A couple of years ago, I asked Sumner Blount, a director in the security business unit at software firm CA, what he meant when he used the term "Risk IQ."
The notion of risk intelligence remains relevant in 2012 because of a widespread sense among risk managers and GRC experts that there has to be a better, smarter way of managing governance, risk management and compliance at a time when the operational pressure to do more with less is extraordinarily high.
Risk IQ, Blount explained, is "essentially a measure of an organization’s risk management maturity. One of the most important aspects of a mature risk approach is the existence of a common risk management framework across the organization. This means that risk processes (identification, assessment, measurement, monitoring and mitigation) are handled consistently across the organization, using centralized, timely and accurate risk-related information." (Blount expands on this point in this interview.)
This suggests that a framework, such as those that the Open Compliance and Ethics Group (OCEG) has developed, should be in place.
However, even if an organization has not implemented a formal risk-management and/or GRC framework, that does not mean it cannot be smarter about managing risk more efficiently.
A short paper ("Lean GRC Overview") co-authored by Blount and OCEG’s principals presents three core "LeanGRC" (a term OCEG has trademarked) principles; these include:
- Eliminate waste
- Focus on individuals who add value; and
- Use pull demand to drive value.
As you can see, the paper takes specific lean principles and applies them to GRC. For example, one of lean manufacturing’s core approaches is pull-demand fulfillment: rather than "pushing" demand by manufacturing a product and then storing it in inventory (which raises carrying costs), pull demand calls for products to be manufactured only when demand exists.
How much risk and compliance information are you creating relative to the demand for it? If the answer is more, that does not mean you should necessarily halt production of risk information; however, it does mean that there is a gap that should be addressed. Either consumers of this information need to be educated on its value, or the information itself needs to be pruned or improved.
It sounds simple enough, and maybe it should be. After all, effective risk management is not rocket science. Yet it frequently falls prey to reactive tendencies and check-the-box (compliance) mindsets, complications that make risk management more complex, and less efficient, than it needs to be. The mindset of "We do this because we have to" ought to be replaced by an attitude of "We do this because we gain value from it." By focusing risk management and/or GRC efforts on value, practitioners can more easily increase that value through greater efficiency.