Sometimes it helps to view a topic from an opposite perspective. So while there are many blogs, articles and consultants who are sharing best practices on how to enhance the risk management program in your organisation, let me take a contrarian view. Here are the 7 things you can do to ensure that your organisation fails in its risk management efforts:
1. Do not connect risks with business objectives: Ensure that when you create your risk library and define new risks, these risks are not linked to any business objectives. This will ensure that your risk library contains many risks with little relevance to your business, and risk managers will waste valuable time thinking about these irrelevant risks.
2. Do not try to consolidate multiple risk assessment methodologies: In a typical medium to large organisation, different teams will have different methodologies for assessing risks, e.g. the OpRisk team's risk assessment methodology may be completely different from the IT team's, which in turn may be completely different from the Business Continuity team's. Such disparate methodologies will ensure that senior management never gets a consolidated picture of the organisation's top risks, which will in turn ensure that the organisation is always caught off guard when a key risk turns into a loss event or incident.
3. Do not try to consolidate risk management systems used by multiple teams: In a typical organisation, the three most important teams responsible for improving the effectiveness of risk management are the group risk management team, the compliance team and the internal audit team. Each of these teams will use its own system for managing risks. Ensure that you don't consolidate the disparate systems used by these three teams, which will result in duplicated effort, wasted resources and minimal collaboration between them.
4. Use multiple spreadsheets for all risk management activities: Ensure that everyone in your organisation uses different spreadsheets for risk management activities such as recording risks, assessing risks, capturing action plans etc. The more spreadsheets you use, the better. This will ensure that no one in the organisation can get a consolidated view of critical risks, and risk managers will spend 60% to 80% of their time just updating and maintaining these multiple spreadsheets.
5. Record all risk mitigating actions in an unstructured format: Typically, when risk and control assessments are conducted, various risk mitigating actions may be required to address weaknesses identified in the way risks are being mitigated. Ensure that these risk mitigating actions are kept in an unstructured format such as emails, hard copies, Word documents etc. This will ensure minimal consistency in implementing risk mitigating actions, resulting in duplicated and wasted effort.
6. Share and publish minimal risk management reports and information: Ensure that minimal risk management related reports and information are published to stakeholders such as business units, senior management, the board etc. Reduce the frequency of these reports to once a year to ensure that no key stakeholders are aware of critical risks and hence never get the opportunity to prepare an appropriate response to them.
7. Involve only a very small group of experts in risk and control assessment activities: Ensure that the group of experts involved in risk and control assessment activities is kept to a minimum. This prevents the broader expertise available within the organisation from being incorporated into the risk and control assessment scores, which will ensure that those scores do not reflect the real risk exposure level. As a result, any risk mitigating actions taken on the basis of these risk and control assessment scores will never adequately mitigate the risks.
Author: Manoj Kulwal, Director and Founder at GRC Solution People.
The mounting pressures Risk Management professionals face today were initially compounded by the financial crisis and the resultant legislation and regulation (Basel III, Dodd Frank Act, Solvency II); now they are also burdened by Information Security, Business Continuity and Reputational Risk Management issues that relate to further regulated environments. It's not surprising that senior practitioners are increasingly united in their desire to have an enterprise view of their organisation's risk exposure.
As more organisations implement a GRC program, the staff who are leading and implementing GRC program related initiatives are now looking to professionalise with certifications.
If you would like to keep one step ahead and know more about becoming a certified GRC Professional (GRCP) or GRC Auditor (GRCA) with OCEG's globally recognised certification standard, or attend a forthcoming training seminar that awards this certification, please click here.