Manage Tomorrow's Surprises Today

Steven Minsky

Risk Taxonomy Step 3: Managing Cross-Silo Dependencies


A risk taxonomy, the brains of an enterprise risk management software platform, creates a common language that makes working across operational silos possible. It also creates the basis for a risk management discipline: rather than reacting to seemingly "one-off situations," the entire organization can standardize and prioritize how assessment, mitigation and monitoring are applied in a common, comparable way, building risk management competency across the enterprise.

See our other blogs, "Identify Core Business Processes" and "Link Resources to Business Processes," which explain steps 1 and 2 of building your risk taxonomy.

1) Standardize assessment criteria and weightings for Risk Assessment Templates

Common standards and assumptions make information collected across the organization objective, quantifiable and comparable, enabling better analysis, issue resolution and, when necessary, issue escalation.

2) Rationalize and consolidate risk assessments and data fields

Different areas across the organization are collecting the same information about resources; they just don't know it. For example, accounts payable, contract management, vendor management, business continuity, and IT all collect overlapping information about your vendors. By understanding what information these areas collect for each resource, you can easily rationalize and consolidate assessments and data fields. You can gather information across silos and identify areas where controls and tests can be consolidated.

3) Make resource allocation available in a central place as a library

Using information from one common place makes it possible to dramatically reduce rework, especially in collecting and managing information, for both you and the process owners you work with.

4) Formalize risk identification of resource dependencies to each other

The library also helps you know who else is connected to the same information. The key is to figure out how all of these resources are related to each other and which combinations of these resources are most important to critical areas of your business.

By connecting activities, or controls, to the vendors and other resources that each activity relies upon at the business process level, the process owner and the activity owner can be notified when resources that are directly or indirectly related to their areas of concern change. This is a major contributor to business performance management and to the value added by enterprise risk management.

Typically, people in organizations know only one degree of separation in relationships. A risk taxonomy enables you to recognize all the relationships and notify the appropriate related parties of changes, both directly and indirectly related to their area, so no one misses the "memo." Direct relationships are always known; it is the indirect relationships that are more problematic and hard to control.
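The direct-versus-indirect notification described above can be modeled as a walk over the taxonomy's dependency links. The following is an added example, not code from this blog or from LogicManager; the resource names, owners and the function names `impacted_by` and `notifications` are constructed for illustration.

```python
from collections import deque

# Constructed sample taxonomy: each activity or resource lists what it relies upon.
DEPENDS_ON = {
    "payment-processing": ["erp-system", "bank-gateway-vendor"],
    "erp-system": ["cloud-hosting-vendor"],
    "vendor-onboarding": ["contract-repository"],
    "contract-repository": ["cloud-hosting-vendor"],
    "bank-gateway-vendor": [],
    "cloud-hosting-vendor": [],
}
# Constructed owners of each activity or resource.
OWNER = {
    "payment-processing": "accounts-payable",
    "erp-system": "it-ops",
    "vendor-onboarding": "vendor-management",
    "contract-repository": "legal",
}

def impacted_by(changed, depends_on=DEPENDS_ON):
    """Return {item: degrees_of_separation} for everything relying on `changed`."""
    # Invert the links so we can walk from a resource to whatever depends on it.
    dependents = {}
    for item, deps in depends_on.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(item)
    degree = {}
    queue = deque([(changed, 0)])
    while queue:  # breadth-first, so each item gets its shortest distance
        node, dist = queue.popleft()
        for parent in sorted(dependents.get(node, ())):
            if parent != changed and parent not in degree:  # also stops cycles
                degree[parent] = dist + 1
                queue.append((parent, dist + 1))
    return degree

def notifications(changed, depends_on=DEPENDS_ON, owner=OWNER):
    """Map each owner to the (item, 'direct' | 'indirect') pairs to be told about."""
    notify = {}
    for item, dist in sorted(impacted_by(changed, depends_on).items()):
        kind = "direct" if dist == 1 else "indirect"
        # Items with no recorded owner surface as a gap instead of being dropped.
        notify.setdefault(owner.get(item, "UNASSIGNED"), []).append((item, kind))
    return notify

if __name__ == "__main__":
    for who, items in notifications("cloud-hosting-vendor").items():
        print(who, items)
```

A change at the hosting vendor reaches accounts payable and vendor management only through second-degree links, which are the relationships a one-degree view misses.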

Look at BP, for example: the vendors were not connected with each other or with the process owners involved. People were missing key pieces of the "memo" reporting that there were issues, so no one could put the puzzle together. In days where outsourcing of vendors and activities is becoming so extensive and complex, how do you maintain the connections between the risks encountered by your vendors and your business risk and control owners throughout the organization?

Why did the CEO of BP get fired? Lack of establishing effective monitoring of risk!

By building a risk taxonomy to define resources and their relationships, along with implementing common standards and assumptions across your organization, everything becomes comparable and objective -- everything is on the same scale. You can analyze, report, and make decisions taking into consideration every relationship related to the resource or process across the organization. This is how risk tolerance is aggregated and matched to the organization's risk appetite!

Watch our 5 minute video: Strategic ERM to learn how you can link your risks, processes, and resources in your risk taxonomy to your organization's strategic goals and key concerns to grow more strategic over time.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven Minsky is the CEO and Founder of LogicManager, the recognized leader of enterprise risk management solutions, and is also the developer of the RIMS Risk Maturity Model for Enterprise Risk Management™. LogicManager provides a common, intuitive software-as-a-service platform of scientifically validated enterprise risk management decision and diagnostic tools for more effective corporate governance, risk and compliance.
