March 25, 2021
Responsible Security and Responsible Disclosure: Why a VDP Matters
No organization has perfect security, so a VDP serves as one layer of many in a mature vulnerability management program. Learn about what a VDP…
This post is the first of our GRC 101 series, which will provide an entry-level overview of the business of governance, risk, and compliance. The first three posts will unpack GRC itself, starting with Risk Management.
Governance, Risk, and Compliance, typically shortened to GRC, refers to a company's coordinated strategy for managing the broad issues of corporate governance, risk management, and compliance with regulatory requirements.
In this post, we’ll take a closer look at one of these pillars: Risk Management.
What is Risk Management?
It’s easy for most people to answer that in a generally applicable way. At its absolute highest level, it involves any measure taken to avoid or limit the chance of a bad outcome—such as wearing a hard hat in a construction zone or buying insurance in case of a flood.
In a business context, things get a bit more specific. Let’s start with a definition:
Definition 1: Risk management is the ability to effectively and cost-efficiently mitigate risks that can hinder an organization's operations or ability to remain competitive in its market.
Meanwhile the Open Compliance and Ethics Group (OCEG) offers a more comprehensive definition:
Definition 2: Risk management is the system of people, processes, and technology that enables an organization to:
- Achieve objectives while optimizing risk profile and protecting value
- Set business objectives that are congruent with values and risks
- Understand and prioritize stakeholder expectations
- Operate within legal, contractual, internal, social, and ethical boundaries
- Provide relevant, reliable, and timely information to appropriate stakeholders
- Enable the measurement of the performance and effectiveness of the system
What does risk management mean for businesses?
The application piece is where things get complicated. Firstly, think of all the potential risks a business should think about. Examples of potential risk areas include financial risk, credit risk, market risk, strategy risk, operational risk, fraud risk, reputational risk, information security risk, technology risk, compliance risk, and natural disaster risk. Just within information security risk, you have security breaches, data loss, cyber attacks, and system failures—to name but a few.
An effective risk management process will help identify which risks pose the biggest threat to an organization and its resources, and provide guidelines for handling them. But that’s just the start. Risk Management can be divvied up into three steps: risk assessment and analysis, risk evaluation, and risk mitigation. Let’s take a closer look at each.
- Risk Assessment & Analysis—A risk assessment evaluates an organization's exposure to uncertain events that could impact its day-to-day operations and estimates the damage those events could have on an organization's revenue, resources, and reputation. According to The Institute of Risk Management, "This requires an intimate knowledge of the organization, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives."
- Risk Evaluation—After the risk assessment/analysis has been completed, a risk evaluation should take place. A risk evaluation compares estimated risks against risk criteria that the organization has already established. Risk criteria can include associated costs and benefits, socio-economic factors, legal requirements, and system malfunctions.
- Risk Treatment & Response—The last step in the risk management process is risk treatment and response. Risk treatment is the implementation of policies and procedures that will help avoid or minimize risks. Risk treatment also extends to risk transfer and risk financing.
Who is responsible for risk management?
It depends on the company.
At small companies, there may not be anyone designated to assess and manage the company’s risk. At larger enterprises, typically there’s a department whose sole job it is to monitor the company’s changing risk profile and put processes in place to manage it. The heads of such departments often have titles such as Chief Information Security Officer (CISO) and Chief Risk Officer (CRO). Lower-level employees will have titles like Risk Analyst or IT Security Manager.
How does risk management help companies?
Effective assessment, analysis, and management of an organization's risks pays dividends in a multitude of ways. It helps protect assets, improve decision making, and optimize operational efficiency. As a good steward of risk, the company can invest time and resources with a clear understanding of all potential outcomes—including the downsides. It’s a fundamental part of any company’s strategy to attain its goals.
Click here to read about Compliance and Governance.
For more on Risk Management, check out LogicGate's enterprise risk management solution or download our eBook below on How to Build Organizational Support for ERM.