Boards of directors and their C-suite colleagues are getting an education in enterprise risk management right now, as the discipline as a whole turns toward a more holistic approach, and IT is largely taking on the role of educator.
The Institute of Risk Management’s Risk Management in 2020 projection traces that evolution: from the siloed, narrow approach of the 1990s, focused mostly on insurance or safety and environment, through the 2000s, when risk managers were added as facilitators and standard creators, to a “global age” in the 2010s, with risk starting to be embedded in the organization and risk officers reporting to the executive level. In the 2020s, the projection shows, risk management strategy will be fully embedded in the organization.
If that is accurate, one way business will get there is by learning to let go of event-driven risk management. Though the phrase sounds a bit oxymoronic, it is still a common approach, and one that can cause more pain than it alleviates. The shift away from it is receiving global attention, with news about the precarious nature of financial markets and supply chains reaching even the least connected among us. At a recent Governance, Risk and Compliance conference held in Johannesburg, South Africa, Tichaona Zororo, director of enterprise risk management vendor EGIT, told the gathering:
“The board must also ensure that management has implemented a system to manage, monitor, mitigate risk, and that system is appropriate given the company’s business model and strategy. It must also see that the expected risks are equal to the expected rewards and ensure that the risk management system informs the board of the major risks facing the company.”
Organizations taking the embedded approach will understand that enterprise risk management as related to IT “consists of IT-related events that could potentially impact the business,” Zororo said.
Finding the balance between awareness of actual and potential events and a strategy that is not driven by events is where IT can provide the leadership the board will expect. Are IT’s internal audit programs fully visible to the executive team and the board, for example?
Discussions about compliance are driving much of the conversation around this shift, as the realization spreads that compliance does not equal safety and security. A recent report from the senior IT professional community Wisegate highlights the trend. At its core, the change IT is facilitating is to get senior management to “stop handling compliance as a checklist,” and to let IT do what it does best: bring intimate knowledge of controls to the creation of the risk management strategy.
Taking the stance that a board and executive suite starting from a relatively basic understanding of risk is an opportunity rather than a problem, some Wisegate members offered this advice for taking a leadership position and getting the conversation started:
“… having a document as a starting point facilitates these discussions. But it was also cautioned, ‘Don’t try to get it perfect. Don’t try to cover everything. It’s much more important to get a starting point and start the discussions.’”
The report is short and well worth a read for solid tips on communicating to non-IT colleagues the need for a comprehensive risk management strategy and, more importantly, on how to keep the discussions ongoing and productive after kick-off.