Gordon Hazzard

How to Lay a Firm Foundation for ServiceNow Risk Management Success

The ideal risk management program arms leadership with the information needed to accurately understand risk within the operating environment, strategize upcoming initiatives, and highlight risk reduction progress made over time.


Seems pretty straightforward, yet so often that dream outcome is prevented by unavailable data and incomplete or inconsistent reporting. So where do we go wrong? Do we need to re-evaluate our risk assessment process? What about updating our questionnaires?


Maybe. More often though, the root issue is the lack of a well-defined Risk Methodology to drive these downstream activities and ultimately achieve the reporting outcomes that provide value to the organization.


Whether your focus is information risk, operational risk or enterprise risk, establishing a risk methodology is essential for a successful ServiceNow Risk Management implementation; it will provide a solid foundation upon which the other program elements can be built.


At a minimum, an effective risk methodology has three core components:


#1) A Risk Framework forms the lens through which risk is viewed in your operating environment. Beginning with the end in mind, the risk framework must be structured in a way that enables desired reporting results while also being inclusive of the types of risk the organization is exposed to.


Related ServiceNow Items: Risk Frameworks, Risk Statements.


#2) Codifying Risk Rating Scales and a Risk Matrix will guide the consistent application of risk ratings during assessment activities, ensuring you're comparing apples-to-apples when looking at risk across systems, functions and process areas. Factors at play here include qualifying the criteria for each impact and likelihood rating to define real-world meaning.


Related ServiceNow Items: Risk Criteria, Risk Heat Maps.


#3) Risk Tolerance Thresholds help answer the “so-what” question following the identification of a risk and ultimately drive the reduction of risk across the organization over time. These thresholds can be used to govern risk treatment actions, ensuring that unacceptable risks above organizational tolerances follow prescribed mitigation paths.


Related ServiceNow Items: Issues, Risk Mitigation, Risk Acceptance, Risk Avoidance, Risk Transfer.


In short, risk assessment processes and questionnaires are important, but they won’t be able to produce meaningful reports and data unless they are built upon a deliberate risk methodology.


What are you basing your risk management program on? If you need help setting up a risk methodology in ServiceNow or would like to validate your current approach, please reach out to info@lionwarellc.com and request a free consultation.


Your success is our mission.

