This is part 1 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about the key building blocks of a good risk management framework and how these can help form an integrated view of risks in your organisation.
Hi, I'm David Tattam, Director of Research and Training at the Protecht Group. One of the common issues we find when we talk to clients about implementing and managing a risk management framework is they'll often highlight that they face a series of disparate and disconnected risk processes and, as a result, disparate, disconnected risk information.
The second problem is that a lot of the information they use is at a point in time, and often that point in time is historical, and as a result it is not overly valuable. The solution to this is really twofold:
- Number one is to identify what the key building blocks of a good risk management framework are and, as a result, what risk information should look like. What are the parts?
- Secondly, once we understand those parts, how do we bring all that information, those processes, to an integrated combined view?
The Building Blocks of Risk Management
Let's go back to the building blocks. There are six:
- Risk taxonomy
- Risk assessment
- Control effectiveness
- Risk metrics (Key Risk Indicators)
- Incidents
- Control weaknesses and gaps
The first building block is to come up with a really good series of risk descriptions. We often call these the risk categories, or the risk taxonomy. This allows us to aggregate risk up to the highest level, the board, using the risk information underneath.
The second one is to carry out a periodic risk assessment. This identifies the risks that we face together with the key controls.
Thirdly, once we've identified the key controls, we should then be doing periodic control effectiveness assurance to tell us how effective our controls are.
Fourthly, because our risk assessments aren't very dynamic, we should also be collecting risk metrics. We call these key risk indicators, and they give us a more up-to-date view of our risks and our key controls.
Fifthly, our past incidents. What has actually gone wrong? What can we learn from those mistakes?
And lastly, from all of this we may identify areas we are not happy with. We call those control gaps or control weaknesses, and out of those we can come up with actions to improve and make ourselves stronger.
Once we have those building blocks we then move on to bringing them all together into a consolidated view. We call this a dynamic risk profile. We at Protecht call this RiskInMotion.
So please check our other blogs and our other videos, and until then take care.
Watch a recording of our Risk Taxonomies webinar and learn about the common mistakes we see in risk libraries and what you can do to deploy a strong and consistent risk taxonomy.
Other videos in this series:
- Part 2 - Solving the Problem with Risk Taxonomies
- Part 3 - Risk and Control Self Assessment (coming soon)
- Part 4 - Are you intimate with your controls? (coming soon)