How Risk Transformation Enables Enterprise Success

Author: ISACA Now
Date Published: 21 October 2022

Editor’s note: ISACA recently welcomed risk transformer Luma Badran for an Ask Me Anything (AMA) session on Engage 10-14 October. Badran is Manulife's Global Head of Technology Risk Management and the Chief Information Risk Officer of the Global Wealth and Asset management business. With over 25 years of success in advising and delivering on C-level and mission-critical initiatives within the financial services industry, her experience focuses on non-financial risk, data governance and management, regulatory compliance and global change management expertise. The AMA session led to a fascinating community discussion of topics including risk transformation, best practices for the three lines of defense, internal audit, operational risk management and cybersecurity insurance. See highlights from the thread below; for additional insights and conversations, the complete thread can be found here. To participate in the next AMA session, “I’m on the Digital Trust Ecosystem Framework Team: Ask Me Anything!” with Mark Thomas, join the conversation on Engage 7-11 November 2022.

Luma Badran is an advocate for “risk transformation,” despite “risk transformer” not being an official title in the field. She believes that risk professionals’ success is measured by simultaneously building a risk-aware, proactive culture and enabling business strategy and goals. This risk transformer mindset is crucial to deliver on the desired impact, she writes. Focus, curiosity, resiliency and building high-performing teams are key factors for success.

There are many operational factors responsible for enabling success. When asked if the three lines of defense operational model that risk professionals are commonly familiar with is still best practice, Badran said that she is a believer in it while also recognizing that it must evolve and improve. The concerns lie with how risk professionals implement and apply the model, and each line of defense must focus on achieving its own value proposition.

The conversation on organizational structure prompted a discussion of where risk and internal audit should fit. Should risk sit under internal audit or should it be its own department? According to Badran, risk and internal audit should be separate because they serve different purposes for the organization. In her experience, mixing the responsibilities for the three lines of defense does not result in better risk management. Audit should be its own independent entity.

Badran also believes it is good practice to separate information and cyber risk from operational risk. Having a robust interaction model and a dedicated CIRO is becoming increasingly essential, as cyberrisks often appear on board agendas. The critical success factors in organizing these risk departments are possessing the skills and expertise to identify, assess and manage the risks, and creating a clear, documented interaction model to govern interactions, monitoring and reporting.

Continuing the conversation around organizational structure and strategy, Badran emphasizes that insurance does not replace effective controls implementation but augments the organizational strategy. When asked how a business case can be built to purchase insurance, she says the organization needs to assess its cyberrisk maturity and understand the relative industry context. Insurance premiums and coverage, together with the current control effectiveness posture and the cost and time needed to improve it, are the critical factors for the cost-benefit analysis.

Badran concluded by writing that we are trying to view risk management as a science, “but in reality, it is an art ... each situation needs to be assessed within its context, and we need to build the tools and risk-based activities to inform these decisions.”