Yo Delmar
Follow Yo on Twitter @yoDelmar.

Yo Delmar has over 30 years in the technology industry, as it has evolved from punch cards through distributed computing to today's fluid and elastic infrastructures. She loves technology and has focused her attention on risk management over the last 8 years.

Yo enjoys understanding emerging markets and urgent customer needs, and helping to rationalize and create that class of solutions that add strategic value while delivering dramatic cost savings.

Yo's current expertise is in go to market strategies and programs for governance, risk and compliance (GRC) solutions. She has led start-ups and business units within system integration and outsourcing companies, and has many years consulting experience, in initiatives ranging from technology acquisitions through enterprise-wide architecture strategies.

Yo lives in Great Falls, VA with her family.
Risk Framework: Managing Content – What’s The Best Practice Governance Process
Written on February 8, 2012 by in Compliance, Governance, Risk

The last two posts have dealt with Risk Ontology, why we need one and what it contains; and Risk Framework – what it contains, and five key steps to get started. This post is about how to manage that information once it is defined.

What’s the best practice process and governance for managing a Risk Framework?

Managing updates to the Risk Framework can be a bear if you don’t have good governance around that information once it is defined.

Basically, we have three phases to the process, outlined below. Many GRC technology platforms (shameless plug, yes, RSA Archer does this) support this type of process, but a word of caution: you still need to define the Risk Framework that makes sense for your organization, work through the step-by-step process for each stakeholder community, train people on it, and implement the governance process to support it.

  1. Risk Framework – That’s what we talked about last post. With the Stakeholder Community, define the risk hierarchy of classes and types, identify and rate risks through to their residual rating, and associate metrics to risks.
  2. Risk Remediation – For all risks with an inherent risk that is above the threshold, go through a remediation cycle. Some of these activities will be part of a regular risk assessment – but need not be.
  3. Content Review – Use the Stakeholder Community as a Review Board for Risk Content. New risks will emerge through audits and assessments, so make sure you have a regular review and governance process in place to accept new risks into the framework, and prune risks that are no longer relevant for your organization.

If you follow this type of best-practice process, you will go a long way toward implementing a GRC ontology that gives your organization visibility into, and control of, the risks that really matter.


Read the full blog post at: Yo Delmar, GRC and Beyond
