Integrated Risk Management: Enterprise Level, Strategic Decision Making
The last several years have seen a shift in the business landscape driven by the digital revolution. New and expanding risks, changing technology, and increasing regulatory requirements have forced businesses to evolve how they address governance, risk, and compliance (GRC).
Two years ago, Gartner shifted its focus from GRC to Integrated Risk Management (IRM), because IRM enables the simplification, automation, and integration of strategic, operational, and IT risk management processes and data.
In this presentation, we discuss how IRM goes beyond the traditional, compliance-driven GRC methodology to provide a complete view of risk across the organization. Security and risk management leaders need to add value and long-term benefit by aligning with business strategy to make enterprise-level decisions.
Doug: Hello everyone and welcome to the Cybersecurity Virtual Event: Insights to Combat Today's Evolving Threats. We would like to thank you for joining us for this session titled Integrated Risk Management Equals Enterprise Level Strategic Decision Making. Before I turn things over to our presenters I would just like to say that Lynx Technology Partners is honored and excited to sponsor this event. At this time I would like to introduce our co-presenters, Gina Mahin, CEO at Lynx Technology Partners, and James Wilkinson, CIO, F35, at Lockheed Martin. Gina.
Gina Mahin: Thank you, Doug. I'm Gina Mahin and I have 30 years of experience in IT, cybersecurity, and risk management. I am currently the CEO of Lynx Technology Partners. We are a cybersecurity and risk management solution provider across multiple highly regulated market verticals. We support the financial sector, health care, energy, industrial controls, and the federal government. This topic is very meaningful to Lynx Technology Partners. We definitely leverage it to strategically execute our customers' programs. I am thrilled to be joined for this presentation by James Wilkinson. James, would you mind introducing yourself?
James Wilkinson: Hey Gina, thank you very much for your time today and thanks for inviting me to participate in this conversation with you. So I'm James Wilkinson and I work on the F35 program. And so, I am in the defense sector, or defense space if you will. So, a little bit about myself, Gina and to the audience: I served in our military for over two decades, and as a person working in the defense sector now, I also have experience in the tech sector and the financial sector. And so, you begin to learn a lot about valuable leadership, self-awareness, organizational management, and the ability to drive in states from an organizational risk approach. Some of my military experience being in special operations, that's the only way they operate: in an integrated approach to decision making, and it's all mission-driven.
So, before we get into our discussion today, me being a student of military affairs and national security, one of the things our leadership and all of us had to do was learn about other great leaders. And so, one of those in particular was [inaudible 00:02:54]. And so, I think today's topic is very suitable because one of the leadership principles he used to talk about, or we had to learn about, and it's one I actually remember to this day and I still use it to this day, is he said, "Can you imagine what I could do if I could do all I can?" And so, to me this means that integrated risk management will allow you to look at doing all you can with all the tools and resources that are available to you. So with that, Gina, I'll turn it back over.
Gina Mahin: Thank you so much. And that's a fantastic set up to really talking about what is IRM. Essentially we're focused on risk management as it relates to the strategic objectives in the performance of the business. It's an integrated view of how well each organization manages its unique set of risks. And what you can see on this slide is a graphic that just identifies those key fundamental areas and how they tie back to either performance, resilience, assurance, or compliance, where you've got your digital risk management, vendor risk management, business continuity management, audit management, corporate compliance, and you have enterprise legal management. We're going to drill into each one of those use cases and not only help you understand what each one consists of but also some direct experience that James has experienced through his career.
So, we'll move to the next slide and the first one we're going to talk about is digital risk management. And this directly impacts the performance of an organization because we're all adopting new technology very quickly. This also encompasses the Internet of Things and going to the cloud. It's all about being able to be innovative but also ensuring that you're aware of the risks associated with bringing on that technology. In the past, under a GRC approach, this was something that was done in a silo. Under the integrated risk management approach the business owners and the people that are bringing this innovation to the organization are now aware of the impact of risk and what it has on the organization. James, have you ever experienced anything where you're bringing new technology, maybe on the battlefield, or in one of your programs, or anywhere in your experience, where it's taken too long to implement it so you don't get the reward? Or give us something from your experience.
