it also needs creative thinking. Business is complex and dynamic, and there are many variables that can hamper an organization from achieving its objectives. Some of these are fairly evident and real; others are abstract, remote, and hidden in the weeds of the organization. Creative thinking about risk starts with good risk models from the structured risk thinkers, and then asks, out of the box, how those models fail or what they do not cover. Right-brain risk thinking relies heavily on visualizing risk and working through risk scenarios.
The Bottom Line
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC). With 28+ years of experience, Michael helps organizations improve GRC processes and choose technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in 2002 while at Forrester.