Conversations in Risk-Based Security

The ‘Culture’ of Risk Integration; When Integration Eats GRC for Lunch

Posted by Lynx Technology Partners on Feb 18, 2020 9:20:36 AM

Culture is a funny thing.  We all know we need it…we need more of it…we need it at the center of decision-making…we discuss it in meetings…we’ve even created executive positions for it…BUT can we define it?  Culture is fairly intangible – sorta the, “I know it when I see it” thing.

And we all know – that’s not enough.

“Culture” done right supports an inclusive environment; an environment in which everyone ‘belongs’.  A healthy company culture supports its people – their interests and needs.  A healthy company culture engages employees as ‘family’, understanding that people are unique, and are, in fact, potentially seeking that ‘belonging’.  A healthy company culture drops barriers, opening up the dialogue.  A healthy culture seeks not only to support and include; it seeks to listen – open to ALL inputs and ideas.

Enter:  Integrated Risk Management.
Unless you’ve been under your SOC rock for months, you know that there are efforts in the business world to move away from ‘risk silos’.  In the face of growing risks – coming at us faster than we could have imagined only months ago – there is a movement and a PUSH to INTEGRATE.  Knock down silos of cybersecurity, risk management, business continuity, governance, crisis communications, et al.

The movement to INTEGRATED RISK MANAGEMENT (IRM), which has been underway for a few years, began in view of cost considerations, yes, but it seeks to – perhaps for the first time – ENGAGE ALL ELEMENTS and COMPONENTS related to risk at any one company, and once and for all, support a COMPREHENSIVE view, allowing for subsequent decision-making and actions to HOLISTICALLY address and SOLVE THE PROBLEMS.

IRM, as Gartner defines it, has to be supported by a risk-aware culture and enabling technologies.  An APPROACH TO RISK MANAGEMENT taken through the Lens of ‘Culture’ offers a movement and decision-making track that, rather than imposing a solution, seeks to raise everyone’s ‘game’ within the organization, challenging participants to:  THINK BIG, THINK BOLD, THINK…‘US’!  People (culture), process and technology are all key to improving decision-making and performance through an integrated view of risk.

Creating and Deploying the CULTURE OF INTEGRATED RISK MANAGEMENT is indeed potentially daunting.  A movement involving this type of cultural shift requires everyone involved to THINK: US.  Everyone must ask:  How do WE solve these problems?  Together.

And it’s the old:  “It starts at the top!”  So listen up, LEADERSHIP – we need you to LEAD on this!  And from the viewpoint of the critical bottom line, well frankly, there’s really just no other way to ‘get there’.  Without an INTEGRATED RISK MANAGEMENT approach, designed and deployed by a company’s leadership, leaning on a CULTURE OF INCLUSION, this won’t work.  And your bottom line will suffer.

The Good News:  In addition to leadership leading, there are TOOLS to help you get there!

Integrated risk management solutions, IT vendor risk management tools, IT risk management and business continuity management program solutions are currently available.  These tools work to help organizations manage the many components of risk on a single platform.  These solutions and tools work with on-premises and SaaS deployment options, and include industry-standard processes and best practices.

TOOLS provide a PLATFORM for an INCLUSIVE CULTURE.  By providing advanced risk management maturity, informed decision-making and enhanced business performance, the tools from a number of suppliers and providers help you ‘get there’.  Imagine collecting data on cyber security risk in your organization and being able to translate it effectively to your nontechnical colleagues.  OR, having the data to help you communicate effectively with leadership while ensuring you stay safe in a constantly changing cyber security landscape.  IRM removes the friction between IT and Security, making life easier for security operations and IT because it provides an integrated view of all assets.  BUT…the TOOLS are just that, and only that.  It requires PEOPLE to design a culture that seeks to ENGAGE everyone in the solution-driven process. 

INTEGRATED RISK MANAGEMENT done ‘right’ can be a convener!  By design, Risk Integration…integrates, includes, ‘completes’.  Previous ‘divisions’ become ‘partners’ in SOLVING these critical threats we now face, daily.

We can all take a lesson from INTEGRATED Risk Management done right.

Let’s create: A Culture of INTEGRATED Risk MANAGEMENT – personally, using the industry tools that are available, and with leadership that champions it.