James Wilkinson: Okay. Not a problem, Gina. I'll figure out if I can give you something that I can talk about. So, it's always a challenge implementing and integrating new risks, even in the acquisition arena, in the defense space, or if you're at a tech company and you're going through your life cycle development processes. So, one of the things that I've noticed is that it depends on the business: when you're implementing or looking to implement vendor risk management, some can do it a little quicker and have a little bit more agility if they're a little bit smaller. Those who are a little larger, the larger organizations, the big, large enterprises, may take a little bit longer to realize the value, but they know the numbers are there. So, the compliance, the ISO compliance, is not really going anywhere. When I look at vendor risk management, it's evolving to a more comprehensive integration of the business objectives and aligning them with cybersecurity.
So, we're basically taking NIST and applying that to the business, and aligning NIST cybersecurity to the business principles and objectives for the organization. So, I'll give you an example of what I mean by that. So we all are aware, most of us anyway, if you work in the defense space, or if you're going to work in the defense space, or support an organization in the defense space, we all see the Cybersecurity Maturity Model Certification, the CMMC, is coming out and it's going to be out next year. And we all will be expected to comply with that. So, what it's going to do is require organizations that are doing work in the Department of Defense or with the government to have not only a system security plan and plans of action and milestones, POA&Ms; that's not enough to be able to secure your organization.
So, just because you're compliant doesn't mean you're secure. And instead they're also going to have vendors evaluated on their implementation of their controls, their documentation, and policies. So that means they're going to have a third party validate them to say, "Yes, we are handling your information and we are applying the necessary controls to protect the information in the defense sector." So with that, that third party evaluation is something that's going to be mandated throughout. And so, that might be something organizations will have to adjust to when you're talking vendor risk management, because some sectors don't necessarily do that and others are already doing it, like in the financial industry. You have to have third party validation to be able to work with one of those organizations or get on to the network. So with that, Gina, I hope that helps give you a [crosstalk 00:09:29] and I'll turn it back over to you.
Gina Mahin: And it absolutely does, and I know that, based on my own experience working with federal agencies, if you want to connect to a federal information system you have the FISMA flow-down requirements as a vendor. That I was very used to when I entered into the commercial sector and I learned about other ways that organizations are looking at vendor risk management. The one thing that I will tell you is pretty consistent is that without an integrated risk management approach it's almost looked at like a module and handled completely separately from governance, risk, and compliance.
Now with business continuity, this is all about understanding the risks and being able to record the testing process and ensure that it's in place in the event of an incident. So, you can see how, as part of the equation, we're talking about enabling the business through innovative technology and outsourcing for cost effectiveness with your vendors, but now you need to be aware of those risks and ensure that you have visibility over business continuity management. Now audit management is your third line of defense and you need to make sure that, again, now that you are making better risk decisions because you have visibility over those risks, your auditors have the best solutions and are focused on the things that are most important to the business. James, do you have anything that you'd like to add about audit management?
James Wilkinson: Yeah, sure Gina. So, audit management, business continuity management, there's so much there. I don't think we have enough time to unpack all of that, but I can tell you some observations I've seen through others in the industry and other peers in the industry, and that is that business continuity is very key. Because I was reading the other day, 35% of organizations don't test their business continuity plan. And so, if you have critical systems that you are running and you don't test your business continuity plan, that will shift, or could shift, your calculus for what is your most important risk and where you need to place emphasis as far as revenue and resources and what you need to invest in.
