Risk is a given in any business; it’s how companies view it that matters. Those that don’t shy away from focusing on risk can meet challenges head on, prepare for future potential issues, and enhance business processes.
The three lines of defense model for approaching risk includes frontline managers who own and manage risk in their operations on a day-to-day basis (first line), the risk management and compliance functions that set policy, maintain the overall risk management process, and oversee the first line's controls (second line), and internal audit (third line), which maintains independence and objectivity and generally reviews processes and procedures at set intervals.
First- and second-line risk managers measure success in various ways, including passing audits, executing timely remediations, and, most importantly, experiencing zero breaches. In turn, these managers can enhance their contribution by focusing on the following five priorities.
1. Understand day-to-day business processes. Many times organizations only see the end product but don't understand the various points of vulnerability in daily work processes. Most importantly, organizations need to value redundancy in people, systems, and data; there should not be a single point of failure for anything. In some cases, top Fortune 500 companies rely on a manual spreadsheet, updated daily and stored on one person's hard drive, to track critical information—not the best way to track information, and a single point of failure if that person or that machine is unavailable.
2. Leverage the frameworks. The blueprint for a well-protected organization is available from various sources, such as NIST, COSO, FedRAMP, and COBIT. People need to take the time to read these frameworks, understand them, and put them to use. Managers should review and assess their current risk structure against them and triage the gaps with a high sense of importance. They don't need to "reinvent the wheel." The design work is done; put the effort into implementation.
3. Adapt. Technology changes at an unprecedented rate. Software evolves and so do the risks associated with it. Many times, first- and second-line managers are simply catching up to a vulnerability disclosed six months ago. By the time it's remediated, attackers may already be exploiting another one in their systems. Testing strategies need to shift from periodic point-in-time assessments toward continuous assessment so managers aren't always rushing to catch up.
4. Invest in writing skills. Believe it or not, managers need people with good writing skills to maintain effective risk and control documentation. This information must be written clearly and follow a set standard. A control statement should not be left open to interpretation. People who work with controls within the organization should understand what the controls mean, as well as their goals and purpose. If an auditor cannot understand what they are reading, they will want to dig deeper and ultimately stretch audit season.
5. Prepare for the unexpected. Both lines need to think outside of the box when assessing what other risks are out there and where their organization is vulnerable. Risks are infinite; cash to pay fines is not.
Infinitive consultants have extensive experience managing risk and helping our clients do the same. Reach out to start a conversation and let’s talk about how we can help enhance or create your company’s risk management program.