Who is Responsible for Enterprise Risk Management?
This post is the first of our GRC 101 series, which will provide an entry-level overview of the business of governance, risk, and compliance. The first three posts will unpack GRC itself, starting with Risk Management.
Governance, Risk, and Compliance, typically shortened to GRC, refers to a company's coordinated strategy for managing the broad issues of corporate governance, risk management, and compliance with regulatory requirements.
In this post, we’ll take a closer look at one of these pillars: Risk Management.
What is risk management? Most people can answer that question in a generally applicable way. At its highest level, it covers any measure taken to avoid or limit the chance of a bad outcome, such as wearing a hard hat in a construction zone or buying insurance in case of a flood.
In a business context, things get a bit more specific. Let’s start with a definition:
Definition 1: Risk management is the ability to effectively and cost-efficiently mitigate risks that can hinder an organization's operations or ability to remain competitive in its market.
Meanwhile, the Open Compliance and Ethics Group (OCEG) offers a more comprehensive definition:
Definition 2: Risk management is the system of people, processes, and technology that enables an organization to:
The application piece is where things get complicated. First, consider the full range of risks a business has to account for. Examples of potential risk areas include financial risk, credit risk, market risk, strategy risk, operational risk, fraud risk, reputational risk, information security risk, technology risk, compliance risk, and natural disaster risk. Within information security risk alone, you have security breaches, data loss, cyber attacks, and system failures, to name but a few.
An effective risk management process will help identify which risks pose the biggest threat to an organization and its resources, and provide guidelines for handling them. But that’s just the start. Risk Management can be divvied up into three steps: risk assessment and analysis, risk evaluation, and risk mitigation. Let’s take a closer look at each.
So who is responsible for enterprise risk management? It depends on the company.
At small companies, there may be no one designated to assess and manage the company's risk. At larger enterprises, there is typically a department whose sole job is to monitor the company's changing risk profile and put processes in place to manage it. The heads of such departments often hold titles such as Chief Information Security Officer (CISO) or Chief Risk Officer (CRO), while staff further down the organization hold titles like Risk Analyst or IT Security Manager.
Effective assessment, analysis, and management of an organization's risks pays dividends in a multitude of ways. It helps protect assets, improve decision making, and optimize operational efficiency. As a good steward of risk, the company can invest time and resources with a clear understanding of all potential outcomes—including the downsides. It’s a fundamental part of any company’s strategy to attain its goals.
For more on Risk Management, check out LogicGate's enterprise risk management solution or download our eBook on How to Build Organizational Support for ERM.