I’ve been giving some thought to what makes a good risk management function. What follows is a summary of the 7 key attributes or processes I settled on, in no particular order. It is worth noting that this is not specific to IT or information security, but any environment where risk needs to be managed.
Be firm but fair. Always exercise professional scepticism when evaluating the effectiveness of a control environment. Just because someone says something works doesn’t necessarily mean it works as it should. Independence in also important – those too close to a process are not always in the best position to identify risks.
2. Risk assessment and reassessment
People, processes, the environment, technology, everything and anything changes. Consider the rate of change and other factors (such as incidents) and define a formal plan for revisiting the risk assessment phase. Check that your attributes, ratings and area of assessment are still valid.
3. Refinement of controls
In conjunction with #2 revisit controls and associated processes to validate these are effective and efficient. Even if the environment (and risk) hasn’t changed, there may be a better way of managing the risk such as with a new technology. Using maturity models can help to track and measure changes in the effectiveness of controls. Although monitoring controls is a fundamental part of risk management (as in the prescribed Plan-Do-Check-Act methodology), this does not constitute independent review. Make sure your audit team has a look at the control environment to give their view.
4. Collaboration with other risk management functions
Work environments can be very complex. Many systems, processes, laws, regulations and other attributes combine to keep a business working. It is nearly impossible for a single division to have 1) the knowledge required to understand all risks, and 2) the visibility of all components of the business. Even those teams with similar skill sets (such as IT security and IT audit) have different objectives and so need to work together to help the business manage risk effectively. Rather than working in isolation there is more value in assurance providers and risk managers working together to ensure appropriate lines of defence are in place while avoiding duplication of efforts (i.e. combined assurance).
5. Awareness and training
The possible high rates of change in an environment (systems, business processes, risks, technologies or regulation) pose a challenge to those that are responsible for identifying and managing risks. Continued learning and awareness are fundamental requirements to obtain and sustain the necessary knowledge of the environment and associated risks. At the same time we are challenged by having too much information easily available, so it is important to filter out what is relevant and to identify trustworthy sources. Engaging with other professionals within this pretext is a great way of keeping up to date with changes relevant to your environment.
6. Collaboration with business
Apart from making the work place more pleasant, there is value in building a trusted relationship between risk managers/assurance providers and business stakeholders. The more these parties engage the more opportunity there is for knowledge transfer. The more a risk manager knows about the environment in which they operate the more effective they can be and the more value they can demonstrate.
Most (if not all) divisions have the business’ best interests at heart, including risk functions. A risk manager’s job is not to always err on the side of caution and drive the control environment to such an extent that all risks are fully mitigated as this hinders the business’ ability to operate or perform successfully. Many businesses need to take risks to make money, and it is the responsibility of risk functions to allow them to do so while managing risks to an acceptable level. Managing risks is not always about fully mitigating them.