Some form of risk management occurs on a daily basis in any organization currently in business. In many enterprises, risk management activities are ad hoc, compliance-based, focused on the latest threat in the news, uncoordinated, and reliant on arbitrary means for analyzing whether the risks warrant any action. As a result, enterprises are not benefiting from a systematic, coherent means to manage the risks that have the greatest potential for business impact.
Risk management is the process of identifying, analyzing, and responding to conditions throughout day-to-day enterprise operations with an eye on meeting the business or mission objectives developed in the strategic planning process. Enterprises often take on a certain amount of risk, defined as their risk appetite, in order to achieve one or more objectives. This risk-taking can have a positive or negative impact on the enterprise and must be managed within limits, or risk tolerances, so that the enterprise knows what actions or behaviors are necessary to achieve success and minimize negative consequences.
Including risk management as a focus area of the broader enterprise governance activities is necessary to align the stated mission, vision, values and actions of the enterprise with the management activities needed to ensure those objectives are met. The responsibility of effective governance is to align risk behaviors with the organization's risk appetite and tolerance. If your board or other senior leadership governance committee is only receiving information on risks from the audit committee, then there is a lack of understanding of the difference in roles between risk management and audit. Each area, risk management and audit, has a role to play in the organization, but senior leaders cannot expect to understand the totality of the risks the enterprise faces from audit committee internal control and compliance-related reporting alone.
Whether your organization is just getting started with a more formal risk management process or you have a process but want to make sure it is aligned with best practices, there is a new ISACA publication, Getting Started With Risk Management, that can help. The guide is intended to build awareness of the risk management process and is not focused on control selection or internal control deficiencies as contributing to risk. The paper’s reviewers are primarily risk practitioners, and I believe this guide has the potential to improve the effectiveness of your enterprise through the implementation of sound risk management processes.
As you read the publication and begin to use it in your enterprise, please feel free to pass along constructive feedback and leave it in the comment section of this post. This will allow us to understand what worked well and what could be improved. In the meantime, we hope this guide is beneficial to you and your organization.