Enterprise-wide risk management plays a key role in an integrated GRC system, as the specifications of risk managers also define the basis for the other GRC functions, such as corporate security management or compliance management.

Essentially, risk management ensures the handling of internal and external risks of all kinds. In addition, it is also important for raising awareness of existing risks across all departments, because risk management can only achieve its full effect in close collaboration with operating units, and along the 2nd line.

The Tasks of Risk Management

Based on the Three Lines model, the tasks of risk management can be divided into the following 3 areas:

  • Governance
  • Strategy
  • Operational implementation by the department

Figure 1: Subdivision of tasks and competencies within a management system

Let’s take a closer look at the individual areas of risk management.

The Governance Area of The Risk Management System

One of the tasks of the risk management system’s governance area is to define the overall goal and purpose of risk management. This includes, among other things, defining the focus and selecting the risk categories and the corresponding business processes.

The definition of the scope is ideally based on a process map. In this context, we can identify the processes that should be subjected to a risk analysis as a matter of priority.

Other tasks include compliance with standards and laws, as well as defining the interfaces between risk management and other GRC functions in terms of integrated GRC.

Strategic Risk Management

The tasks of strategic risk management include…

  • strategic planning,
  • the provision of necessary organizational and technical resources,
  • ongoing support for the departments (e.g. through training, provision of documents or coaching),
  • the ongoing monitoring of implementation,
  • evaluation and improvement,
  • regular reporting and ad-hoc analysis.

Strategic planning

Strategic planning encompasses all technical and organizational specifications with which the implementation in the company takes place. This includes the structuring of the risk landscape by means of risk groups, as well as the definition of an assessment method, and the risk tolerance limits.

Figure 2: Structuring of the risk portfolio with risk groups

In terms of the integrated and process-oriented approach, defining the process map as the primary basis for risk analysis is an important part of strategic planning. The 4-eyes principle supports quality assurance in the risk management process. Software can support this assessment workflow with email notifications and with audit-proof history and versioning of assessments.

Monitoring the implementation by the specialist units

Monitoring risk management is an essential task of the 2nd Line. The focus here is on risk assessment, risk development and quality assurance of the data inventory. The current status of the risk portfolio can be clearly visualized in the form of a Gantt chart.

Figure 3: Monitoring the risk assessments by using a Gantt chart

Evaluation and improvement

Internal audits are used to determine the degree to which the requirements have been implemented in the departments. Management reviews ensure the appropriateness and effectiveness of the system, measured against the organizational requirements for risk management. Actions for improvement can arise from both activities. Their implementation and progress can be tracked with the help of a workflow and clearly presented as a Gantt chart.

Reporting and analysis

Regular reporting, as well as ad-hoc evaluations of the company’s risk situation, is carried out with the help of graphical analyses (e.g. a risk matrix with error frequency and impact) or a risk-control matrix. The latter can be used to show how the various elements of the process landscape (process map), risk management and the internal control system (ICS) are integrated.

Figure 4: Risk control matrix with information about processes, risks and controls

Operational Implementation By The Departments

The operational units, i.e. the specialist departments, have the task of implementing the specifications of strategic risk management within their department or division. In terms of process orientation, the process owner also assumes the role of the risk owner. His or her task is to analyse the risks of the operational processes and to evaluate them on an ongoing basis as specified in the workflow. The processes in the process map, to which the (operational) risks are assigned, serve as the basis for this.

Figure 5: Risk analysis based on the process map

For an individual risk, all the information the risk manager needs for the regular assessment can be displayed in a dashboard. This includes the risk development, the connection to processes (and other assets) and controls, as well as frequently used functions for the quick and easy creation of analyses and reports.

Unleash The Full Impact of Your Risk Management

Thanks to the uniform and structured framework of risk management, the tasks along the three lines can be clearly defined. By using the process map as a basis, the risks acquire the necessary operational reference on the one hand, with relevance for the internal control system, and on the other hand the responsibility for the risks is clearly assigned to the process owner.

Want to learn about setting up a process-oriented risk management system in more detail? Check out our free webinar!

Learn more about how our tool can support you:

ADOGRC
Governance, Risk & Compliance