What is a risk—really? Does your risk profile make you look fat? What’s the difference between a mitigation and a response? Is a risk treatment something you get at a day spa, or two aspirin? If I have a big risk appetite, can I eat two desserts for dinner? Does governance really come in “layers?” Or is that an onion? Are ARMS, COSO and AS/NZS something on an eye chart?
At a recent conference, it wasn’t difficult to identify a range of problems faced by enterprises:
- Too little value from business-IT investments
- Too much risk for the return we are getting
- Slow decision making
- Project overruns and delays
- Lack of stability, availability, protection and recoverability
- Compliance surprises
These problems all cost enterprises time and money. This cost is especially painful in tough economic times when people are losing jobs at the same time that this waste is building up and revenue opportunities are being lost.
To address these problems, enterprises are looking for a better way. Because they are looking for “what works” and don’t want to “reinvent the wheel,” more leaders are turning to industry open best practices. Yet, in looking at the options, more questions are raised:
- Isn’t “governance” just more bureaucracy?
- What exactly is “governance”?
- What is “GRC?”
- My boss doesn’t want to pay for just “compliance.”
- We’re doing both network/firewall and access control risk management; is there anything left to do in IT risk management?
- As an IT leader, how can I better bring business leaders to the table on requirements and timelines?
- I bought a software package, but I am not getting much value out of it; how can I increase the value?
Frameworks and best practices offer big benefits because of how the good ones are designed and how they can be used. The key is selecting the right ones and blending them together to meet your business needs. Through clarity (and knowing where clarity doesn’t quite yet exist), you can learn how to use frameworks to help you more easily communicate and drive progress, without tripping over terminology.
I'll discuss this topic in greater depth at ISACA’s Virtual Tradeshow and Seminar on 22 June. This free online event, titled Building a Better GRC Program, will allow you to participate in live, educational sessions presented by knowledgeable experts; ask questions and interact with speakers and sponsors; and connect one-on-one with other industry professionals, ISACA members and staff. A resource center, complete with additional information and materials such as white papers and ISACA Journal articles, will also be available to you. Attendees can earn up to four free continuing professional education credits (CPEs).
Other presenters at the ISACA virtual event include Christopher McClean from Forrester, who will discuss how to understand and select GRC technology; Eric Holmquist from Holmquist Advisory, who will explain how to perform information security risk assessments; and Richard E. Mackey from SystemExperts, who will talk about the evolution of compliance programs.
Brian Barnier, with ValueBridge Advisors, has a practical and action-oriented perspective with his experience in business lines, IT and risk management. He serves on multiple best practice committees, including OCEG’s GRC “Redbook” 2.0, and ISACA’s Risk IT and COBIT 5. He is one of the select OCEG Fellows, writes widely, and contributed to Risk Management in Finance (Wiley, 2009). For ISACA, he chairs the IT Governance, Risk and Compliance Conference. He can be reached at firstname.lastname@example.org.