Many professionals outside of compliance teams are not fluent in the language of risk. That may be hurting the impact of your risk assessment – or even the greater well-being of your business.
GRC professionals believe risk and compliance should be an executive priority as they can drive revenue and inform business decision-making. But they can lose their payoff if other teams are unfamiliar with “risk speak” and the necessary tools and processes are not enacted to help translate those insights into actions.
Making risk a revenue driver comes down to adopting a quantitative approach to risk while putting the right management solutions in place. When this happens, it’s easier to translate risk and generate better, more informed decisions throughout the entire business. This is done by creating a common taxonomy, giving risk and compliance leaders a seat at the “mission-critical table” and thinking creatively about leveraging common control frameworks.
A Common Taxonomy Helps Drive Collaboration and Efficiency
A well-defined taxonomy structure is a useful tool for translating risk language between teams and departments. In order for the entire business to look at risk as a business driver, the identification and naming structure needs to be customized for a specific organization. When an organization has a taxonomy as a functional reference, it allows for easier aggregated reporting and decision-making across the business.
This will help team members avoid using the “weasel words” that all risk professionals like to use; these are phrases that leave room for ambiguity. Businesses need to leverage quantitative insights, data and reporting in order for a common taxonomy to be turned into revenue generation. Risk discussions should never include words and phrases like “decent,” “could happen,” “maybe” or “it’s a possibility.” Be exact and quantitative with reporting, because nobody really knows what someone means when they say those weasel words. For example, what does it mean if someone says, “there’s a fair chance of a data breach?” It can mean something different to everyone.
Additionally, if a common cross-department vocabulary isn’t already in place, technology adoption will be extremely low. In most cases, the tool will become shelfware. A GRC solution is a force multiplier for businesses, especially one that incorporates automation capabilities. If unpolished processes are multiplied before an updated taxonomy is put in place, it will only slow down GRC professionals and confuse the entire organization, including the board and C-suite executives.
A Seat for GRC Leaders at the “Mission-Critical Table”
GRC leaders need a seat at the table with the other mission-critical business stakeholders, like the CFO and the CEO. Risk professionals, because of their underlying knowledge of risk processes and language, truly understand business drivers of risk. This goes beyond just knowing the technical controls and necessary data pieces and functions. Having GRC leaders at the table results in risk language becoming more commonplace among an organization’s leadership circle, creating more valuable and meaningful risk-driven conversations.
When departmental and business-critical leaders share a common language of risk, it’s easier to showcase the value of GRC processes and the impact of risk’s quantitative insights in everyday conversation. And, simply put, when a department’s leader establishes and enacts the agreed-upon language, the vocabulary falls into place more readily at all levels. A consistent structure is put into place to optimize processes, reporting and decision-making in all business areas.
When GRC leaders are at the mission-critical table, they also create a more collaborative environment. With cross-departmental control and intervention, they can connect and bring employees into the risk conversation, better explain core technology concepts and translate operational processes into easily digestible control points. All core business functions are then easily tested, monitored and assessed.
Translating Between Teams and Departments
Technology and sound processes enhance the conversation about risk as a business driver. This can be done without complexity or excessive nuance.
A valuable tool to enable cross-team communication is a risk-rating matrix. Oftentimes, before the introduction of GRC solutions, risk is weighted using an unscientific high, medium or low scale. But, when organizations start to enact common business language to further define those rating scales, they help increase the value of those parameters. The goal, then, is taking your rating scale and making sure you’re capturing financial and operational impact.
The risk-rating matrix must incorporate reputational influence based on local, national or global market dynamics. It must also account for strategic components that come into every department’s processes. It helps your business’ stakeholders and partners throughout the entire organization truly understand how those ratings come together. When an organization has clear reference points for the risk-rating assignments, the rating and information a business gets out of that process are even more valuable.
When a risk-rating matrix incorporates all of those business areas and is accepted and used across departments, the entire organization has a common point of reference for resource allocation, decision-making and comparing risks on a like-for-like basis. GRC and risk solutions that can express ratings in common business-speak and break them down in terms of dollars and cents have a significant amount of value for an organization.
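As an added illustration (not part of the original article), here is a small Python model of the quantitative rating the author argues for: a fixed impact taxonomy instead of free-text categories, a likelihood stated as a probability rather than a weasel word, and a high/medium/low band derived from expected annual loss in dollars. The taxonomy codes, the dollar thresholds and the two sample risks are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass

# Constructed taxonomy: fixed codes so every department reports impact in the
# same categories and results can be aggregated across the business.
TAXONOMY = {
    "FIN": "Financial impact (direct loss, fines, remediation cost)",
    "OPS": "Operational impact (downtime, lost productivity)",
    "REP": "Reputational impact (customer churn, market reaction)",
    "STR": "Strategic impact (delayed initiatives, lost contracts)",
}

# Rating bands as explicit dollar thresholds on expected annual loss, so
# "high" means the same thing in every department. Constructed values.
BANDS = [(1_000_000, "high"), (100_000, "medium"), (0, "low")]


@dataclass
class Risk:
    name: str
    annual_likelihood: float  # probability of occurrence per year, 0..1
    impact_usd: dict          # taxonomy code -> estimated loss per occurrence

    def validate(self) -> None:
        """Reject likelihoods that are not probabilities and impacts outside the taxonomy."""
        if not 0.0 <= self.annual_likelihood <= 1.0:
            raise ValueError("likelihood must be a probability between 0 and 1")
        unknown = set(self.impact_usd) - set(TAXONOMY)
        if unknown:
            raise ValueError(f"impact codes not in taxonomy: {sorted(unknown)}")

    def expected_annual_loss(self) -> float:
        """Likelihood times the summed impact across all taxonomy categories."""
        self.validate()
        return self.annual_likelihood * sum(self.impact_usd.values())

    def rating(self) -> str:
        """Map the dollar figure onto the shared high/medium/low band."""
        eal = self.expected_annual_loss()
        return next(label for threshold, label in BANDS if eal >= threshold)


def report(risks):
    """Rows (name, expected annual loss in USD, band), largest loss first."""
    rows = [(r.name, round(r.expected_annual_loss()), r.rating()) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample risks replacing phrases like "a fair chance of a data breach".
breach = Risk("customer data breach", 0.15,
              {"FIN": 2_500_000, "OPS": 400_000, "REP": 1_500_000, "STR": 600_000})
outage = Risk("ERP outage over 4 hours", 0.6, {"OPS": 120_000, "FIN": 30_000})
```

Calling `report([breach, outage])` turns "a fair chance" into 750,000 dollars of expected annual loss and a "medium" band that every department reads the same way.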
In the compliance and risk space, everyone needs to think creatively about how we’re leveraging common control frameworks and how we’re leveraging translation tools and reading structures. To turn GRC and risk into a business driver, organizations need to make sure they’re using them consistently and applying them thoughtfully across different areas of work. And, in order to truly bring all of those distinct pieces and requirements together in a thoughtful and effective way, GRC leaders must replace spreadsheet-, email- and SharePoint-based processes with the right technology to highlight insights and the established language of risk.