Business intelligence 101

Every organization should focus on these four risk management questions

An organization that manages its risk can retain most of the upside while mitigating the downside.

When we think about business, we often think of the benefits. It’s Elon Musk striving toward Mars. It’s Amazon decimating the old retail landscape. It’s the local manufacturer with a game-changing process. With no risk there can be no benefit. Although organizations accept the risk and reap the benefits that come with it, there is a way to help improve decisions through risk management. Organizations still earn the benefits while addressing the risk presented by opportunity.

GRC: A framework for improvement

To improve risk management, we like to use a framework called Governance, Risk and Compliance (GRC). GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.

Put more simply, GRC takes a broad view of risk so that the organization can perform to its full capability. It results in a strategy aligned with the mission and values of the organization, objectives tied to that strategy, and actions and controls that allow the organization to act with integrity while addressing uncertainty.

We have found it is easier to explain GRC in four questions. These questions are based on the COBIT framework and come from John Thorp, an internationally recognized management consultant. They go beyond the typical IT risk assessment and look at the entire organization to ensure all business risk is managed well.

Are we doing the right things?

This is the governance, or strategic, question. Answering it requires assessing the following:

  • What is your current activity?
  • What new activity or project is being considered?
  • What business outcomes are affected by the new activity or project?
  • How would the new activity contribute to the organization, factoring in current activity?

Once this assessment is complete, you can determine whether the current activity and any proposed new activity align with the mission and values of the organization. Dive deeper into any activity that does not serve the core purpose of the firm (its mission and values), and determine whether that activity should be discontinued or modified. If your current activity and any new activity align with the mission and values, you can move on to the next question.

Are we doing them the right way?

This is the execution, or architecture, question. Before answering it, consider the following factors:

  • whether current activities are being executed well
  • what processes the proposed future activity will include
  • whether the proposed activity will fit with either current or future capabilities

This assessment can reveal cases where the strategy is right but the execution is poor. Activities with ill-defined processes will fail the first of these factors: such processes produce inconsistent outcomes, negative employee feedback about the work and other similar warning signs. Planning new activity by first determining the right way to do it will save time and money. There’s a difference between the bleeding edge and the leading edge, and we encourage our clients to strive for the latter: it allows them to identify the right process and then scale that process.

By reviewing your organization’s execution, you can have more confidence in your actions and put better controls in place to ensure integrity in those actions. Activity with well-defined processes and safeguards in place can continue to the next question.

Are we getting them done well?

This is the delivery question. Answering it requires determining:

  • the plan for doing the right work in the right way
  • the resources and funds needed to carry out the plan

We find that clients fail to adequately address this stage of the process. There might be a budget and a general idea of how to implement or improve the process, but rarely do we see clients develop a robust plan. They fail to put appropriate continuity plans in place, and they forget to create alternative courses of action so they can respond to market changes in a timely fashion. Addressing these gaps would help ensure the work can deliver the value proposed.

Sometimes we see objectives that aren’t aligned with the strategy. Lost in the day-to-day firefighting, the wrong behaviors become incentivized. Teams become silos and there is no longer an organization-wide push to succeed. Bottlenecks appear in processes that once worked well. These all lead to uncertainty, inefficiency and a decline in the benefits earned from the risk taken.

By determining the resources needed and the processes required, the organization can create objectives that will deliver value in line with the mission and values. Once an activity is being executed well, you can move on to the next question.

Are we getting the benefits?

This is the value question. Answering it requires determining:

  • how to deliver the benefits
  • the value of the activity within the context of the organization

We find that clients struggle to make a cohesive business case for how they will deliver value to stakeholders when undertaking a new activity. When considering the performance of current or new activity, test whether its benefits roll up into the mission and values of the organization. All too often, we see organizations struggle when their activities begin straying beyond those core principles and the value from the activity is not delivered to key stakeholders. If you have put the right strategy, process and objectives in place, it should be clear where and how the value is delivered.

In summary

We posed four critical questions to get you thinking differently about your organization. Start by addressing whether your strategy aligns with your mission and values. Then address how you will execute that strategy. Identify how you will know whether you are executing it well. Finally, assess whether the value from the activity is being realized as actual benefits for key stakeholders. By following this process, you can start to reliably achieve your objectives, manage your risk better, and address uncertainty while acting with integrity.

Questions about your situation or how to get started with GRC? Contact Brian Johnson using the information below.

Brian Johnson

Senior Vice President
Technology Services

Brian joined AGH in 1992. He leads the firm’s technology services practice where he helps clients achieve measurable performance improvements through the delivery of specialized, competency-based information systems management, assurance, and advisory services. He has extensive experience in information security, network engineering, and solution development, with recognized specializations in governance, risk, control, and related consulting services.

Brian is a member of ISACA (previously known as the Information Systems Audit and Control Association), the Kansas Society of Certified Public Accountants (KSCPA), the American Institute of Certified Public Accountants (AICPA), the AICPA’s Information Management and Technology Assurance (IMTA) Section, and the Association for Supply Chain Management (ASCM). He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), Certified Data Privacy Solutions Engineer (CDPSE), and Certified in Production and Inventory Management (CPIM).

Brian is also a Certified Public Accountant (CPA) and a graduate of Wichita State University, where he earned Master of Accountancy and Bachelor of Business Administration degrees.
