7 key steps in planning a successful risk management program
What is Integrated Risk Management?
Integrated Risk Management has the potential to be a powerful tool for organizations, promising the ability to be proactive about risk, identify potential problems before they come to the surface, and embed risk activities in every aspect of business.
At the same time, companies frequently struggle with how to implement their Risk Management Programs. Where do I start? How do I get there? What steps do I need to take?
While every risk management program is different, and while there are also different domains of Risk (such as Business Resiliency, Cyber Risk, Third-Party Risk and so on…), they all have specific steps that are necessary for the long-term success of your program. In this article, we will share with you Iceberg’s view of the seven (7) key steps for a successful risk management program.
Step 1: Be prepared for a journey
Integrated Risk Management is never truly solved by the implementation of a tool or the creation of a spreadsheet. Make no mistake, you are embarking on a journey that will grow and change as your business and the market around you changes. While it is certainly possible (and highly recommended) to have quick wins and make small changes that can have a very deep impact on your business, the rapidly changing world of business means that risk is constantly evolving as well.
In this journey you will likely:
- Make mistakes;
- See the real benefits integrated risk management can bring to your team, department or organization;
- Be required to change direction suddenly when priorities shift abruptly;
- Get better insights that will enable your organization to make more informed decisions;
- Discover that no plan quite survives its contact in reality
- Find opportunities for improvement you did not expect to find.
Step 2: Know where you’re going
Every great strategy starts with a vision, and a risk management strategy is no different. Be prepared to consider what you want your risk management program to look like in a year, three years, five years, and consider what are the most logical steps that you need to get there.
This step is key for getting your risk management program off on the right foot – because you will know where you are going, even if you do not have a perfect plan on how to get there.
Examples of an Integrated Risk Management Vision can include:
- Understanding the cost versus value for control implementation in your organizations’ risk posture
- Become HIPAA Compliant
- Be able to consistently manage risk issues and know where they are in remediation
- Be able to assess risk and manage the metrics required for continuous monitoring
- Understand your crown jewel business services and where operational resiliency could fail
Step 3: Don’t go it alone
Getting buy-in is a critical step in any significant organizational change. In building your risk management program, getting buy-in comes from two specific and equally important groups, those who own the vision for your organization, and those who are primarily responsible for performing the activities once it’s implemented.
Essentially, your executive team and your end-users. These two groups will have two completely different perspectives that are critical for the success of your risk program – one is the oversight and organizational information needed to make your risk program truly effective, and the other is the perspective of the day to day activities and how to manage risk management processes to make them truly efficient.
Step 4: Get buy-in from your executive team
Executives should own the vision. They will be the final decision-makers when stakeholders are having conflicting requirements and will provide invaluable insight into priorities for the overall Risk Management strategy. They will have insight into the overarching outcomes of a risk management program that users of the risk management tool and would be one of the most receiving the benefits of those outcomes, as the risk management program enables them to make stronger, better business decisions.
If an executive has not sponsored the program, a strong and empowered delegate should own the risk management vision and speak for the overarching needs that will increase the effectiveness of the risk program, ensuring the program generates data which aligns with your organization’s core objectives to make more effective decisions that positively impact your business.
Step 5: Get buy-in from your risk participants
Buy-in from the participants in your risk program, such as the first line of defence who are responsible for providing assessment answers or self-identify issues is also critical, especially when implementing a tool to support the program. The people from whom you receive buy-in will become part of your group of advocates that will help with adoption of the procedural and organizational changes required as part of the risk program.
The goal is changing your reluctant participants into enthusiastic ones. The more you allow your participants to speak up in how they will interact with ‘their’ risk program, the more they are likely to advocate for your risk program as you roll it out for a wider audience. The more you can make sure the participants of your risk program are convinced of its value (as opposed to feeling like they have been forced to do something arduous “because Risk Management told me to”), the easier they will be to engage and the faster you will get the answers you need to manage the risk.
Step 6: Start with a single step
Quick and short term wins will help with getting buy-in – as you make it easier to generate the necessary data to make informed business decisions and/or make it easier to enter the data or respond to risk assessments, you can help generate excitement over your risk program, show it’s value in a short time frame and start your ROI in the shortest time possible.
A single and valuable step may be:
- Responding to a regulatory requirement with a looming deadline
- Implementing a “Matter Requiring Attention” or MRA from a previous audit or regulatory exam
- Automating processes that currently require a heavy lift by the business
- Create a centralized location for your data instead of having it all in disparate folder locations.
- Remove the necessity for the risk management team members to manually send emails and follow-ups by automating the notification process.
- Create a “self-serve” portal for risk owners to see the results of risk analysis.
Identifying which step should be first is very organizationally specific – it usually involves an analysis of current pain points and the effort required to alleviate those pain points. The items with the lowest effort and highest value filter become early priorities. Note that none of the potential steps are features or functions based – they are still based on outcomes that a company can achieve during their risk management program. By focusing on the goals or capabilities you want to achieve as part of your risk program, you focus on the larger picture, rather than becoming mired in the details of the features, which can easily lose sight of overall goals and can result in slower implementation times and lower program success rates.
Step 7: Keep an eye on the map
Finally, as you work through the implementation of your risk management program, keep an eye on both where you are coming from, and where your vision is going to ultimately lead you. It is easy to get focused on the details and become very reactive with your risk program. It is important to regularly level-set on how your program is succeeding, what gaps may exist, or been introduced during the implementation of recent phases and how to best move forward to achieve your overarching goals. This regular “check-in” can help organizations course-correct on a regular basis as the ever-changing world of both business and risk management can change the landscape.