30 October 2019

Risk management must go beyond spreadsheets



A traditional approach to risk management sees the board or risk committee define the key risks that threaten the achievement of their strategic objectives. This typically results in a list of ten to twenty very high-level risks such as loss of brand reputation or non-compliance with applicable regulations.

This top-level list needs to be ‘unpacked’ or subdivided into the more tangible risks that might contribute to them. There are a number of ways that this might take place, but it typically results in the management of risks being delegated (by departments, operational units, etc) to risk owners, who will be expected to quantify and manage, through relevant responses, a subset of risks. 

An organisation’s responses to a risk can take various forms. A specific risk might be managed through the implementation of controls, or there might be an option to take out insurance against it occurring, for example. In some cases it may be acknowledged that a risk exists but accepted that it is unavoidable, or that the likelihood of it occurring is minimal; ‘do nothing’ is always a legitimate option.

Limitations of traditional risk management
Reporting is one of the biggest challenges in the risk management function, which will typically spend a lot of time gathering relevant information to provide a view to the committee and the board. Often this will be based on self-assessments – surveys sent to risk owners in the business asking them to provide information about the measures they have taken to respond to known risks and how effective these have been. In my view this is a key point of failure for most risk management functions.

A key principle of an effective risk management framework is consistent taxonomy – a harmonised view of how to categorise and quantify risk across the organisation is critical if this information is to be rolled up to give an organisation-wide view of the issue. However, if the material collected is primarily self-assessment data, even with consistent taxonomy, risk reporting is very much at the mercy of individual risk managers and their willingness to be candid in their assessments; there is a very real likelihood that they will either gloss over or under-report risk.

In addition, risk management functions will often spend a significant proportion of their time collecting data from risk owners and consolidating and massaging it into reports for the board. Put simply, risk management teams are often reporting on risk but not actively managing it.

How can information security professionals help to resolve these issues?
Collecting and reporting on risk from a spreadsheet still happens in many organisations, but the tools available to facilitate the gathering of information and the automation of reporting in a consistent and repeatable format have advanced significantly in recent years. Their implementation can free up risk management functions to spend more time actively managing risk within the business.

These tools can also be used to enrich risk reporting with facts surfaced from multiple data sources throughout the organisation. Building in feeds such as controls performance or risk remediation statuses can remove the dependency on self-assessment and augment board reporting with key risk indicators that are not subject to a human filter.

Cybersecurity and information security risks are high on the agenda for most boards today. Professionals in this area are able to provide information about their activities to the risk management function, and ultimately to the board, through risk reporting.

Integrated risk management
To illustrate this with an example, in a traditional, siloed approach, a risk owner completing a self-assessment questionnaire distributed by the risk management team might confirm that threat detection activity is undertaken to identify external attacks on the organisation’s IT networks. Information provided might include a description of the activity, perhaps with an evaluation of how much this reduces the risk and some metrics, although these probably won’t be given a great deal of context. Crucially, it is unlikely that the risk owner will volunteer any more detail than is requested, unless something fundamental has changed around the processes operated for threat detection.

Using the same example in an integrated risk management scenario, the self-assessment element might be bypassed entirely, instead using risk management technology to generate analytics about cybersecurity risks. These analytics might be displayed in the context of data from previous months to illustrate trends and highlight when the risk of an IT security breach might be increasing because the number of identified attacks is increasing. There is also the potential to combine threat-monitoring analytics with other related data such as the completion of software patching to give additional context to the overall management of cybersecurity risk.

Information security professionals occupy a unique position in the enterprise; they have responsibility for a number of key IT-related risks combined with the IT literacy to understand how they can be managed with technology. Organisations’ increasing adoption of these tools provides the ideal opportunity for the IS team to demonstrate to the board the work they do to support the risk management function (through the effective deployment of these technologies) and therefore the critical role they play in protecting the business from information security threats.

