Risk Framework: Five Easy Steps (yes, you can try this at work)

Last post, we went into what a Risk Ontology is, why we need one and what it contains. In this post, we look at Five Easy (some may say not so easy…) steps to get started. Remember that core to GRC is adopting a coordinated, coherent approach to risk management across the organization, built on a common risk ontology. And, at the core of a risk ontology, is a risk framework.  

Quick review: Risk Frameworks provide risk management programs with better:

• Coordination - Provide a basis for coordinating risk across  many activities in the organization

• Consistency - Since all activities across the organization involve risk, a Risk Framework can be consistently applied to an entire organization, at its many functions, projects and activities

• Visibility – While no single definition of risk exists, adoption of consistent concepts within a comprehensive framework can help the organization improve visibility into the true risk profile

• Governance – Risk Frameworks can help the organization establish governance and manage risk more effectively, efficiently and coherently both internally and externally with 3rd parties

• Flexibility – A Risk Framework, probably designed, can support variations of approaches, definition of threats and risk criteria across internal organization functions, partners and customers

• GRC Technology Platform Value – Risk Frameworks are essential for driving value out of GRC technology platforms and enabling tools; they are only as good as the underlying frameworks, processes and procedures that define their use.

What’s in a Risk Framework?
Here is main things you want to get defined in a risk framework - this is a subset of the GRC Ontology; the core or ‘engine’ of risk management.
1)       Risk hierarchy; which includes Class and Type
2)       Mitigating Controls (and procedures)
3)       Risk Scores, and
4)       Metrics.
Risks Scores (inherent and residual) will come as a by-product of assessments and can change.  

What are the key steps to follow in building a Risk Framework?
The diagram below shows five easy :-) steps to follow in building a risk framework. Step 1 is pre-work – you need to get a skeleton defined of risk classes and types, and gather as much as you can from stakeholders. The holes in the hierarchy should become apparent during step 1.  In steps 2-4, work with key stakeholders to further develop the hierarchy, and associate risks with policies and mitigating controls, risk scores and metrics if you can. At the end of the process you should have a reasonably good ‘tree’ and eliminated overlapping or redundant risk and controls. Top tier risks, those with High ratings, will surface to the top of the hierarchy. You can use those to recalibrate metrics to ensure you are focusing on the right things. Active risks in the framework become part of your organization’s risk register.  Most all GRC technology platforms automate this process, and the mappings between essential elements (shameless plug: RSA Archer’s Risk Management solution does this well)

Next post, we’ll show a best practice governance process flow for updating content in a Risk Framework.