Risk Management Implementation – Best Practice Guide

Enterprise-wide risk management plays a key role in an integrated GRC , system as the specifications of risk managers also define the basis for the other GRC functions, such as corporate security management or compliance management.

Essentially, risk management ensures the handling of internal and external risks of all kinds. In addition, it is also important for raising awareness of existing risks across all departments, because risk management can only achieve its full effect in close collaboration with operating units, and along the 2nd line.

Based on the Three Lines model, explored in detail in our recent blog post, the tasks of risk management can be divided into the following 3 areas:

• Governance
• Strategy
• Operational implementation by the department

Division of tasks and competencies within a risk management system

Let’s take a closer look at the individual areas of risk management.

One of the tasks of risk management system’s governance area is to define the goal and purpose of risk management overall. This includes, among other things, defining the focus and selecting the risk categories and corresponding business processes.

The definition of the scope is ideally based on a process map. In this context, we can identify the processes that should be subjected to a risk analysis as a matter of priority.

Other tasks include compliance with standards and laws, as well as defining the interfaces between risk management and other GRC functions in terms of integrated GRC, covered in our webinar here.

The tasks of strategic risk management include…

• strategic planning,
• the provision of necessary organizational and technical resources,
• ongoing support for the departments (e.g. through training, provision of documents or coaching),
• the ongoing monitoring of implementation,
• evaluation and improvement,
• regular reporting and ad-hoc analysis.

Strategic planning encompasses all technical and organizational specifications with which the implementation in the company takes place. This includes the structuring of the risk landscape by means of risk groups, as well as the definition of an assessment method, and the risk tolerance limits.

Structuring of a risk portfolio with risk groups

In terms of the integrated and process-oriented approach, the definition of the process map, see more on this topic in our free process landscapes webinar, as the primary basis for risk analysis is an important part of the strategic planning. The 4-eyes principle supports quality assurance in the risk management process. Software tools, such as ADOGRC, can support this assessment workflow with email notifications and revision-compliant historization and versioning.

Monitoring the risk management is an essential task of the 2nd Line. The focus here is on risk assessment, risk development and quality assurance of the data inventory. The current status of the risk portfolio can be clearly visualized in the form of a Gantt chart.

Monitoring of risk assessments using a Gantt chart

Internal audits (discover more in our free audits webinar) are used to determine the degree of requirements implementation in the departments. Management reviews ensure the appropriateness and effectiveness of the system, measured against the organizational requirements for risk management. Actions for improvement can arise from both topics. Their implementation or progress can be tracked with the help of a workflow and clearly presented as a Gantt chart.

Regular reporting as well as ad-hoc requested evaluations of the company’s risk situation are carried out with the help of graphical analyses (e.g. risk matrix with error frequency and impact) or a risk-control matrix. This can be used to show the integration of the various elements of the process landscape (process map), risk management and ICS.

Risk control matrix with information about processes, risks and controls

The operational units –⁠ the specialist departments –⁠ have the task of implementing the specifications of strategic risk management within the department, or division. In terms of process orientation, the process owner also assumes the role of the risk owner. His or her task is to analyse the risks of the operational processes and evaluate them on an ongoing basis as specified in the workflow. The processes in the process map, to which the (operational) risks are assigned, serve as the basis for this.

Risk analysis based on a process map

For an individual risk, all the necessary information that the risk manager needs to regularly assess can be displayed in the dashboard form. This includes the risk development, the connection to processes (and other assets) and controls, as well as frequently used functions for the quick and easy creation of analyses and reports.

Thanks to the uniform and structured framework of risk management, the tasks along the 3rd lines can be clearly defined.  By using the process map as a basis, the risks acquire the necessary operational reference on one hand –⁠ with relevance for the internal control system –⁠ and on the other hand, the responsibility for the risks is clearly assigned to the process owner.

Want to learn about setting up a process-oriented risk management system in more detail? Check out our free webinar!