5 Questions Every Risk Professional Should Be Able to Answer for Their Board
Matt Kunkel | July 1, 2021
As a risk professional, you know that risk is everyone’s business: across departments and across roles, everyone plays a part in ensuring that your organization is managing and mitigating risks appropriately. When it comes to sharing information and analysis about your organization’s risk with the board and executive team, knowing what you should report on is essential, both to convey accurate information and to provide the insights they need.
On a recent episode of LogicGate’s podcast, GRC & Me, Emily Heath, Chief Trust and Security Officer at DocuSign, shared the five questions risk professionals need to know the answers to when talking with the board or the executive team.
These five questions are:
What is it that matters the most?
Where does it sit in the environment?
How are we currently protecting it?
Where are we most at risk?
How resilient and prepared are we to deal with something going wrong?
These five questions, if answered well, prove you know everything you need to know about the business, Emily explained: “The board wants to know that you have a full understanding of your environment.”
But how exactly can you go about answering these questions?
What matters the most: this question addresses the internal processes which generate both financial and non-financial outcomes. For example, these could be critical knowledge transformation processes or maybe a physical process. You should be able to articulate all of the specific critical processes for the organization while acknowledging that others are important but not critical to resilience.
Where does the critical process sit in the environment: this is less straightforward than you may first imagine. Where does a knowledge transformation process occur? Is it in the servers or within the roles of specific individuals? Are these people centrally located, or are they distributed, working from home, or even out delivering your products? Getting to grips with the physicality of what matters is central to building resilience and embedding agility.
How are these processes protected: protection comes in two forms: prevention of occurrence and reduction of impact. Preventative measures should always take precedence, either to avoid the event in the first place or to minimize the likelihood of an event occurring. Impact-reduction measures should seek to minimize an event's impact both physically and financially, with insurance being considered the final element if all previous mitigation strategies fail.
Where are we most at risk: often presented graphically as a risk matrix, this is one of many tools that can help communicate risks to the board. However, care needs to be taken, as low-likelihood, high-impact risks (such as COVID-19) are often overlooked compared to high-likelihood, high-impact risks. All risks with a high impact, regardless of their likelihood, should be considered in detail.
Are we prepared to deal with something going wrong: this is an essential question if the board's full confidence is to be obtained. The traditional route to determine the degree of resilience is to undertake a desktop exercise based on various scenarios and stress-test the process. An alternative is to conduct a pre-mortem: assume a critical process has already failed, then work backward to determine the cause of the failure. This backward-looking approach often yields unexpected results.
A Web of Knowledge
You may not know every answer to the aforementioned questions without considerable investigation. So learning who within your organization has first-hand knowledge and experience in such matters becomes an essential skill. Like a spider sitting in its web, sensing the vibrations on each of the threads, you need to position yourself in a web of trusted relationships so that you can hear about issues and concerns as they arise.
You have to talk to people on the inside, said Emily, to figure out what matters: “That comes from a series of interviews with the business. And it's constant. It's a constant feeding of the machine. You understand what matters, you know where it is, you know how you're protecting it, you understand why you're at risk. And then you understand how well you are prepared to deal with it.”
A bonus of such interviews with managers and senior leaders is that it keeps the GRC agenda alive in their minds. Maintaining a constant dialogue, including feeding back relevant information into the business, is the quickest way to create trust and a resilient mindset in those who may eventually need to implement the resilience plan.
How LogicGate Can Help
When you are responsible for managing this web of relationships and information, using a GRC platform like LogicGate’s Risk Cloud helps you manage your risk program in one, centralized location. To learn more about how LogicGate’s Risk Cloud can help you manage your risk program, visit logicgate.com or request a demo.