Risk Management Strategic Execution Gap
Organizations large and small should be concerned about the gap that commonly exists between the business strategy and vision on one side and the strategy and vision for risk management on the other. Whether your business calls it risk management, information risk management, information security management, governance, risk and compliance, cybersecurity, or cloud security, the objective from the C-level is usually the same: a risk-based approach. Without getting too hung up in the details, a simplified way of explaining a risk-based approach is as follows: controls are implemented, monitored and measured because they clearly address risks to business assets that were identified through a mature risk management process.
You may believe that organizations, especially large ones, have a handle on this: the business strategy drives the vision for the risk management program, that vision drives the risk management strategy, and the strategy is then executed. The fact of the matter is that they are simply not communicating strategy in a manner that resonates with both the people they report to (the board of directors, executive steering committee, C-levels, etc.) and the people who report to them (the people who are ultimately responsible for executing the strategy).
It doesn’t matter which C-level role you are in; be honest with yourself and ask whether this is an accurate statement: "Our risk management strategy is a product of our overall business vision and is clearly documented and communicated, so that my staff is clear on our strategy and is held accountable for meeting the strategic objectives necessary to execute it." Can you answer yes?
Logical, simple, yet often missing…
The idea is logical: take the business strategy and find the areas in it where risk management principles can be applied to support that strategy (tying it to your business core values often resonates nicely with an executive or board audience). In other words, treat risk management as an opportunity to grow the business and bake it into the culture, rather than as a cost of doing business.
It is also simple: spend a little time documenting your vision, then make certain that everyone who works for you clearly understands that vision and how they play an important role in executing it. Answer questions like these:
1) What are our business core values?
2) Where do I see our risk management program in three years?
3) What does our Accountability Chart (org chart) look like in three years?
4) Create a sales and marketing plan for your risk management program that addresses both your internal audience (board, leadership, employees, etc.) and your external audience (customers, auditors, vendors, etc.). You’re a bridge builder, right? If you don’t have the sales skill set, you are best served by delegating and elevating the program sales role to one of your direct reports, since bridge building should be part of any good risk management strategy.
5) What are my 3 to 5 high-level goals for this year?
6) What are my 7 to 10 high-level goals for this quarter to meet my 3 to 5 high level goals for the year?
7) Who is assigned as responsible for meeting these quarterly goals, which subsequently lead to achieving our annual goals?
8) What number or numbers can I use to hold those individuals accountable for hitting those goals?
9) What tools can I use to make this process easier?
Renaissance Data Solutions works with executive leadership from companies large and small to make certain that you have all of the tools at your disposal to be successful in your role as a risk management leader. Working hand in hand with you, we provide the tools that make your job easier. Think of a world where you can make an informed choice based on actionable intelligence before ever purchasing another product or service.