How to build your risk management program from the ground up

When you build your risk management program from the ground up, you will actually be building it from the top down. That is because you start with the person responsible for managing risk for the organization. In a startup that may be one of the founders or an executive. Later that role may move to the CIO/CISO or Risk Manager, or to the Board.

So how do you go about launching your risk management program? What are the key components and how do you actually manage risk?

Key Components

There are three basic components to risk management: measuring, managing, and communicating risk.

Measuring Risk

How you measure risk, and how you integrate that function into your organization is the single biggest cost factor in implementing a risk management program.

There are three ways to measure risk: qualitative methods, semi-quantitative methods, and probabilistic models. Qualitative methods are good and boil down to subject matter expert opinion. Semi-quantitative methods are better and involve assigning numerical values, which help differentiate between similar risks. Probabilistic models are best because they are predictive and allow you to forecast risks.

Once you have decided how you will measure risk, you next need to decide who will do the analysis. The analysis is at the core of your risk management program. Qualitative methods do not necessarily require a dedicated analytical resource, as the opinion is easily provided by the subject matter expert. Semi-quantitative methods and probabilistic models are generally used by an analyst. This person is experienced in data preparation and basic analytical activities. The analyst receives data and performs the analysis but is usually not a subject matter expert.

You can begin with qualitative methods and later shift to semi-quantitative or probabilistic models when you seek to add rigor to the analysis. If you are reporting risk to external stakeholders, probabilistic models are best.

Managing Risk

Each organization is unique, with different objectives, but in general risks can be grouped into a few common categories. Categorizing risks is one of the first steps to managing risk. How you categorize risks drives how you view risk across the organization.

Aligning risks to organizational objectives is a critical and often overlooked step. There can be conflicting interests and wasted effort when the risks being managed are not aligned with organizational objectives. When this happens, risk management is fragmented and less effective. One way to address this is with policy and procedures. A policy can align risk management efforts across the organization with its objectives, while a procedure defines roles and responsibilities for reporting risk to senior leadership.

Along with analysis, policy and procedures, there is a key tool for managing risk: the risk register. A simple register is little more than a list. More advanced registers can aggregate risk based on how risk is categorized or based on internal controls.
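As an added illustration (not code from the original post), here is a minimal semi-quantitative risk register in Python: each risk is scored on assumed 1-5 likelihood and impact scales, the register aggregates scores by category and by internal control, and it flags risks that are not aligned to an objective. The entries in `build_sample_register` are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
# Assumed semi-quantitative 1-5 scales; score = likelihood x impact (1-25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    category: str          # how the organization groups its risks
    objective: str         # organizational objective the risk is aligned to, "" if none
    likelihood: str
    impact: str
    controls: tuple = ()   # internal controls that treat this risk
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
class RiskRegister:
    def __init__(self): self.risks = {}
    def add(self, risk: Risk) -> None:
        # reject duplicates and values outside the standard vocabulary so scores stay comparable
        if risk.rid in self.risks:
            raise ValueError(f"duplicate risk id {risk.rid}")
        if risk.likelihood not in LIKELIHOOD or risk.impact not in IMPACT:
            raise ValueError(f"{risk.rid}: likelihood/impact outside the standard scale")
        self.risks[risk.rid] = risk
    def by_category(self) -> dict:
        totals = defaultdict(int)
        for r in self.risks.values():
            totals[r.category] += r.score()
        return dict(totals)
    def by_control(self) -> dict:
        # a control shared by several risks accumulates all their scores: the exposure riding on it
        totals = defaultdict(int)
        for r in self.risks.values():
            for c in r.controls:
                totals[c] += r.score()
        return dict(totals)
    def top(self, n: int) -> list:
        return sorted(self.risks.values(), key=lambda r: r.score(), reverse=True)[:n]
    def unaligned(self) -> list:  # risks with no objective: the fragmentation the post warns about
        return [r.rid for r in self.risks.values() if not r.objective]
def build_sample_register() -> RiskRegister:
    reg = RiskRegister()  # constructed sample entries, not data from any real organization
    for row in [
        ("R1", "Phishing leads to credential theft", "Cyber", "Protect customer data", "likely", "major", ("MFA", "Awareness training")),
        ("R2", "Ransomware on file servers", "Cyber", "Maintain availability", "possible", "severe", ("Offline backups", "MFA")),
        ("R3", "Key vendor outage", "Third party", "Maintain availability", "possible", "moderate", ("Vendor SLA review",)),
        ("R4", "Unpatched internet-facing server", "Cyber", "", "unlikely", "major", ("Patch management",))]:
        reg.add(Risk(*row))
    return reg
```

The per-control totals show which single control carries the most exposure, which is the view an advanced register gives beyond a plain list.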

Communicating Risk

Communication should flow both down through the organization and up to leadership. These flows represent the analysis going up and policy flowing down.

When communicating risk you want a standard vocabulary and standard values. This is closely tied to how you measure risk. Qualitative methods are descriptive, semi-quantitative methods are numeric, and probabilistic models produce charts. The method of measurement leads to the means of communication: written descriptions, numerical values, and predictive charts.

Ready to start building your risk management program? Contact Charlene@FISMACS.com or schedule a free no-cost no-sales consultation here.
