The same is true for business – with praises given to the brave, devil-may-care entrepreneurs and patronising pats on the head reserved for those who prefer the ‘belt and braces’ approach. Risk exists ‘somewhere over there’ and there may be a chief risk officer or executive team that needs to deal with it, but for the rest of the organisation? Not so much.

There are, of course, places and people who are more attuned to the topic than others. Japan builds its infrastructure and trains its citizens to be aware of the risk of earthquakes at all times, but this is rarely a consideration for anyone living in Australia.

If COVID-19 has shown us anything, however, it’s that the unimaginable can happen. Risk is real. The unexpected can turn the entire world upside down in an instant and, if your business is not properly prepared to cope with whatever gets thrown at it, disaster may well prevail. It’s a truth some began to learn during the 2008 global financial crisis, when many organisations were left open and vulnerable, without solid risk management strategies in place. Institutional failure and significant financial losses followed because attitudes towards risk were poor.

In more recent times, the advent of technology and business continuity plans has meant that some businesses were better placed to adapt when COVID hit, with strategies in place to deal with challenges like unavailable data centres and remote working.

But to ensure continued business success, a company-wide approach is not only advisable but necessary. The weakest link is not just a game show idea; it could well be the instrument that brings down an entire company if a strategic risk management system is not developed and implemented.

IRM

Integrated risk management (IRM) and a risk culture mean that every single business unit has risk and compliance functions embedded. Added to this is the necessity of ensuring control over the risks attached to all your key business partners, suppliers and outsourced entities. It is vital to have some measure of control over how those third and fourth parties manage their own risks too.

But what are the different steps to creating an IRM and how does an organisation ensure it is implemented correctly? There are five basic stages:

  • Decision – the first step is to gain a strategic and company-wide understanding and acceptance that a risk management strategy, which incorporates information security, is necessary.
  • Assessment – this is where the risks within an organisation’s environment are identified and individually itemised, drawing on the risks faced by other similar organisations, consultations with staff members and input from the executive team.
  • Response – once the risks have been identified, cost benefits can be worked out and priorities set, with each risk categorised as to whether it should be accepted, mitigated or transferred. Some risks may be considered too expensive to address, or too unlikely to eventuate, while others will require the implementation of mechanisms to mitigate or control them. Still others will be transferred, which translates to buying insurance. Cyber security insurance coverage, for example, would be used by those who are aware that, despite all efforts, they are unable to make their software systems watertight. If the worst comes to the worst and they do suffer a breach, they know they have insurance in place to cover it.
  • Communication – a risk register is not ‘secret business’ and its details must be communicated to all units of a company with regular updates. To maintain a risk culture, awareness and buy-in across the entire organisation is mandatory.
  • Monitoring – a risk register is also not a ‘set and forget’ affair. Risk levels change all the time. Organisations would generally keep all risks on their register for at least a year, but continually check the register and re-evaluate each of the entries upon it. In the software sphere you may find you have mitigated a risk one month and then six months later a whole new raft of SaaS products have been introduced and brought with them an accompanying array of new risks.

The final piece to an effective IRM solution is installing the technology to run it. Doing this means you have a continuous cycle of all the necessary component tasks and actions of the solution, each assigned to individuals via a shared tool with deadlines. This ensures they must be acted upon and no one can conveniently forget or delay their contribution. Because, just as that weakest link won’t win the prize, one staff member in the chain not being compliant or completing their part of the cycle will leave the organisation vulnerable to risk and in danger of being compromised.
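The five stages and the shared tool described above can be made concrete as a small risk register. The following Python is an added example written for this page; it is not code from the article or from any particular IRM product. The cost-benefit rule in `decide_response` (accept when the expected annual loss is cheaper than any treatment, otherwise choose the cheaper of mitigating or transferring), the 90-day review period and the sample risks, probabilities and dollar figures are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Response(Enum):
    """The three treatments the article names for each identified risk."""
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"   # e.g. buying cyber security insurance


@dataclass
class Risk:
    ident: str
    description: str
    owner: str                  # business unit or person accountable (Communication stage)
    probability: float          # estimated annual likelihood, 0.0-1.0 (assumed estimate)
    impact_cost: float          # estimated loss if it eventuates, in dollars (assumed)
    mitigation_cost: float      # annual cost of the controls that would reduce it
    transfer_cost: float        # annual insurance premium to transfer it
    last_reviewed: date         # Monitoring stage: when the entry was last re-evaluated
    response: Optional[Response] = None
    action_due: Optional[date] = None   # deadline for the assigned treatment task
    action_done: bool = False

    @property
    def expected_loss(self) -> float:
        """Annualised expected loss = likelihood x impact."""
        return self.probability * self.impact_cost


def decide_response(risk: Risk) -> Response:
    """Simple cost-benefit rule (an assumption for this example, not the article's):
    accept when the expected loss is no larger than the cheapest treatment,
    otherwise pick whichever of mitigate / transfer is cheaper."""
    cheapest_treatment = min(risk.mitigation_cost, risk.transfer_cost)
    if risk.expected_loss <= cheapest_treatment:
        return Response.ACCEPT
    if risk.mitigation_cost <= risk.transfer_cost:
        return Response.MITIGATE
    return Response.TRANSFER


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest expected loss first, so the executive team sees what matters most."""
    return sorted(register, key=lambda r: r.expected_loss, reverse=True)


def stale_entries(register: List[Risk], today: date, review_days: int = 90) -> List[Risk]:
    """Monitoring: entries not re-evaluated within the review period (90 days assumed)."""
    cutoff = today - timedelta(days=review_days)
    return [r for r in register if r.last_reviewed < cutoff]


def overdue_actions(register: List[Risk], today: date) -> List[Risk]:
    """Treatment tasks whose deadline has passed without being completed,
    so no one can 'conveniently forget' their part of the cycle."""
    return [r for r in register
            if r.action_due is not None and not r.action_done and r.action_due < today]


def build_sample_register(today: date) -> List[Risk]:
    """Constructed sample entries; every figure here is made up for illustration."""
    return [
        Risk("R1", "Primary data centre unavailable", "Infrastructure",
             probability=0.10, impact_cost=2_000_000, mitigation_cost=150_000,
             transfer_cost=300_000, last_reviewed=today - timedelta(days=30),
             action_due=today - timedelta(days=5)),          # past due, not done
        Risk("R2", "Breach via an unvetted SaaS product", "Application Security",
             probability=0.20, impact_cost=500_000, mitigation_cost=250_000,
             transfer_cost=80_000, last_reviewed=today - timedelta(days=200),
             action_due=today + timedelta(days=30)),         # not yet due
        Risk("R3", "Supplier invoicing portal outage", "Procurement",
             probability=0.05, impact_cost=50_000, mitigation_cost=20_000,
             transfer_cost=10_000, last_reviewed=today - timedelta(days=10)),
    ]


def run_cycle(today: date) -> dict:
    """One pass of the continuous cycle: decide, prioritise, flag stale and overdue items."""
    register = build_sample_register(today)
    for risk in register:
        risk.response = decide_response(risk)
    return {
        "priority_order": [r.ident for r in prioritise(register)],
        "responses": {r.ident: r.response.value for r in register},
        "needs_review": [r.ident for r in stale_entries(register, today)],
        "overdue": [r.ident for r in overdue_actions(register, today)],
    }


if __name__ == "__main__":
    for key, value in run_cycle(date(2024, 6, 1)).items():   # constructed 'today'
        print(f"{key}: {value}")
```

In this constructed register the data centre risk carries the largest expected loss and is cheaper to mitigate than to insure, the SaaS risk is cheaper to transfer, and the supplier outage is accepted because both treatments cost more than the expected loss. The same pass flags that the SaaS entry has not been re-evaluated within the review period and that the data centre treatment task is overdue, which is exactly the information a shared tool with deadlines is meant to surface.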