Defining Risk IQ
October 12, 2009
In this Q&A, Full Disclosure Author Eric Krell asks CA Director of GRC Programs Sumner Blount to define “risk IQ” and to share some of the qualities he has witnessed in risk intelligent organizations.
Eric Krell: You use the term “Risk IQ.” What does the term mean?
Sumner Blount: The lack of visibility into the current state of enterprise risk is probably one of the most common problems in risk management in most companies. For example, risk information is often stored in multiple places across the organization, and as a result, it can become outdated or inconsistent. In addition, risk management processes are often not consistent across various departments within the organization. One group will use different procedures, terminology, and metrics to assess a given risk, for example. And, when this happens, it makes it difficult -- if not impossible -- to communicate effectively about the current organizational risk profile. The result is simply an inability to adequately measure, monitor, and mitigate enterprise risks.
Risk IQ is simply a term we use to indicate the level of visibility and insight that an organization has over its total risk profile. If risk information is not timely and accurate, or if there is no visibility across all areas of risk, then business managers do not have the insight they need in order to make effective risk-based decisions. In addition, when risk processes aren’t consistent (in some general sense) across the organization, it makes it very hard to get a true view of your current risk posture, in order to compare it to your organizational risk appetite.
Eric Krell: Based on what you see in the field, what are some common qualities among organizations with the highest Risk IQ?
Sumner Blount: Risk IQ is essentially a measure of an organization’s risk management maturity. One of the most important aspects of a mature risk approach is the existence of a common risk management framework across the organization. This means that risk processes (identification, assessment, measurement, monitoring, and mitigation) are handled consistently across the organization, using centralized, timely, and accurate risk-related information. For example, risk assessments are done using the same general procedures, and the metrics that one group uses to measure risks are consistent with metrics used in other groups. This obviously doesn’t preclude one group from assessing a given risk differently than another group – after all, that risk may impact one group much more than another. But, at minimum, all groups need to be at least “speaking the same language” when assessing and measuring overall risk.
As an example of a low level of risk maturity, consider if different groups use different terminology to denote essentially the same risk. These groups would never be able to effectively communicate about that risk, nor could upper management accurately gauge their total risk in that area. Or, what if groups use different numerical measures of the severity of a given risk? An accurate understanding of the actual enterprise-wide severity of that risk would be very challenging. Both of these traits are simple examples of the lack of a consistent approach to risk management which results in an inability to accurately gauge the total enterprise risk – hence, a low Risk IQ.
One critical element for a common risk framework is a centralized repository of risk (and compliance) information that is always up-to-date and accurate. This helps to eliminate the infamous “silo problem” that plagues many organizations today, in which risk information is maintained (typically in large spreadsheets) in multiple places across the organization. Centralizing this key information is the first step towards gaining some consistency in how risks are managed throughout the company.
You’re probably wondering where most companies would fall if asked to rate their own Risk IQ. It’s a bit tough to generalize because risk management varies widely by industry and company size, as well as many other factors. Most enterprises that have a dedicated risk management function – someone who owns and is ultimately responsible for overseeing risk management – are probably on the right path to improving their Risk IQ level, but there is always more work to be done.
Eric Krell: What are some of the most common roadblocks organizations encounter when they attempt to raise their Risk IQs?
Sumner Blount: Let’s face it. Any approach that requires significant process changes across any large organization will be a challenge to implement. When separate groups have their own way of doing things (measuring risk, etc.), sometimes there is resistance to change, especially if certain business processes are mandated from outside the organization. So, there are some political challenges that require careful planning and ongoing and continuous communication. Focusing on how the changes will lead to improvements and efficiencies, and more importantly, more insight into potential risks, is a good approach for any risk manager looking to suggest these types of changes.
Another challenge often relates to the centralization of information that previously had been maintained in organizational silos. As I said earlier, many local groups maintain their own risk-related information, and pass it upwards only when requested for periodic risk reviews. But, this leads to risk information that is often neither timely nor accurate at any point in time. By centralizing risk-related information and implementing business process changes that enable any changes in the underlying risk to be quickly reflected (caused, for example, by a failure of an individual control) in the risk repository, you can quickly improve the timeliness and accuracy of that risk information.
Finally, solutions exist that provide not only this centralization of information, but also mappings among this risk information. In other words, when a control fails, it is essential that the underlying risk that this control relates to is updated immediately. Otherwise, your risk information is always at least slightly out of date. Well, this is only possible if all data objects (risks, controls, policies, regulatory requirements, test results, etc.) are cross-referenced so that the impact of a change in one item on all the other items is well understood. Although these “GRC Management” solutions require careful planning and communication, we have seen in our local corporate risk environment that they can have a very significant beneficial impact on overall risk management.
While these roadblocks – particularly information centralization and business process changes – can be significant undertakings, they are essential to improving the overall Risk IQ of an organization.
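The two mechanics Blount describes, a shared vocabulary so that groups using different terms for the same risk roll up to one enterprise record, and a cross-reference map so that a failed control test is reflected in every risk it mitigates as soon as it is recorded, can be sketched as a small repository model. The following is an added example for illustration only; it is not code from the interview, from CA, or from any GRC product. The taxonomy entries, control names, the 1–5 severity scale and the "one step per effective control" residual rule are all constructed assumptions.

```python
"""Toy GRC repository: cross-referenced risks, controls and test results.

Added illustration, not part of the interview or any vendor product. Every
identifier, severity value and mapping below is constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed taxonomy: a group's local label -> canonical enterprise risk id.
# Several groups naming the same risk differently map to one record.
TAXONOMY = {
    "data leak": "R-DATA-EXPOSURE",
    "customer data exposure": "R-DATA-EXPOSURE",
    "pii breach": "R-DATA-EXPOSURE",
    "outage": "R-SERVICE-AVAILABILITY",
    "downtime": "R-SERVICE-AVAILABILITY",
}


def canonical(term: str) -> str:
    """Map a group's local risk label to the shared enterprise identifier.

    An unmapped term is an error rather than a silent new risk: that is the
    'speaking the same language' check, enforced at the point of entry.
    """
    key = term.strip().lower()
    if key not in TAXONOMY:
        raise KeyError(f"unmapped risk term {term!r}; add it to the taxonomy")
    return TAXONOMY[key]


@dataclass
class Control:
    control_id: str
    description: str
    effective: bool = True  # flips to False when a test of the control fails


@dataclass
class Risk:
    risk_id: str
    inherent: int  # constructed 1-5 severity before any controls apply
    controls: list = field(default_factory=list)  # Control objects mitigating it

    def residual(self) -> int:
        """Toy model: each currently effective control lowers severity one step."""
        effective = sum(1 for c in self.controls if c.effective)
        return max(1, self.inherent - effective)


class Repository:
    """Single source of truth for risks, controls and the map between them."""

    def __init__(self):
        self.risks = {}
        self.controls = {}
        self.control_to_risks = {}  # control_id -> set of canonical risk ids

    def add_risk(self, local_term: str, inherent: int) -> Risk:
        rid = canonical(local_term)
        risk = self.risks.setdefault(rid, Risk(rid, inherent))
        # Two groups may rate the same risk differently; keep the higher view.
        risk.inherent = max(risk.inherent, inherent)
        return risk

    def add_control(self, control: Control, mitigates: list) -> None:
        """Register a control and cross-reference it to the risks it mitigates."""
        self.controls[control.control_id] = control
        for term in mitigates:
            risk = self.risks[canonical(term)]  # risk must already be registered
            if control not in risk.controls:
                risk.controls.append(control)
            self.control_to_risks.setdefault(control.control_id, set()).add(risk.risk_id)

    def record_test(self, control_id: str, passed: bool) -> dict:
        """Store a control test result and propagate it through the cross-references.

        Returns every affected risk id with its recomputed residual severity, so
        the risk view is never stale relative to the control evidence.
        """
        self.controls[control_id].effective = passed
        affected = self.control_to_risks.get(control_id, set())
        return {rid: self.risks[rid].residual() for rid in affected}

    def posture(self) -> dict:
        """Current enterprise-wide residual severity per canonical risk."""
        return {rid: r.residual() for rid, r in self.risks.items()}


def build_demo() -> Repository:
    """Constructed scenario: two groups, three controls, one shared data risk."""
    repo = Repository()
    repo.add_risk("Customer data exposure", 5)  # group A's wording
    repo.add_risk("PII breach", 4)              # group B's wording, same risk
    repo.add_risk("downtime", 3)
    repo.add_control(Control("C-ENC", "encryption at rest"), ["data leak"])
    repo.add_control(Control("C-DLP", "outbound DLP monitoring"), ["pii breach"])
    repo.add_control(Control("C-BACKUP", "tested restores"), ["outage"])
    return repo


if __name__ == "__main__":
    repo = build_demo()
    print(repo.posture())                      # both controls effective
    print(repo.record_test("C-DLP", False))    # failed test raises the data risk
```

Because both groups' labels resolve to `R-DATA-EXPOSURE`, the repository holds one record for that risk, rated at the higher of the two inherent scores; a failed test on `C-DLP` immediately raises that single record's residual severity, which is what the centralized, cross-referenced repository is meant to guarantee.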
Consolidating the risk
Consolidating the risk portfolios of different departments can certainly be a challenge, but sadly, it's usually human resistance -- not technology -- that prevents it from happening. People can become so resistant to change that they become unwilling to take on the risk of making a change for the better.