GRC Tuesdays: Harmonizing Different Risk Management Terminologies
Amy is in charge of Customer Relations at Corporate Inc. and Ian is the CISO. The following is an extract of a short call they had recently.
[Amy] Ian, I wanted to talk to you about the report on cyber security you sent earlier. You list a lot of threats that could lead to loss of customer data and this is quite daunting. What are we doing about it?
[Ian] It’s all there. We’ve started a vulnerability analysis and we’ll be able to launch detailed investigations to patch where necessary.
[Amy] And in layman’s terms that means?
[Ian] That we’re doing a risk analysis to find the root causes so that we can address them efficiently.
Does this remind you of any situation you may have been involved in?
Well, actually this is one of the key issues that I hear companies mentioning: the multiplicity of risk approaches, terminologies, and methodologies across the organization.
Indeed, it seems that each department has its own way of assessing (if not describing) risk and it’s often up to the risk management team to harmonize the definitions and ratings in order to be able to provide a coherent and consistent consolidated view to management.
But this raises two major issues to my mind:
- The same risks may very well be raised and managed separately in different teams. This reduces the efficiency of the risk management process and increases resource consumption.
- It prevents cross-silo collaboration. In our example, the risk “Loss of customer data due to malicious intrusion” resides with the IT department. But in order to be able to fully assess the impact on customers, or legal implications, Amy and her colleagues from Legal should be involved in the assessment. Indeed, the preventative responses might be managed by IT, such as the patches mentioned by Ian, but corrective measures should be prepared by other teams if they want to respond appropriately to any loss of customer data.
So, What Can Be Done?
As you have probably gathered by now, I’m not in favor of a siloed approach that is then harmonized by the risk management department. In my opinion, this means that only reactive solutions are found, and that data being analyzed is not only partial but also biased since it’s just coming from one team.
What I would recommend is to follow the simple steps below to harmonize the process and avoid facing a “Tower-of-Babel syndrome:”
1. Do the Mapping
Different teams describe risks differently? Try to do a mapping table of the terminologies.
I provided a mapping below based on a fictional example of a company that would have three departments assessing risks, but this of course has to be adapted to your own purpose.
2. Agree on Common Labels
Once you have the table above, gather the key stakeholders and then agree on what labels to use across the entire group or opt to select a well-known framework. If this doesn’t work, then the ultimate option is to leverage the terminology used in the current risk reporting to the board.
3. Explain and Train
As with any project that induces change, there will be reluctance. But explain that the benefit of sharing information outweighs these hesitations, and that it can actually help each department avoid pitfalls and even gain help from other areas of the company when creating adequate response strategies. Having your colleagues by your side to help you protect your objectives — isn’t this a great situation to be in?
There are of course many more labels, and even the issue of the risk calculations that could be harmonized, but the intent of this post was not to list them all, but simply to try and provide a best practice to get you started.
Have you ever been confronted with this situation? If so, how did you manage it?
I look forward to reading your thoughts and comments either on this blog or on Twitter (@TFrenehard)!