STEP 1 in any risk management process must be an assessment of the risk factors the organization faces and its present position relative to those risks. What factors must organizations like ours manage against? At this point in time, how much risk is each factor creating for us? Do we have adequate management measures in place to manage the inherent risk? And what is the trend? Is our situation improving or getting worse?
For many organizations, especially in regulation-heavy industries, the number of risk factors to consider can run into the hundreds, often with different parts of the organization best qualified to assess each risk. The typical solution, emailing spreadsheets around the organization, is inherently cumbersome and error-prone.
Use Risk Manager to:
- Identify the risks your organization must consider.
- Track your risks in a database with fine-grained control over access.
- Document your assessment of the inherent risk, the strength of your management of the risk, and the trend for both.
- If you must respond to a standards-based set of risks like SOC2 or banking requirements, explicitly score yourself against these frameworks.
- Map your policies against control activities to be sure you have appropriate policies in place that address each risk.
- Track your risk profile over time.
In many cases, regulators or standards bodies have already codified the risks that must be addressed.
- For example, the Statement of Operations and Controls (SOC2) framework created by the American Institute of Certified Public Accountants (AICPA) is widely used by service organizations to provide information their users need to assess the risks associated with an outsourced service.
- The ISO 9000 family of quality management systems (QMS) standards is designed to help organizations ensure that they meet the needs of customers and other stakeholders while meeting statutory and regulatory requirements related to a product or service.
- For healthcare providers, HIPAA provides an implicit risk assessment framework that organizations must comply with or risk significant penalties.
- Financial services regulators have identified a comprehensive list of risks banks and credit unions must address.