WHAT ED SAYS
Most businesses are doing some form of risk management. Managed risks are one thing, but unmanaged risks can be pretty difficult to estimate and account for. It may be hard to accept, but wearing your lucky scarf and the torn jersey you've had for 20 years, while sitting in the EXACT same chair every game, doesn't impact your team's chances of winning. So really, just "hoping" that your business risks are, well, "manageable" isn't a very sound way to operate either. A much more sophisticated approach is necessary for a business to really have a better view into potential risks.
Crystal balls need not apply
Many businesses have evolved their approach beyond just wishful thinking and have indeed developed sophisticated methodologies for identifying risks, each with an associated probability of occurrence and an estimate of loss. These are often developed into operating frameworks that pair each risk with the controls that mitigate it. Conceptual frameworks for risk and controls are also prevalent; they let you abstract away from the operating frameworks to better ensure coverage across the business. These concepts have always been critical to sustaining the ongoing and healthy operation of any business.
More recently, leading organizations have begun to realize the importance of identifying risk in the context of business processes. This means that the risks can be associated with specific processes or activities within a business or business unit. Not only does this provide a context for the risk, it also establishes clear ownership of each instance of this risk based on who owns the process. This integrated risk management and business process approach exists at varying levels of maturity within these companies. Hello visibility!
Getting out of second gear
The quickest way to gain some of the benefits of this integrated approach is to capture processes in general diagramming tools, with indicators in the diagram where risks, controls, etc., exist. This allows people to communicate and collaborate on where risks occur. In parallel, there may be spreadsheets or other manual report formats specific to each process which list each activity and its associated risks and controls. Along with other related data, possibly derived from various systems of record, this helps to define what the diagram is attempting to show. This information might then be used by auditors to verify that the correct controls are in place based on the risks identified within the processes.
This is certainly a process-centric approach which has important benefits, but more integration and sophistication is desirable if a company wishes to leverage all of this data across the entire business unit.
Like a fine wine…
Higher levels of maturity include leveraging a combined content and metadata repository, allowing diagrams to reference the process landscape and risk/control operating frameworks. This is required to allow reporting across multiple dimensions. One critical part of this evolution up that maturity scale is to leverage existing information captured in these diagrams and spreadsheets or other databases/systems of record.
In addition, the use of dashboards to monitor the progress of this risk management analysis is important. Generating reports for auditors from this information reduces errors and keeps the reports always up to date. This can include test results which validate that the controls are in place. Other advantages include the streamlining of the change management process, as well as impact/gap analysis and risk/control reuse. Capturing this information enables it to be fed into a more extensive Governance, Risk and Compliance (GRC) initiative, where Strategies and Goals can drive desired outcomes. Meanwhile, Legal, Regulatory and other influences can determine the requirements to be evaluated for compliance, all in the context of this integrated risk/process approach.
By adopting this method, you no longer have to bust out your lucky gear to try to influence a positive outcome with such risky business - you've got a real harness on managing what may have seemed "unmanageable".