Five Actionable Success Tips for Risk Professionals in 2023

Author: Kerris Lee, MBA, PSM, Global Director of Enterprise Risk Management, ISACA
Date Published: 8 December 2022

Editor’s note: The ISACA Now blog is featuring a weeklong series providing tips for success in 2023 for practitioners in various digital trust fields. Today, we look ahead to 2023 for risk professionals.

2023 will force companies to continue navigating new risks to deliver a high-quality experience in a multichannel environment through new strategies and technologies. Organizations will have to do this while combating an inflationary, geopolitically unstable environment that suggests looming market shrinkage. This means that companies will need to creatively try new strategies that meet their goals while simultaneously guarding against excessive capital consumption. There is no question that operationalizing strategy will continue to be an uphill battle with constant market changes, competition and other external factors; however, my core concern is not always the looming risk, since that is an emerging risk (a risk not yet realized). Instead, the question is, “What organizational risks are risk management professionals forgetting, and what can help remind them?”

Here are five actionable tips for risk professionals to consider as we move toward 2023:

1. Tone at the Top
Risk management professionals often get their authority from senior leadership or boards. It is paramount that a “tone at the top” is established by the CEO with the organization about the role of risk management. This is because many organizations are constantly prioritizing competing interests, deadlines and initiatives that matter to the business. Setting a “tone at the top” from your CEO to the organization will help alleviate any confusion or misunderstanding about how business departments should interact and engage with enterprise risk management (ERM).

TIP: Work with senior leadership to incorporate an omni-communication cadence, alongside strategic initiatives, that speaks to risk management’s role with the organization and showcases the importance of risk management exercises within the broader context of the strategic plan.

2. Risk Identification Refresh
A cornerstone of risk management is risk identification. As risk professionals identify new risks and controls through risk and control self-assessments (RCSAs), they should also keep in mind how easily risks and controls get documented more than once. Duplicate risks cause inefficiencies when validating the enterprise’s high risks for remediation, because some risks are the same but are written in different ways.

TIP: Identify a reconciliation process and conduct refreshes to identify unique risks within your organization. This will also help with reporting to governance boards and help the risk professional understand when to revisit risks with subject matter experts (SMEs) for further clarification. This process should be leveraged for your control environment, as well, and it will help reduce efforts in validating controls.

3. Policy Validation and Review
Some organizations struggle to keep relevant policies in place that govern operations and protect the organization from certain risks. Others suffer from not having the appropriate policies in place at all. In either case, this is an area of interest for external regulators and auditors. As a result, your organization can be hindered and/or fined by regulators. This can be prevented with a little more emphasis on operational detail.

TIP: Define a process in which risk management reviews policies to ensure they govern the organization’s risk taxonomy, and surfaces them to committee governance structures for ratification. Risk management should communicate to the organization whether each policy has been ratified, rejected or needs amendments. Risk management should also oversee a common repository for hosting the organization’s policies.

4. Revisit Incident Response Processes and Business Continuity Planning
Organizations live in a digital world and have a lot of access to their customers; similarly, bad actors have a lot of access to organizations. It is not enough to prepare only for what can go wrong. Risk managers must also evaluate the correct response when something does go wrong. Many organizations treat business continuity planning (BCP) and incident response planning as a static endeavor that, once developed, is only consulted to “break glass in case of fire.” This approach can lead to insufficient responses, which create more issues than solutions and open organizations to lawsuits, fines, and financial and reputational loss.

TIP: Frequently revisit incident response plans and BCP with other stakeholders, accounting for changes in organizational structure, hierarchy and need. Some of your revisits and inquiries could be grounded in questions you want to answer (e.g., Do we have the right people in place to help us solve our worst-case scenario? Do we have insurance that covers us? If a decision maker is out that day, who has the authority to initiate the incident response or BCP? Is this well known, or known only by some in the organization? Will our current plan keep up with our organization’s growth, and when should we revisit or augment it?).

5. Review Procurement and Contract Processes
Many organizations leverage third-party vendors’ services to help manage their day-to-day operations and strategic initiatives. However, procurement processes, depending on their maturity, can create unexpected financial and operational risk because of hidden clauses governing contract renewal amounts. In some cases, business users develop relationships with vendors over time, and business department heads renew the contract themselves, circumventing procurement and the contract review process. The result can be that the organization’s bottom line becomes stressed in aggregate because of this behavior.

TIP: Work with the legal and procurement departments to remediate potential risks when conducting renewals. Policy should require a request for proposals at vendor renewal time, so that you can compare against other vendors for the best cost and strengthen your negotiating position.

While there are many areas for risk management professionals to focus on in our day-to-day operations, these are, in my experience, the ones that are often overlooked and that can hurt the organization over time. Assuming you are already doing the big things well, it is often the little things that make a big difference.

About the author: Kerris Lee, MBA, PSM (email: klee@ISACA.org), is currently a Global Director of Enterprise Risk Management at ISACA. He is an accomplished Enterprise Risk Officer and Technology Risk Management thought leader. He has successfully led several transformative and highly visible analytics and risk projects at multinational and midsize financial institutions. He is a frequent speaker on topics related to digital transformation and innovation in Risk, IT and Finance. He previously consulted for and worked at the biggest bank in the world, the Industrial and Commercial Bank of China; one of the Big 4 consulting companies; Midland States Bank, among the top 5% of regional banks in the nation; and several start-ups pioneering technology and data management consulting services. Kerris Lee holds an Executive MBA in Digital Transformation Management and Business Strategy from the Gies College of Business at the University of Illinois Urbana-Champaign, a certification in Agile project management from Northwestern University and a certification in Viral Marketing from the Wharton School of the University of Pennsylvania.