Risk is no longer seen as the domain of your finance area, IT department or even your health and safety people; risk is much more. Governance, risk and compliance (GRC) may be the pillars of building a resilient organisation, however there remains a key factor in all of these areas that requires further thought: your people.
Your people are uniquely placed to be expert risk managers, as they know their patch.
How are you supposed to know that the Cisco firewall currently protecting your servers with patch 2.453B means that your data is now exposed to the World Wide Web, causing a potential privacy breach? Or that the chemical ethyl acetate stored in building 176 room 2B will cause harm to your staff as a result of exposure to hazardous substances, breaching regulation 5.15 – 5.18 of the OHS Regulations 1995? Or the fact that your customer services team has been down two support personnel for the last couple of weeks due to illness, and customer response times have increased to a critical point where they are now breaching SLAs, potentially resulting in financial penalties? The answer is, you can’t, because you don’t know each business area’s business. You may be a highly qualified risk manager who knows the ins and outs of ISO 31000 and can risk assess pretty much anything blindfolded, but how can you apply these expert skills to the risks of business areas you have no knowledge of? The point is, you shouldn’t have to. You should help facilitate this process and actively spread the gospel of enterprise risk management throughout your organisation; however, your people are the ones best placed to manage their own risks, and it’s about time they got to know their own risks, intimately.
However, how can you get your business managers to adequately assess a risk when typically they have no knowledge of risk management and ISO 31000? Here lies the conundrum. You know risk management, but you don’t know each business area’s risks. Your business managers know their business area’s risks, but typically don’t know risk management. Hmmm, an interesting dilemma, and a recursive one. Also, risk is profoundly subjective and requires people to make value judgements based on their own knowledge and life experiences. People will perceive risk differently. It has been clearly demonstrated in research through many studies that risk is subjective. You need to be aware that not everyone will see risk the same way, and they may not agree with your assessment of risk; after all, who is right and who is wrong? As a result, the risk data between departments will be skewed and you will not achieve the holy grail of risk management – enterprise risk intelligence.
There are two possible solutions to this conundrum. Either you become an expert in every business area, every business function and process for your entire organisation... Exactly, a daunting task and likely an unachievable prospect. Or your business managers, who are experts in their respective business areas, gain the necessary risk management skills to assess risk methodically, accurately and free from ambiguity, just like you. In a way, your business managers will need to instantly gain the necessary risk management skills by stealth.
The solution to this dilemma is the marriage of human knowledge (business risk) entered into technology advanced enough to facilitate the risk assessment process (ISO 31000) simply, intuitively and accurately, thus providing the business manager with the necessary risk management skills instantaneously. We call this Enterprise Risk Intelligence Software (ERIS). As companies move from GRC systems to ERIS systems and put their people front and centre of their risk management strategies and initiatives, only then will organisations truly gain the many benefits of enterprise risk intelligence.
RiskWare has been at the forefront of the Enterprise Risk Intelligence Software paradigm, has led it, and now has over a million users managing their own risks.
Contact us today and get to know your risks on a first name basis.