Aligning Resources to Address the Risk Behind the Curtain
As companies work to identify and manage risks within their organizations, it’s hugely important to use what is uncovered to make critical resource allocation decisions that mitigate that risk.
Identifying risk and mitigating it is a fairly simple concept. For example, you suspect Mrs. Gulch is really the Wicked Witch, and once you’ve confirmed that fact, that bucket of water sure does come in handy mitigating that particular risk. But what if you don’t have a source for the water and a bucket to haul it in?
While corporate initiatives to identify and manage risk are critical to making informed decisions about investment in risk mitigation resources, the line-of-business leaders are the ones tasked with the resource load planning that reduces exposure to risk. In turn, IT budgets are heavily influenced by the assumption that money spent here will help to protect against corporate risk.
Once the key strategic issues are identified and mitigated throughout the organization, what remains is the day-to-day preventable operational risk, where each instance of risk needs to be identified in the context of operational processes and specific mitigation needs to be applied. It is in this process context that resource decisions about controlling and mitigating risk get to the heart of the issue. It is at this level that audits pass or fail based on these resource allocation decisions.
So in the context of these operational processes, there are 4 key components in gaining the necessary transparency so resource investments can be allocated appropriately to mitigate risk:
- Identify risk instances on activities that may encounter them and consider using forward-looking KRIs (Key Risk Indicators) on these instances to accurately assess likelihood and impact.
- Aggregate risk to the process level based on risk instances at the activity level to better handle the ongoing change to these business processes and the corresponding impact on risk assessment.
- Apply control instances to risk instances and use KCIs (Key Control Indicators) to assess effectiveness of control instances. These KCIs might include consideration of process automation or manual test metrics on controlling processes.
- Roll up and/or report on KCI values in conjunction with risk criticality to highlight hotspots and opportunities for resource investment to improve risk mitigation effectiveness at the exact spots in your processes. This will make the greatest impact and provide positive audit outcomes.
Understanding risk in the context of your operational business processes is key to effective and demonstrable risk mitigation. This kind of transparency is critical for organizational alignment and solid business decisions around resource allocation.