Leaner Risk Management
Lean, You Say?
Lean and Agile are both methodologies that ask individuals to think about whether or not the activity in question is moving the main product or service toward fruition. With Lean specifically, activities are classified as value-added (VA) activities, non-value-added (NVA) activities, or necessary but non-value-added (NNVA) activities.
Imagine a large company that makes bicycles as an example. As a publicly traded company that manufactures bikes and bike accessories, it has an obligation to perform Sarbanes-Oxley (SOX) compliance audits. Let’s also assume there are times when too many bike parts are produced, resulting in excess inventory. You could surmise that producing bikes is this company’s value-add activity, while the SOX audits are necessary-non-value-add activities. Finally, the accidental creation of surplus inventory is a non-value-add activity. In Lean parlance, this is simply referred to as waste.
I’ve witnessed many formats and configurations for risk management, too many of which are bloated and bureaucratic programs that employ auditors who honestly mean well but in truth are naive to the imperfections of the real world that lurk just beyond their pretty spreadsheets and checklists. In my opinion, employing a bunch of busy auditors isn’t the path to risk reduction. It’s waste.
The rest of this article explains the methods I employ to cut the fat out of risk management. That is, eliminating waste and focusing on value.
The Value of Risk Management
Many assert that governance, risk management, and compliance (GRC) fall under the necessary-non-value-add (NNVA) bucket. At times that may be true. I believe that risk management, when done with the right focus, can actually drive value by eliminating waste. Put simply:
Risk management reduces waste such as downtime, lawsuits, or the loss of intellectual property.
Additionally, I can tell you what is not valuable in the realm of risk management: tons of analytical artifacts and calculations that nobody can make sense of. Value is measured in terms of impact, not effort. Therefore if you’re not reducing risks, you’re wasting your time.
Grow Your Scope Iteratively
Building an enterprise risk management program is akin to building any other type of structure. As a novice builder, you wouldn’t start out constructing something as complex as the Empire State Building, right? You would instead hone your carpentry skills by building something like a bike shed first, then progressing to a small home, and so on. The idea is that your risk management program should be iteratively improved over time. Perhaps start small by practicing risk management within your department. This is a great way to practice your methodology on a smaller scale within the forgiving boundaries of your own team, such as IT or Finance.
Yet your ticket to the big leagues, such as a seat at an executive-level committee, is to broaden risk management scope to encompass the entire organization. This requires having deep insight into the inner workings of the business, as well as obtaining cooperation from your business counterparts.
If you plan on assessing risk within other business units, you’re obviously going to need to know a bit about how those business units work. Understanding how a business ticks is going to take some time, and I highly recommend leveraging enterprise architecture practices to expedite the discovery and documentation process.
Here is what you don’t want to be: the one-dimensional, security-centric auditor who cluelessly fumbles around wasting your business counterparts’ time with irrelevant activities. Not only is that the very definition of “waste” from a Lean perspective, but you’ll personally lose credibility, thus killing any prospect of your risk management program’s advancement.
Problem Solvers, Incorporated
Traditional risk management is terribly one-sided and, at times, adversarial. We’ve all seen the auditor who shows up with a notepad and asks a business owner to explain his or her processes in excruciating detail. And what do these business leaders get in return for their significant time investment? A checklist of everything that’s wrong with them! It’s no wonder the blinds shut and the lights go dark when the risk manager comes knocking at the front door.
So how do you as a risk manager provide value while still learning about a business unit? By catering to the “what’s in it for me” mentality of your business counterparts.
In other words, by helping business leaders solve problems. Oftentimes, a “business problem” is also a risk. Examples include an aging eCommerce platform, a lacking talent retention plan, or inadequate funding for innovative research and development. By helping your business counterpart resolve a challenge, you’ll be viewed as a problem solver, a title that lends immense street credibility and a virtual guarantee of future cooperation.
Call it consulting, cheerleading, or both. But the goal is to identify business problems that are truly risks, gain consensus with your business counterpart on how to resolve the problem, then sell the heck out of the solution to executives in order to obtain the resources necessary to improve the situation.
Tools of the Trade
Contrary to what software companies would have you believe, you don't need a hundred-thousand-dollar risk management application to manage risks, especially when first starting out. While you may eventually need an enterprise-class tool, start off with the basics. That is, your simplified risk calculations and a basic repository to store risk details. You’ll also need a venue for socializing risks with stakeholders and suggesting ways to manage those risks in a methodical way.
Risk Scoring Calculations
At times, you'll need to calculate risk yourself. This is where standard methods like DREAD and STRIDE come in handy. Other times, risk scores may be provided to you by a third party who used a complex or proprietary formula. Examples there include the Common Vulnerability Scoring System (CVSS) or an insurance broker who rates your cyber security risk surface as “moderate” based on a dozen or more weighted metrics.
I'll cut to the chase here: get your feet wet with basic arithmetic before jumping into calculus. Even if you adore the complex minutiae of risk metrics, your business counterparts certainly will not. They want simplicity, such as the labels “high, medium, low” or “red, yellow, green.” If you have to get quantitative, use simple formulas such as probability-times-impact. Otherwise, map complex scoring systems (such as CVSS) to the aforementioned high/medium/low categories.
The Risk Register
I've used many different tools over the years, but the one I tend to go back to is the basic spreadsheet, primarily because I can customize it and secondarily because it’s cheap. And through the magic of Google Sheets, there's one version that's always up to date which can be securely shared with those who need to be in the know. Here's a sample:
This is one of my more simplistic templates, used in organizations just starting their GRC practice. As you can see, I have only two risk calculations: probability-times-impact for “business risks” and Common Vulnerability Scoring System (CVSS) scores for more technical vulnerabilities found by automated vulnerability scanning tools such as Nessus, Qualys, and so forth.
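As an added illustration of the two calculations the register above relies on (probability-times-impact for business risks, and CVSS folded down to high/medium/low for scanner findings), here is a small risk register in Python. This is example code written for this page, not the author's spreadsheet or template. The 1-to-5 ordinal scale, the thresholds on the product, and the choice to fold CVSS "Critical" into "High" are assumptions made here; the CVSS v3 qualitative bands (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0) are the published ones. The entries are constructed, fictional examples. The `unsolved` helper flags entries that stop at the "Review" step of E.A.R.S. without a proposed solution.

```python
"""Minimal risk register: probability-times-impact for business risks plus a
CVSS-to-High/Medium/Low mapping for scanner findings. Added example, not the
article's own spreadsheet; scales and thresholds below are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Assumed ordinal scale for probability and impact (1 = lowest, 5 = highest).
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed thresholds on the 1..25 product: 15 and up is High, 6..14 Medium, else Low.
PRODUCT_HIGH, PRODUCT_MEDIUM = 15, 6

# CVSS v3.x qualitative bands: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High,
# 9.0-10.0 Critical. Critical is folded into High because the register only
# carries three labels; that fold is this example's choice, not a CVSS rule.
CVSS_HIGH, CVSS_MEDIUM = 7.0, 4.0

STRATEGIES = {"mitigate", "avoid", "transfer", "accept"}  # assumed vocabulary


def score_business_risk(probability: int, impact: int) -> int:
    """Return probability x impact, rejecting values off the assumed scale."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name} must be an integer in "
                             f"{SCALE_MIN}..{SCALE_MAX}, got {value!r}")
    return probability * impact


def rating_from_product(score: int) -> str:
    """Collapse the numeric product into the label stakeholders actually read."""
    if score >= PRODUCT_HIGH:
        return "High"
    if score >= PRODUCT_MEDIUM:
        return "Medium"
    return "Low"


def rating_from_cvss(base_score: float) -> str:
    """Map a CVSS base score (0.0-10.0) onto the register's three labels."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score!r}")
    if base_score >= CVSS_HIGH:
        return "High"
    if base_score >= CVSS_MEDIUM:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    owner: str
    strategy: str            # one of STRATEGIES
    solution: str = ""       # proposed fix; empty means none offered yet
    probability: Optional[int] = None
    impact: Optional[int] = None
    cvss: Optional[float] = None

    def __post_init__(self) -> None:
        if self.strategy not in STRATEGIES:
            raise ValueError(f"{self.risk_id}: unknown strategy {self.strategy!r}")

    def rating(self) -> str:
        """Scanner findings are rated by CVSS; everything else by probability x impact."""
        if self.cvss is not None:
            return rating_from_cvss(self.cvss)
        if self.probability is not None and self.impact is not None:
            return rating_from_product(score_business_risk(self.probability, self.impact))
        raise ValueError(f"{self.risk_id}: needs probability and impact, or a CVSS score")


def summarize(register: list) -> dict:
    """Count entries per label, the view an executive committee wants."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for entry in register:
        counts[entry.rating()] += 1
    return counts


def unsolved(register: list) -> list:
    """IDs of risks raised without a proposed solution (the 'S' in E.A.R.S. still owed)."""
    return [e.risk_id for e in register if not e.solution.strip()]


# Constructed sample register; every entry here is fictional.
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Aging eCommerce platform, vendor support ends next year",
              "Head of Digital", "mitigate", "Fund replatforming project",
              probability=4, impact=5),
    RiskEntry("R-002", "No talent retention plan for payments engineers",
              "HR Director", "mitigate", "", probability=3, impact=3),
    RiskEntry("V-101", "Scanner finding: outdated TLS library on web tier",
              "IT Ops", "mitigate", "Patch in next maintenance window", cvss=9.8),
    RiskEntry("V-102", "Scanner finding: verbose server banner",
              "IT Ops", "accept", "Accept; remove banner in next hardening pass", cvss=2.1),
]

if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        print(f"{e.risk_id:6} {e.rating():6} {e.strategy:9} {e.description}")
    print("counts:", summarize(SAMPLE_REGISTER))
    print("raised without a solution:", unsolved(SAMPLE_REGISTER))
```

Two design points worth noting. The product scale rejects anything outside 1..5 rather than silently clamping, so a typo in the spreadsheet shows up as an error instead of a plausible-looking score. And a CVSS entry takes precedence over probability and impact, which keeps a scanner finding from being rescored by hand and drifting away from the number the tool reported.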
When it comes to the risk management process, I profess the mnemonic of “using your E.A.R.S.” That is, Enumerate, Analyze, Review, Solution. Enumeration is essentially discovering and documenting risks. Analyzing is where the usual risk calculations and risk management strategies (mitigation, avoidance, etc.) come into play. You must then review assumptions and risk management strategies with stakeholders, and finally, assist in plotting out solutions to the problem.
The solution component is foreign to many risk managers, who tend to leave the party after the review phase. Highlighting risks without presenting solutions also leaves risk owners in a precarious state. After all, they may have had plausible deniability before you brought these risks to light; now they’ve got a fire to put out. Don’t be the divulge-and-dash type of risk manager! Solutions not only win hearts and minds, they actually reduce risk. It’s the entire reason you’re doing all this in the first place.
Moreover, executives (who have the resources you need) absolutely hate problems without solutions. It not only makes you look incompetent, but it forces execs into solutioning mode. I’m not sure about you, but I’m not one for being micro-managed. Present your problem, and bring several alternative solutions to the table each and every time.
If something is good, people naturally want more of it. Therefore, as you (and possibly your team) establish a track record of risk management success, you’ll gain the trust of the business, which can easily pave the way for expansion of your program. That said, never lose sight of one key principle: you’re in this role to reduce risk. That’s done by solving problems, not by filling out paperwork. It may feel awkward solutioning with the business, but that’s what being a partner of the business is all about.