So, trying to actually do the test can also be challenging for maybe smaller organizations due to personnel resource constraints, but that's probably part of the calculus. From an audit management aspect, your internal auditors, when auditing, are providing advice to senior managers and senior executive leaders. Who owns that risk? So if you have organizations that have cylinders of excellence, or as we like to call them, silos, and they all are getting audited by an audit entity from different aspects of the organization, whether you have development, or whether you're in a new business, or whether you're looking at your operations, or production, or you're looking at part of your supply chain. When you start looking at audits across those, you're looking at: are they actually doing what they said they are going to do? Are they following their own processes, procedures, and practices? But what you don't find sometimes is the integration of those findings across the organization.
And so, one of the things we learned, and I'll cross-reference to some of my military experience, is that the after actions are very important to moving forward in the organization and the decisions that it [inaudible 00:14:00] how it needs to conduct business. And so, it is very comparable to what we're seeing today and what other peers have experienced or expressed. So, trying to do an audit and share it across the organization and across all of your entities, you will probably find there is a different calculation for where risk is important to one and not important to the other, and it could be a very similar risk, but you won't know it until you pull on that common thread. And I think we'll talk about that a little bit later. Back to you, Gina.
Gina Mahin: Thank you very much. That was extremely helpful. So, the next area is corporate compliance and oversight, and this really encompasses your policy development and management and ensuring that it's aligned and harmonized with compliance and risk. And now what we're also doing is adding in those elements for ethics and behavior, and we're really ensuring that we have version control in the oversight. As risk is becoming more visible and more important to the board, it's extremely important to have a good plan in place that supports corporate compliance and oversight. And enterprise legal management is really where legal meets compliance. These are areas where, again, you're looking at spend control, you're looking at the legal impact of what you need to comply with as far as regulations and what your risk is. Things like privacy and GDPR are now coming into the equation and becoming all part of that integrated risk management solution. James, do you have any closing remarks that you'd like to add in this particular area, where we're talking about what integrated risk management is and those six use cases?
James Wilkinson: Sure Gina. Thank you very much for that. Yeah so, between the six use cases and integrated risk management, I can probably summarize that: integrated risk management, as I would think of it, is a set of practices and processes that support your organization becoming a more risk-aware culture, and the technologies that enable that. And in that support you also improve your decision making and performance because you have this integrated approach. So, you're not going to do away with GRC. We're not wanting to do away with ERM. But instead you want to be able to utilize those and have a cross section of that to help you drive your decisions. So, that's how I would summarize that. So stronger performance, you have increased resilience, you have better assurance and more efficient compliance. Okay. Gina, back to you.
Gina Mahin: Thank you so much, James, that was extremely helpful. And now we're going to go into the section talking about the long-term benefit of integrated risk management. Sorry for that background noise. That was unexpected. So, I would say one of the main ones is the consolidated reporting from across the entire organization and the removal of those silos. I think that organizations shift to making better decisions that are based on strategy. But what other benefits can you think of, James?
James Wilkinson: Okay, Gina. So for me, some of the benefits, the long-term benefits of it, is I think you begin to gain a comprehensive understanding of risk for decision making. So, it's kind of like, and I'm going to try to simplify this even though it's not that simple, but if you had a master risk registry, from risk, from supply chain, from new business, you would be able to look at all of those and say, "Okay, here's our business objectives, our strategic objectives." You're looking at those and then you're saying, "Okay, which ones are most important?" And sometimes they all are equally important, which becomes the challenge, right? But you will now have a more comprehensive understanding of risks as it goes across the enterprise for those who are larger organizations.
I would say another one is that your strategy is based on business objectives and the mission and not necessarily compliance objectives, and we talked about that earlier. You can have your consolidated risk reporting, like a consolidated risk registry. It's not the only one, but it's an example of one. And then, you also can minimize uncontrolled risk at the strategic level. So, sometimes those risks that are not yet realized or not yet explained, you will now hopefully be able to explain them in a way that helps.
