Enterprise Risk Visibility Empowers Better Decision-Making

Article Written by Adam Billings, Lockpath

When it comes to security, risk managers and C-level officers often face the same challenge: gaining a full picture of their organization's risk posture. 

For risk managers, communicating risk to the highest levels of an organization is a demanding and increasingly pivotal responsibility in businesses that rely on information technology (in other words, almost every business). In a world where business and infrastructure run on digital technology, protecting those assets is quickly becoming Priority Number One, and C-level officers are being held accountable when breaches occur.

This challenge is compounded when risk managers and C-level executives do not have a full understanding of what each department or business unit is doing in terms of risk management. This includes the risks they are exposed to, how they are being treated, and how they potentially impact the organization's goals and objectives. While the lack of visibility into the full risk landscape is a problem that poses additional risk, it is also an opportunity to improve and position the organization for future success.

The Challenge with Risk Visibility

Visibility is a huge issue in most organizations. The issue lies in how hard it is to "see" everything in a complex, technology-powered organization. Multiply the difficulty if you are a large multinational corporation with a sizable technology footprint. As a C-level executive, the board expects you to be its eyes and ears. If you don't have an inclusive inventory of technology assets (data, hardware, software, and devices), then you only have a partial risk picture.

Due to overlapping departmental processes, risk management is often inefficient, ineffective, or both. Processes in one department often don't align with those of others, which undermines the overall enterprise risk management narrative. For example, individual departments may grant risk exceptions that violate policies or standards, leaving the company unknowingly out of compliance. These unknown risks, often the result of poor communication or visibility between departments, can lead to incidents and breaches that damage the company's financials and reputation, which C-level officers are charged with protecting. Oftentimes risk managers can't communicate the severity of risks to executives, leaving the company at a disadvantage.

In the larger view of an organization, most departments dedicate resources to some form of risk management. This could be a dedicated job function or an added responsibility for a senior-level manager. In addition, departments have their own sets of data and processes for managing that information. The challenge comes when they don't communicate with each other about the risks they're facing. This matters because risks in one area often impact others; the lack of communication between departments leaves the affected parties unaware of those risks altogether.

In a large organization, it is common for departments to use different sets of software, applications, devices, and so on. These solutions, which are often insecure, can pose risks to the organization and leave the company vulnerable to an attack or breach. As a company's risk management program matures, roles or functions are introduced to govern enterprise-wide risk issues. However, those issues become that much more complex when the various departments all manage and store their risk data in different locations.

To solve these challenges, many organizations are focusing on developing sophisticated governance, risk management and compliance (GRC) programs that combine data across the enterprise. Risk is present in all areas of an organization, from internal asset protection and monitoring to third-party management. GRC solutions allow departments to maintain ownership and uniqueness across their processes, while also introducing a means for connecting their data to other areas in the business. This leads to cohesion and communication, resulting in an integrated and holistic view of risk.

Making Visibility a Priority

It is clear that implementing a process by which each department creates visibility is key. Organizations need to move away from traditional data silos and use a centralized technology to streamline risk management processes. This is commonly known as digital transformation: transforming the way you do business and adding efficiencies to existing processes through the digitization of information.

Using an integrated risk management solution to centralize and interconnect information will allow for a cleaner, more comprehensive, single set of risk data across the enterprise. This will provide better visibility into risk for all departments, while also revealing how such risks impact other areas within the business.

With the data interconnected, risk managers and C-level executives can see interdependencies. This allows them to plan ahead and understand the potential impact before making key decisions. Real-time reporting gives organizations visibility into what is at risk at a particular point in time. Risk managers have a single view of all risks to the company and can better prioritize remediation efforts based on severity and impact to the business.

Visibility into the interdependencies of departmental risks provides an understanding of their impact on the overall business. This empowers the organization to make better risk-based decisions that support business goals and objectives.


About the Author

Adam Billings is a Principal Consultant with 6 years of experience in process improvement and technical implementations. This includes direct GRC experience: leading onsite demonstrations and documenting extensive client processes across a variety of industries; managing clients through engagement lifecycles and strategizing for future process improvements; and facilitating options for integrating business processes into a GRC solution. He has a strong understanding of audit and SOX compliance activities, as well as other general business experience including monthly financial statement preparation, cost accounting, and database management.

Published Thursday, March 22, 2018 7:31 AM by David Marshall