How can information security professionals help their organisations move from traditional governance, risk and compliance to integrated risk management that integrates risk activities from across an organisation to enable better strategic decision-making?
Integrated Risk Management – the operational approach
Integrated Risk Management (IRM) is becoming an increasingly popular term to showcase the importance of risk at the forefront of corporate governance, as well as inferring that traditionally, these activities have been siloed within a corporate enterprise. However, even in an IRM world, a variety of activities and disciplines are required from many different teams, while there are alternative ways to achieve an integrated view.
Top-down versus bottom-up
A top-down approach to IRM requires the executives and management layer to source accurate information and view it in a consistent manner to make appropriate decisions.
In contrast, an operational, or bottom-up approach tends to value having each and every business unit taking responsibility for risk management. This assumes that if all the risks are captured and filtered at the lowest relevant level, those that are of greatest impact will naturally, or systematically, be visible further up the chain; it depends on risk management processes rather than a technology solution. To be effective, it requires risk managers at the operational layer to be aware of the business strategic objectives and understand how these are impacted by their identified risks. Similarly, risk managers need clarity on the way that risks should be identified and classified; without this the risks may still be inconsistent and the overall clarity reduced.
Rather than raising strategically important risks from the lowest level in the business, the key is to understand which risks are important to each particular function.
Generally speaking, those at the top of an organisation are interested in business strategic risks that will have a material impact on the ability of the enterprise to trade or grow according to its strategy. Many different aspects will impact these risks; some (process efficiency for example) are controllable from within the company, and some (such as government policies) are not.
Operational decisions require detailed information
However, these risks tend to be more generic in nature and informed by more detailed activities that may be taking place further down the line, where objectives and perspectives will be very different. Far more granular information is required to make a more operational decision based upon the risk at hand.
Here the risk of IT failure provides a great example. A strategic top down view may be as simple as reviewing whether IT assets are sufficiently controlled for the business to operate, or if they are at significant risk of compromise.
Whilst this is a noble question to ask, it is not sufficient to meet operational resource planning where much more detailed information may need to be factored in: which operating systems are running on which assets; the assets that are affected if a vulnerability is found; what data is stored on which server and the risk that poses if it is impacted; etc.
These detailed questions are highly relevant for an IT asset driven risk management approach as, from an industry perspective, they may contribute directly to the operational risk of not meeting compliance objectives. However, much of this information is not relevant for the executive table in anything other than a summary statement based upon the influencing factor that may occur on the top-level corporate risk.
Integrating top and bottom
Joining these two worlds is the crucial element of an integrated risk management approach. It’s not about everyone knowing everything about the whole of the enterprise; rather it is about each individual businesses understanding how it is part of a whole and where it has an influence.
Technically focused individuals may raise legitimate strategic business risks, but generate a false impression of their criticality because they are important to them, or define them in terms that are overly technical for the organisation overall. However, something being technical doesn’t mean it is not justified. It may also identify a business-killing event such as a cyber-attack or zero-day vulnerability. The key is to have the right filters in place to allow information to be centrally captured, without being mutated, while also ensuring there is a coherent understanding of the risk, wherever it is sourced.
Managing risk is not a competition. People should be able to raise risks where they’re identified, but avoid flagging them for the sake of it (in an organisation that is culturally risk averse for example, or to protect their reputation if there are related issues at a later date). In most cases, the optimal solution is a centrally-run risk management function that has inputs and representation in all business units to inform on the risks. They can then act as the filter, spot duplication and help to facilitate the integration into the wider strategic agenda.
Adopting an operational, or bottom-up approach to risk management requires the following to be in place:
- Processes need to be consistent, as well as simple enough for everyone to understand what is expected of them and how to do it.
- People can be empowered to do the right thing through an understanding of what is a great outcome for the organisation, reinforced with enabling materials that support the message. They can also be encouraged to perceive risks and controls as a part of their job, rather than an abstract extension of it.
- Technology should also make it easy to act correctly when it comes to risk. This should allow processes and risk information to be standardises, but not be so prescriptive that reduces the ability to tap into the expertise available.
At its core, integrated risk management is focused on everyone having access to the right level of information, that is relevant to their job function, at the right point in time. Centralising and integrating this information allows it to be viewed from the top for the summary, but also drilled into so that the specific details of the problem can be found.