SBN

Risk Management: Addressing Shortcomings and Paving the Way Forward

Risks are like icebergs. Will you sink or sail?

In today’s ever-changing business landscape, managing risk is crucial for the success and longevity of any organization. From financial risks to operational risks and cyber threats, businesses face a range of challenges that require a robust and secure risk strategy. 

With the complexities of modern business, risk management can no longer be put on the back burner, and companies will need to keep up with the latest practices and solutions to stay afloat. 

Two SMEs from the TrustCloud team paired up to tackle a few hot topics:

  • Why companies should care about risk management
  • Current issues with risk management practices and solutions
  • Where they see the future of risk management heading 
  • How teams can start paving the way forward 

Read on to see how they weighed in, or check out their conversation on Youtube

Meet our subject matter experts

Molly Mullinger, Director of Product Solutions – Molly helps potential TrustCloud customers determine how to best leverage the TrustCloud platform. She joined TrustCloud from AuditBoard, and began her career as an auditor with EY.  

Abheer Bipin, Senior Product Manager – Abheer is product manager for TrustOps and TrustRegister, working with customers to gain a deep understanding of their needs and pain points, and with engineering to build products that turn GRC into a profit center. He previously worked at Deloitte and OneTrust. 

What is risk management?

Molly: Risk management is an organization’s way of defining and understanding all of the risk events that could occur, or anything that could go wrong when operating upon and meeting your organizational objectives. 

It’s something that organizations are doing on a quarterly & annual basis in order to make sure that they understand exactly what risk events could occur, based on changes in the market, economic environment, sociopolitical climate and other factors.

It’s increasingly important for companies to make sure that as they’re focusing on risk management, they’re thinking not only about what’s happening right now, but also considering what could happen and what could go wrong.

Abheer: It’s kind of like you’re on the Titanic, and you’re crossing the Atlantic Ocean, and the risks are icebergs. They’re going to be there, they’re a part of your organization, you’re not running away from them.

image

What risk management, as a function, can do is not only help you steer around those icebergs, but if you do hit one of those icebergs on accident, it’ll at least give you enough life rafts or a big enough door that two people can float on. That’s really risk management in a nutshell. 

You’re not getting away with it, you have to start at some point. The sooner your organization really starts looking at risk, the better and easier the process gets over time and the more insightful and data- driven the process gets. 

Why should companies care about risk management? 

Abheer: There are a few reasons why a company really needs to care about risk management. Quite frankly, the current situation we’re in in 2023 – there’s a certain level of risk in the market, and it’s important for organizations to understand the challenges ahead as well as actively prevent risks from taking place as a result. 

There’s also heightened sensitivity from stakeholders and regulators. Boards of directors and leadership teams are asking about risk, and they’re making risk-driven decisions. 

Most importantly, risk is an essential component of how businesses operate and grow. If you were to look at a startup customer who’s predominantly focused on achieving a standard or a framework so they can enable their sales teams, for them, monitoring risk is a compliance obligation.

Whereas if we move towards more advanced use cases for public companies and enterprises, risk becomes a tool to guide the organization to avoid obstacles and to drive decision making.  

So wherever a company or individual sits on that spectrum – between a startup and an enterprise customer – risk is an essential component for how they operate, and more importantly, how they grow. 

Who’s asking about risk management? 

Molly: For standards such as SOC 2, ISO, and NIST, regulators require that you go out and perform a risk assessment in order to meet that requirement. That’s the simple example. 

As organizations are starting to be more forward-thinking, and as they’re trying to think through how they can make sure that they’re meeting their strategic objectives, we’ve seen more and more interest from boards, leadership, and investors.

We’re probably going to see a continued increase in the number of people who are asking about your risk protocols and risk approaches as the number of requirements continue to increase and change and evolve. 

It’s interesting when we talk about boards and how they’re requesting risk information because it looks a little bit different from the regulators:

When regulators are asking, people tend to approach it as a check-the-box type of exercise. 

When boards are asking about it, they want to know more about how their organization is performing the way they want it to, and how to make sure that they can maintain business continuity. It’s starting to shift into a type of decision-making exercise that teams are using to understand where to invest to make sure that they’re appropriately protecting their company. 