So I'll give you an example. If you have new business in your business development team, and they're going after new business, and they're doing all the things they need to do to bring in new business to the organization, they have a calculus of, "Hey, we need to sell X amount of these services." And so, the total amount could, let's say, be 10. "We need to sell 10 of these boxes." Well, if you sell 10 of those boxes, the folks on your supply chain, or the people that do sustainment of the business, will look at it and say, "Hey, we've got 10 boxes. We're going to be able to produce, we are going to be able to support and maintain, because they just sold the service."
Well, if the organization you're working with, for some reason, because of budget constraints and controls, can't afford to do all 10 boxes or service components, they may only do five. Business development looks at that and says, "Hey, we still made a sale. Good for us, but we'll phase it in." And on the back end, on the other side of your spectrum, in your supply chain or your sustainment business, they look at that as a loss. They'll say, "Hey, wait a minute. We had 10 orders for X and now we have five. What happened?" So, if they're looking at it as a loss, that's an example of how this integrated risk is not really realized across the organization, because to them that looks like a loss.
So, now when you try to bring those two together to understand how you look at the sale of items or services and the management of those services, now they begin to understand, because they are mutually supporting. Now you have a different perspective and view across all of them, because now everyone wants to get to the same objective: "We want to sell X amount of services." And so, as we do that, now everyone's aware of, "If I miss this point here, it also has an impact on something else in a portion of the business." I'll turn it back over to you, Gina, but that's my short, quick summary.
Gina Mahin: Well, thank you so much for that, James. That is fantastic. And it brings us right into our next slide where we talk about GRC to IRM. And I will tell you that a GRC-focused GSL is one that is more focused on checking boxes than on really addressing true risk to the business. And what that means is that there are going to be investments in areas where they're going to spend a lot more than they need to, and not enough in others, based on the unique risks that that business faces. So, when we talk about moving from GRC to IRM, that's an important benefit that you're going to realize right out of the gate. Now that's not to say that you throw away GRC, but we want to make sure that we bring in that visibility and incorporate areas that have not been traditionally considered as part of GRC as we are moving towards integrated risk management.
So, one of the key areas, and this is a difference, is that when you're thinking of GRC you are really trying to adhere to some form of an accrediting body, whether it is a government accreditor or whether it is PCI DSS, HIPAA, the sky is the limit. And you're typically looking at frameworks, sometimes in silos, and you are performing those assessments and creating packages. And it becomes more of a drill because of necessity, not because you're looking at it as a means to grow the business.
When we broaden the spectrum and we start looking at those six use cases which we reviewed, you can see that you're focused on business performance and innovation, and ensuring that you're secure while you're focused on that, and you're also maintaining your resilience. You are also able to show the assurance and talk to your board as far as, "Are we really secure?" You can give an appropriate answer. And you're compliant with your standards for auditing; your policies and procedures are able to be managed because you don't have separate ones for each regulation that you have to adhere to. And then, you're also encompassing your enterprise legal management. James, would you like to share anything from your experience of how one would transition from GRC into IRM?
James Wilkinson: Sure. Thanks Gina for that, and yes, I think it goes back to how you implement most frameworks in your organization. So, going from GRC to IRM, you've really got to have leadership sharing across the organization, so that you have that leadership buy-in. You also need to be able to recognize potential new risks from company initiatives. So, from, say for example, digital transformation, or third party relationships and suppliers, or compliance and oversight, you will be able to do all of the above through recognizing potential new business, because you will now have a better understanding of risks elsewhere in the organization and how they all relate to the mission.
Another point I'd like to bring up is collection: you want to collect and integrate a view horizontally and vertically. So, horizontally, managed in the business areas, as for example operational risks which are independent of other areas. And then your verticals, which we talked about earlier, are some of your independent functions and your silos that have less emphasis on connecting the strategic business impacts. So basically your business and IT are separate; they don't necessarily connect risk mutually across the business. And so then, you also need a mechanism that allows you to be more dynamic and scalable in adapting risk management strategies. You've got to be able to communicate that in reporting, and you need to be able to monitor it, and then find the right technological solution that allows you to automate that where possible; it depends on the size of the organization and what you all need to do. And that's how I would look at it, in my layman's terms, how you have to transition from GRC to IRM. Back to Gina.
