Everyone approaches GRC differently because they’ve had a different upbringing. And then over time organizations and departments evolve organically, adopting distinct ways of working, and following different methodologies.
Take integrated risk management, for example: IT risks are largely dealt with in one of the following four ways.
- Treat: implementing specific controls to mitigate the risk.
- Tolerate: accepting that you are exposed to certain risks based on your risk appetite.
- Transfer: choosing to outsource certain things or insure your organization against them.
- Terminate: avoiding risks or dropping them completely.
However, even something as common as these four T’s can be termed differently: mitigate, accept, outsource and avoid. Not only the words but also the definitions behind them vary from one organization to another.
Do words matter?
Because everyone approaches GRC in different ways, they also use different words to describe their risk management. However, since the underlying meaning is the same, it doesn’t really matter.
Or does it?
The reality is that, for integrated risk management, the actual words you use can be the difference between success and failure. Using different words, even if they mean the same thing, can block your systems, methodologies, and people from working together because they’re not speaking a common language. Talking in different languages puts you at greater risk of miscommunication, as people could be reporting different datasets for different controls.
80% of employees say miscommunication occurs frequently in their organization. Source: Fierce Conversations and Quantum Workplace
Technology is irrelevant
Every organization needs to implement a control framework to help mitigate the risks they’re exposed to. Most organizations turn to technology to assist them, but implementing a GRC system, either with or without a dedicated solution, isn’t going to be successful unless you’ve addressed the basics first.
For your risk management framework to integrate seamlessly across your organization, you need to start by mitigating the risk of miscommunication. It doesn’t mean your departments suddenly need to start adopting new working practices. It could be as simple as agreeing on common words or reporting data in the same way, so everyone is talking about risk in the same terms. For example, your business units could agree to score the severity of a risk’s impact on a scale of ‘1 to 5’ rather than ‘1 to 4’.
Once you’ve agreed a common vocabulary around risk and compliance, it means that when your functional business units score risks in their individual management systems, the data is being captured in the same way. Now, when risks are reported on, everyone has the same understanding of the information that’s being communicated, and that data can be easily compared and analyzed across the organization.
Keep it simple
In defining your organization’s common language, there’s no need to start writing a dictionary and defining every word. It doesn’t have to be a mammoth undertaking, but it does need to be done to establish a solid foundation on which to build your integrated risk management framework.
Start by looking at what you have now, and you’ll quickly start to see how certain words can be tweaked, or reporting methodologies adapted, to create a language everyone understands.
In SureCloud’s recent webinar, we shared an integrated risk management framework that easily adapts to your way of working, and helps you gain that common understanding of risk across your organization.