Big, important projects tend to start with a big, important question: Where do we start?
Assuming you’re on the path to GRC maturity after reading the first installment of our ultimate, five-part guide—we’ve got the answer.
We’ve boiled the question of where to start down to these five planning tactics any enterprise-level GRC implementation team can take today to mitigate risk in their organization.
1. Find your risk threshold
Risk management—like checking your bank balance or opening up test results—is a lot more daunting when you don’t know exactly what you’re dealing with. That’s why the first step in risk mitigation is all about setting a baseline: Find the data that tells you exactly what level of risk you’re dealing with.
From there your team can decide how much risk is too much. What level of risk is your organization willing to take on? What can your organization feasibly handle?
Making this decision will give you a solid foundation from which to develop a strategy.
2. Understand your risks
Next, you’ll want to take all the risks that are unacceptable to your business and organize them by statement and framework.
- The statement asks what could happen, how it could happen, and why your organization should care.
- The framework outlines broad risk categories that contain similar risk statements.
Think of this as putting together a virtual risk “filing cabinet.” Be sure to develop a policy for how your team will “file” risks as they arise in the future.
3. Develop a risk action plan
Now you want to make sure your team is clear on procedures regarding risk assessment and response. The risk organization from step two won’t do much good if no one knows how to handle the actual risks.
Per the framework you just created, develop a system to gauge the severity of the risk and the likelihood of it happening. This will help you prioritize remediation if multiple risks require attention.
Develop—and commit to maintaining—accessible information on how to deal with risks that you know are common in your industry and organization.
In addition, develop a chain of command through which risk recognition and resolution should pass.
4. Lock it up tight
You have a plan for recognizing, prioritizing, and handling GRC security and compliance risks and infractions. Now add a layer of controls—specific implementations of a policy statement—to safeguard against future risks. Monitor these regularly to make sure they are actually detecting and/or preventing risks.
5. Tally up
Finally, make sure you’re capturing all the data you can.
Just as it was important to be aware of your risk data before you started this housekeeping project, you’ll want to know how your changes have helped your organization and what you can still improve on moving forward.
If you’re not sure how you’re going to find the time or expertise to complete this risk mitigation project, ServiceNow’s Risk Management module—which the team here at Cask (Hi!) specializes in implementing and maintaining—provides a centralized place to identify, assess, respond to, and continually monitor risks that negatively impact business operations.
In short, ServiceNow can do everything we just talked about with a bit less effort and a bit more sleep on your part.
Interested in learning more about risk management and how it relates to a healthy GRC ecosystem for your organization? Stay tuned for the rest of our five-part journey or get in touch with our team at Cask to get on the path to GRC maturity today.