Gina Mahin: Well, thank you. And that actually brings us to the keys to integrated risk management success. So, the first thing that you have to have in place is the strategy, and this is essentially the enablement and implementation of a framework. This includes performance improvements through effective governance and risk ownership. This is a harmonized framework: not that you are taking controls from an accrediting authority; you are able to right-size it for your business, you are able to align your risk tolerance with your goals, and we also have identified who owns the risk.
The next key to success is the ability to assess risk. It's not just performing assessments that you would normally think about in GRC, like control assessments. This is the identification, evaluation, and prioritization of risks. And I think that James, you had mentioned this as part of your talk. This is where you may even identify new risks that you were not aware of as you start this process. And with your strategy, you're thinking about how you are going to innovate to obtain more market share and leverage new technology, or outsource to those vendors to increase your performance. Being aware of those risks and being able to prioritize them, and accept them, and own them is very important and integral in integrated risk management.
The third is response, and this is the identification and implementation of the mechanisms to mitigate risks. We need to agree where we're going to invest and what effective solutions to put in place to mitigate that risk. And James, if you could shed some light on any experience that you can come up with as far as different methods and how you would evaluate them for responding to risk.
James Wilkinson: Well, thank you Gina for that. I think there's so much to this conversation here, and I think it depends on the organization and the space or the vertical that they're in. They will also need to look at: is it domestic or international? And so, from an international space, sometimes you have different regulations and regulatory governing bodies that you need to account for when you're trying to implement risk across an enterprise, which some organizations may not have to do, but it's realized. And so, you have to be able to do that.
So, when we look at not limiting IRM to a compliance activity, that's always a challenge, because now you, as that person in that risk role, have to be able to connect the dots to each of the lines of business in the organization, understand their priorities, their commitments to the business and their strategies, and figure out where you can help fill some of these gaps and connect risks. Because you, as a professional, an information and cyber security professional, are looking at risk through a different lens than a person in program management looks at risk. Is that fair? So, when you're doing that, you actually have to be that person not integrating just the actual compliance aspect; you actually have to look at integrating risks with the business objectives. I'll pause there for a second and see if you'd like to comment on that one.
Gina Mahin: That is fantastic, and it brings us back to communication and reporting, which is provisioning the most appropriate means to track and inform stakeholders of the risk response. So, it's putting together the right response, but also: how do we communicate its effectiveness? And monitoring is a methodical approach to doing just that and to actually letting us know the performance measurements, how our policies are being adhered to, and the decisions and effectiveness of our risk mitigating activities. And last but not least, in order to really have a true integrated risk management solution, you need to have a technology that provides you with that single pane of glass: one that incorporates a view for the chief risk officer, the board, and the CSO, to be able to have a harmonized view of all of those major areas that used to be disparate in one view, to be able to take action and measure.
James Wilkinson: That's absolutely correct, Gina, so thank you very much for that, and I think I've gotten a lot out of this conversation with you, and you've helped educate me as well.
Gina Mahin: Well, thank you very much. It has been my honor and pleasure to present with you, James.
James Wilkinson: Well, I look forward to doing this again sometime. So again, thank you very much for having me, and for those organizations who are looking to integrate risk management into their current processes or frameworks, it's very key and important to look at your organization as a whole and to begin taking it in small chunks, to figure out how you can realize the maximum gain from a business objective or a mission objective, depending on the industry sector or vertical you are in. With that, thank you for your time, Gina.
Gina Mahin: Thank you. And Doug, back to you.
Doug: It is time to wrap up. Once again, I would just like to thank Gina and James, and thank our audience for attending today's event, Integrated Risk Management Equals Enterprise Level Strategic Decision Making. We hope you found this topic valuable. On behalf of Lynx Technology Partners and our presenters, thank you for joining us and have a great rest of your day.