Zero risk is not of this world, particularly in the world of IT. So risk management is a must, though also quite a challenge. The second webinar in the GRC: Be Connected! series – an initiative of the Cyber Security Coalition (CSC), ISACA Belgium and the Solvay Brussels School of Economics & Management – bears once again down on a very practical ‘point of view’ related to this hot topic.
GRC: Be Connected! about risk management
Peter Debasse, Group CISO KBC Group & chair of the CSC Governance Risk Compliance (GRC) focus group, kicked off the seminar with a broad overview of all aspects pertaining to risk management. Starting with ‘why risk management’, the reasons range from the growing attack danger to imperative regulations. He also identifies the numerous internal stakeholders in a company, including the active lines of defence (up to board level), with a need of monitoring at all levels. The scope of risk management must map the risk onto the control universe, structured by means of standards and frameworks down to hands on controls. The process starts from the context, through identification of risks, analysis and action, to monitoring. This also includes risk/maturity assessment (how to reach the target) and compliance checks (be prepared). Complex? Indeed, it is a collection of interconnected processes. Companies will strive to digitize risk management, starting from the initial phase of acquiring fundamental skills and tools, with qualitative outcome. Later, aspects can be automated, requiring additional automation skills, and keeping a grip on the quality of data from multiple sources. Ultimately, the digitalization of risk management can result in a real-time analysis of aggregated data, supported by data science skills with a predictive outcome. Clearly, people will appreciate a helping hand while going through all the phases, so Peter Debasse welcomes new members in the GRC focus group.
Dina Quraishi, Risk Management Leader, followed up on this overview by drilling down on specific building blocks of risk management. She illustrated the interconnectedness of all these blocks with the neat metaphor of the interplay of musicians and specialists in an orchestra. Getting the essentials right implies understanding the importance of the context of every company, and adapting risk management to the specific constraints of a specific company. Beware of tools if you don’t understand their output, and do communicate with other stakeholders. Interesting tip for risk managers: apply risk assessment to your own processes, to check whether a particular approach makes sense. Go for standards (don’t re-invent the wheel), but do adapt them to your company. Discuss risk appetite and risk tolerance (two different aspects!). Provide for continuous improvement, as situations will change.
Of crucial importance is the attention you pay to your team, whether this is small or large. Create a community within the company, and look for outside cooperation. Balance inside expertise with fresh views from newcomers.
The skillful Chief Risk Officer (CRO) combines professional expertise with communicative skills to other groups in the company, including executive and board level, and defends both instant and long term ROI of risk management. And the CRO knows how to time new measures and approaches.
Having acquired the necessary skills is fine, but proving you have the skills is better. Arnold Meyers, Information Risk Manager Argenta & Certification Director ISACA Belgium, pointed out the added value of certifications for teams because of more effectiveness through more structured expertise, and for individuals through better job retention and improved personal marketability. He provided information about two ISACA certifications: Certified in Risk and Information Systems Control (CRISC) and Certificate IT Risk Fundamentals. How to study for these certificates (e.g. ISACA Belgium boot camps), prepare for the exam, and apply for the certification. A final plus: you join a worldwide community of 158,000+ experts, of which 900+ are Belgian colleagues.