- Risk Framework: Five Easy Steps (yes, you can try this at work)
Last post, we went into what a Risk Ontology is, why we need one and what it contains. In this post, we look at Five Easy (some may say not so easy…) steps to get started. Remember that core to GRC is adopting a coordinated, coherent approach to risk management across the organization, built on a common risk ontology. And, at the core of a risk ontology, is a risk framework.
Quick review: Risk Frameworks provide risk management programs with better:
- Coordination - Provide a basis for coordinating risk across the many activities in the organization
- Consistency - Since every activity across the organization involves risk, a Risk Framework can be applied consistently to the entire organization and to its many functions, projects and activities
- Visibility - While no single definition of risk exists, adopting consistent concepts within a comprehensive framework helps the organization improve visibility into its true risk profile
- Governance - Risk Frameworks help the organization establish governance and manage risk more effectively, efficiently and coherently, both internally and externally with 3rd parties
- Flexibility - A Risk Framework, properly designed, can support variations in approaches, threat definitions and risk criteria across internal organization functions, partners and customers
- GRC Technology Platform Value - Risk Frameworks are essential for driving value out of GRC technology platforms and enabling tools; those tools are only as good as the underlying frameworks, processes and procedures that define their use.
What’s in a Risk Framework?
Here are the main things you want to get defined in a risk framework. This is a subset of the GRC Ontology; the core or ‘engine’ of risk management.
1) Risk hierarchy; which includes Class and Type
2) Mitigating Controls (and procedures)
3) Risk Scores, and
4) Metrics
Risk Scores (inherent and residual) come as a by-product of assessments and can change over time.
Read the full blog post at: Yo Delmar, GRC and Beyond