7 key steps in planning a successful risk management program
Integrated Risk Management has the potential to be a
powerful tool for organizations, promising the ability to be proactive about
risk, identify potential problems before they come to the surface, and embed
risk activities in every aspect of business.
At the same time, companies frequently struggle with how to
implement their Risk Management Programs.
Where do I start? How do I get
there? What do steps do I need to take?
While every risk management program is different, and while
there are also different domains of Risk (such as Business Resiliency, Cyber
Risk, Third Party Risk and so on…), they all have specific steps that are
necessary for the long-term success of your program. In this article we will share with you our
view of the seven (7) key steps for a successful risk management program.
Step 1: Be prepared for a journey
Risk Management is never truly solved by the implementation
of a tool, or the creation of a spreadsheet.
Make no mistake, you are embarking on a journey that will grow and
change as your business and the market around you changes. While it is certainly possible (and highly
recommended) to have quick wins and make small changes that can have a very deep
impact on your business, the rapidly changing world of business means that risk
is constantly evolving as well.
In this journey you will likely:
- Make mistakes;
- See the real benefits integrated risk management
can bring to your team, department or organization;
- Be required to change direction suddenly when
priorities shift abruptly;
- Get better insights that will enable your organization
to make more informed decisions;
- Discover that no plan quite survives its contact
- Find opportunities for improvement you did not
expect to find.
Step 2: Know where you’re going
Every great strategy starts with a vision, and a risk
management strategy is no different. Be
prepared to consider what you want your risk management program to look like in
a year, three years, five years, and consider what are the most logical steps
that you need to get there.
This step is key for getting your risk management program
off on the right foot – because you will know where you are going, even if you
do not have a perfect plan on how to get there.
Examples of a Risk Management Vision can include:
- Understanding the cost versus value for control
implementation in your organizations’ risk posture
- Become HIPAA Compliant
- Be able to consistently manage risk issues and
know where they are in remediation
- Be able to assess risk and manage the metrics
required for continuous monitoring
- Understand your crown jewel business services
and where operational resiliency could fail
Step 3: Don’t go it alone
Getting buy-in is a critical step in any significant
organizational change. In building your
risk management program, getting buy-in comes from two specific and equally
important groups, those who own the vision for your organization, and those who
are primarily responsible for performing the activities once it’s
Essentially, your executive team and your end users. These
two groups will have two completely different perspectives that are critical
for the success of your risk program – one is the oversight and organizational
information needed to make your risk program truly effective, and the other is
the perspective of the day to day activities and how to manage risk management
processes to make them truly efficient.
Step 4: Get buy-in from your executive team
Executives should own the vision. They will be the final decision makers when
stakeholders are having conflicting requirements and will provide invaluable
insight into priorities for the overall Risk Management strategy. They will have
insight into the overarching outcomes of a risk management program that users
of the risk management tool and would be one of the most receiving the benefits
of those outcomes, as the risk management program enables them to make
stronger, better business decisions.
If an executive has not sponsored the program, a strong and
empowered delegate should own the risk management vision and speak for the
overarching needs that will increase the effectiveness of the risk program,
ensuring the program generates data which aligns with your organization core
objectives to make more effective decisions that positively impact your
Step 5: Get buy-in from your
A buy-in from the participants in your risk program, such as
the first line of defence who are responsible for providing assessment answers
or self-identify issues is also critical, especially when implementing a tool
to support the program. The people from
whom you receive buy-in will become part of your group of advocates that will help
with adoption of the procedural and organizational changes required as part of the
The goal is changing your reluctant participants into
enthusiastic ones. The more you allow
your participants to speak up in how they will interact with ‘their’ risk
program, the more they are likely to advocate for your risk program as you roll
it out for a wider audience. The more
you can make sure your participants of your risk program are convinced of its
value (as opposed to feeling like they have been forced to do something
arduous “because Risk Management told me
to”), the easier they will be to engage and the faster you will get the answers
you need to manage the risk.
Step 6: Start with a single
Quick and short term wins will help with getting buy-in – as
you make it easier to generate the necessary data to make informed business
decisions and/or make it easier to enter the data or respond to risk
assessments, you can help generate excitement over your risk program, show it’s
value in a short time frame and start your ROI in the shortest time possible.
A single and value step may be:
- Responding to a regulatory requirement with a
- Implementing a “Matter Requiring Attention” or
MRA from a previous audit or regulatory exam
- Automating processes that are currently require
a heavy lift by the business
- Create a centralized location for your data
instead of having it all in disparate folder locations.
- Remove the necessity for risk management team
members to manually send emails and follow ups by automating the notification
- Create a “self-serve” portal for risk owners to
see the results of risk analysis.
Identifying which step should be first is very
organizationally specific – it usually involves an analysis of current pain
points and the effort required to alleviate those pain points. The items with the lowest effort and highest
value filter become early priorities.
Note that none of the potential steps are features or
functions based – they are still based on outcomes that a company can achieve
during their risk management program. By
focusing on the goals or capabilities you want to achieve as part of your risk
program, you focus on the larger picture, rather than becoming mired in the
details of the features, which can easily lose sight of overall goals and can
result in slower implementation times and lower program success rates.
Step 7: Keep an eye on the map
Finally, as you work through the implementation of your risk management program, keep an eye on both where you are coming from, and where your vision is going to ultimately lead you. It is easy to get focused on the details and become very reactive with your risk program. It is important to regularly level-set on how your program is succeeding, what gaps may exist, or been introduced during the implementation of recent phases and how to best move forward to achieve your overarching goals. This regular “check-in” can help organizations course-correct on a regular basis as the ever-changing world of both business and risk management can change the landscape.