INFOC & CYBER SOC INSTITUTE

Enterprise Risk Management

Over a decade ago, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control – Integrated Framework to help businesses and other entities assess and enhance their internal control systems. That framework has since been incorporated into policy, rule, and regulation, and used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives.

ITGCSI demystifies the Enterprise Risk Management – Integrated Framework, which expands on internal control and provides a more robust and extensive focus on the broader subject of enterprise risk management. The framework is not intended to replace the internal control framework and does not do so; rather, it incorporates the internal control framework within it, so companies may look to the enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process. Among the most critical challenges for management is determining how much risk the entity is prepared to accept, and does accept, as it strives to create value.

Enterprise risk management encompasses:

  • Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
  • Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
  • Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
  • Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
  • Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
  • Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

Get in touch with ITGCSI for more information or any training requirement.

Setting up a winning Information Security Program

Striking the right balance between risk mitigation and the commercial demands of the business is an essential skill, which must be adapted according to the nature of your industry and the size, culture and risk appetite of your organization. This role needs to have clear ownership at senior management level.

Organizations need to take a systematic and proactive approach to risk mitigation if they are to be better prepared to satisfy evolving legal and regulatory requirements, manage the costs of compliance and realize competitive advantage. Achieving and maintaining policy compliance becomes more difficult to sustain as organizations grow, become more geographically dispersed and more highly regulated. But, it doesn't have to be this way.

The Purpose of Policies and Procedures

Policies and procedures establish guidelines for behavior and business processes in accordance with an organization's strategic objectives. While typically developed in response to legal and regulatory requirements, their primary purpose should be to convey accumulated wisdom on how best to get things done in a low-risk, efficient and compliant way.

Policy Pitfalls

Here are some of the most common grounds for policy non-compliance:

  • Poorly worded policies
  • Badly structured policies
  • Out-of-date policies
  • Inadequately communicated policies
  • Unenforced policies
  • Lack of management scrutiny

So, what is the secret for effective policy management?

Six Steps to Policy Excellence

Step One: Create and Review

It is important to understand, when creating policies, that those created purely to satisfy auditors and regulatory bodies are unlikely to improve business performance or bring about policy compliance, as they rarely change employee behavior appropriately. While such documents satisfy legal departments and look impressive to auditors and regulators, busy employees will instantly be turned off by lengthy policy documents full of technical and legal jargon.

External factors that affect policies are evolving all the time. For example, technology advances may lead to information security policies and procedures becoming obsolete. Additionally, changes in the law or industry regulations require operational policies to be frequently adjusted. Some policies, such as those required for Payment Card Industry DSS compliance, have to be re-presented and signed up to on an annual basis.

Typically, most "policy" documents are lengthy, onerous and largely unreadable. Many are written using complex jargon, and most contain extraneous content that would be better classed as procedures, standards, guidelines and forms. Documents must be written using language that is appropriate for the target audience and should spell out the consequences of non-compliance. Inadequate version control can be remedied, and high production costs reduced, by automating the entire process using an electronic system.

Step Two: Distribute

A key step in the policy management lifecycle is to ensure that staff are aware of relevant policies and procedures. Organizations need to effectively distribute policies, both new and updated, in a timely and efficient manner. These need to be consistently enforced across an organization. After all, what is the point of expending considerable effort and cost to write and approve policies, if they are not effectively distributed and read?

Step Three: Achieve Consent

In many cases, regulatory requirements call for evidence of policy acceptance, demanding a more pro-active and thorough approach to the policy management lifecycle.

A process needs to be implemented that monitors users' response to policies. Policy distribution should be prioritized, ensuring that higher risk policies are signed off earlier by users than other lower risk documents. For example, an organization may want to ensure that a user signs up to their Information Governance policy on the first day that they start employment, whilst having up to two weeks to sign up to the Travel & Expense Policy. Systems need to be in place to grant a user two weeks to process a particular document, after which the system should automatically force the user to process it.

Step Four: Understanding

To monitor and measure staff comprehension and effectiveness of policies and associated documentation, organizations should test all, or perhaps a subset of, users. Any areas that show weaknesses can be identified and corrected accordingly. Additional training or guidance may be necessary or, if it's the policy that is causing confusion, it can be reworded or simplified.

Step Five: Auditability

Because regulators call for evidence of policy acceptance, the full revision history of all documents needs to be maintained, together with a record of who has read what, when and, if possible, how long it took, as well as who declined a policy and why. This record should be stored for future reference and may be stored in conjunction with test results.

Step Six: Reporting

To affect change and improve compliance it helps if key performance indicators relating to policy uptake are clearly visible across all levels of an enterprise. Dashboard visibility of policy uptake compliance by geographical or functional business units helps to consolidate information and highlights exceptions.

Being able to quickly drill down for specific details in areas of poor policy compliance dramatically improves management's ability to understand and address underlying issues.

Bringing It All Together

To check the level of policy compliance that exists within your organization you need to periodically answer the following questions:

  • Where are your current policies? Are they accessible to staff?
  • Who has seen your current policies?
  • Who has read your current policies?
  • Do your staff understand them?
  • Are your policies being followed by everyone?
  • Are your policies effectively managed?
  • Are your policies up to date?
  • Can you prove this to the Auditors?

Organizations that are serious about staff reading, understanding and signing up to policies should consider adopting automated policy management software. This raises standards of policy compliance and provides managers with practical tools to improve policy uptake and adherence.