Challenges that companies run into when performing risk assessments

Abheer: Risk management is done predominantly through spreadsheets, and that makes reporting and collaboration very challenging. Spreadsheets are not real-time. You’re conducting an assessment, you’re evaluating your risk profile at a point-in-time, and then saying, “Okay, I’ll come back 6 months from now, 12 months from now, and reevaluate my risk posture.”

The challenge is, with our rapidly moving, highly digitized world, the risks that you’ve put in today may not be valid six months from now, or there might be more risks that pop up between your assessment periods. And that’s where one of the challenges comes in with spreadsheets.You’re not monitoring anything, and generating a report for your board becomes very challenging, therefore making actions difficult too. 

Similarly, we’re looking at point solutions as well. There are risk products out there in the market. This is not necessarily a new concept, but on their own, risk products also have the same challenge of real-time reporting. You’re looking at controls for mitigation, for example. A point-in-time risk solution does not connect to the rest of your ecosystem, nor does it connect to the rest of your GRC program. 

At TrustCloud, we want to build this trust assurance platform, where all of these different elements within a GRC space are connected. Point solutions are not really able to collect all this information across an organization and make data-driven decisions on what should or should not be done. 

One of the other issues is that people outside of the CISOs team don’t really pay attention to risk, which makes it hard to execute mitigation efforts or satisfy risk requirements, particularly within large organizations. 

Where is risk management going? 

Abheer: For 2023 in particular, it’s a catalyst for change. You’re gonna see four trends coming out of this environment. 

  1. Predictive risk assessments: whether they’re done at a six-month mark or a 12-month mark, miss out on a large number of events that take place between those two timeframes. So we’re gonna see a world where predictive risk, or risk alerting, becomes a fundamental component. You don’t have to wait for the assessment. You can do this on a more real-time basis as and when risks pop up within the organization. 
  2. Data-driven risk management: Right now, there’s a subjectivity with risk, and as more and more information comes and as more data-driven or data-influenced practices permeate throughout an organization, we’ll see the same trend taking place with risk where data is used to justify why a risk is high or low versus just a subjective element based on emotion or gut instinct. 
  3. Unified system of record: Point solutions or Excel solutions are very good at collecting information, but they’re not good at doing it in real-time. So we’re going to see a trend where a unified system of record that spans across GRC and sales enablement, thus becoming a connected ecosystem. You can pull risk information from different areas rather than focusing on manual input. 
  4. Financial impact and progression being tagged or assigned to risks: As mentioned earlier, leadership teams are looking to risks to drive organizational decisions, to drive organizational budgets. Being able to connect a risk with its financial impact / projected financial impact is going to be a critical component of where this industry is heading in the next 18 to 24 months, as our economic climate and macro world really changes. 

Paving the way forward, or as we like to say, preparing for icebergs

Molly: There are a couple of ways to get started, depending on where your organization is at from a maturity perspective.

If you do not have an existing risk program or risk environment, performing a risk rationalization effort is super valuable to go through your risks. Understand what is still applicable or maybe not so applicable anymore based on the changing and evolving world. 

If you don’t have a program, a really great place to start is your controls. What are the things your controls are helping to mitigate against? Why do you have them in place? What are they protecting you from in order to make sure that you really have a cohesive risk environment? 

There’s also a number of solutions that are out there, as well as free resources to help identify a starting point for a risk register in order to make sure that as you’re going though and you’re thinking about thing that could get in the way of your organization’s strategic objectives, and the different ways that you should be thinking.

The first step in a robust risk strategy is creating a risk register. Not sure how to start? Check out our step-by-step guide, which includes a downloadable template. 

 

Then continue to run assessments on a regular basis. Using a fully integrated system, such as TrustCloud, can allow you to not only see your risks, but get data-driven insights and programmatic results from your controls environment to understand what risks are out there that you can’t necessarily see with your naked eye.  

The post Risk Management: Addressing Shortcomings and Paving the Way Forward first appeared on TrustCloud.

*** This is a Security Bloggers Network syndicated blog from TrustCloud authored by Mimi Pham. Read the original post at: https://www.trustcloud.ai/risk-management/risk-management-with-molly-mullinger-and-abheer-bipin/