Managing strategic and operational risk

Learn how to manage strategic and operational risk using different Diligent One apps, what relationships exist between the apps, and how the apps support the three lines of defense.

Strategy app

Strategy is intended for enterprise risk management (ERM), which provides organizations with the insight necessary to balance risks and opportunities in order to improve business performance and achieve their strategic objectives more economically.

Example strategic risks

  • Data breach of sensitive information
  • Top talent loss
  • Occurrence of catastrophic events

Projects

Projects (which includes the Projects and Frameworks apps, among others) is intended for operational risk management (ORM), which provides organizations with the necessary assurance that the controls in place are designed and operating effectively, and that risk is being appropriately mitigated.

Example operational risks

  • No technology is in place to detect and protect the network from unauthorized vulnerability assessment tools.
  • Employee responsibilities in responding to problems are not clear or documented.
  • Facilities storing sensitive data or company information are not adequately secured.

Connections

Objectives, also known as control objectives, sections, or cycles in the Projects app, are linked to strategic risks in the Strategy app.

The diagrams below illustrate this connection, and show what information is aggregated back to the strategic risk.

  • If you link a project objective to a strategic risk, you are aggregating information from an individual project.
  • If you link a framework objective to a strategic risk, you are typically aggregating information from multiple projects.

Strategic risk linked to project objective

Strategic risk linked to framework objective

Workflow

The diagram below illustrates the workflow that can take place between risk management teams working in Strategy and assurance teams working in Projects and Frameworks.

Risk management teams can assess inherent risk using a common set of assessment criteria, work together with assurance teams to define and implement treatments to reduce risk, and assess residual risk. Testing results can be rolled up from Projects and Frameworks to the strategic risk assessment in Strategy for reporting purposes, providing the ability to view a dashboard of risk and project outcomes at the strategic level.

Basic example

Defining risk treatments

Scenario

You have identified the following strategic risk in your organization:

Failure of key third-party vendors: Third parties provide key components of our financial business infrastructure, which include technology, products, and services. Any change in these third parties or any failure to handle current or higher levels of activity could adversely affect our ability to deliver products and services to clients and disrupt our business.

You also have a series of control objectives that will be used to mitigate this risk:

  • Selection & Acquisition
  • Risk, Compliance, & Viability Management
  • Performance Monitoring
  • Relationship Management
  • Transition & Renewal
  • Successful on-boarding of new customers
  • Identify

Process

You add the strategic risk in Strategy and create the control objectives in Projects. Then, using Strategy, you link the control objectives to the strategic risk.

Result

A relationship is defined between the strategic risk and the associated control objectives, allowing you to track assurance and testing results, and assess residual risk.

Other components and relationships

The diagram below illustrates the relationships between different components in Strategy, Results, Projects, Frameworks, and Compliance Maps. Each set of components aligns with the functions of a particular team or line of defense.

Identifying strategic risk and defining risk appetite (Board / Audit)

Using Strategy, the Board first sets up a risk profile and identifies strategic risks. The Board can use Strategy to define the organizational risk appetite and align it with the strategy of their ERM program.

Tip

If the organization uses Results, metrics (KPIs or KRIs) can be linked to strategic risks to help inform inherent risk assessments.

Defining risk treatments and testing controls (Internal Audit)

Once the organization's strategic risks and objectives have been determined, Internal Audit can use Projects and Frameworks to develop programs and implement measures to mitigate risk.

Internal Audit defines treatments, tests the design (via walkthroughs) and operating effectiveness (via tests) of controls in place, and notes any issues, where applicable. As controls pass, assurance scores in Projects, Frameworks, and Strategy increase. If any one walkthrough or testing round for a control fails, the control is marked as "failed" and it is subtracted from the overall assurance score.

A framework can be set up to serve as the central repository to manage common controls across multiple projects, and these controls can be imported into the relevant projects to test individually. You can also make changes in one of these projects and sync the changes back to the framework.

Assuring requirements are being met (Compliance Team)

To showcase the organization's adherence to specifications relevant to the business, the Compliance team can create a Compliance Map to map framework controls to requirements.

Once framework controls are mapped to requirements, testing results and issues across multiple projects associated with the framework are aggregated to the Compliance Map so that the Compliance team can:

  • identify gaps
  • prioritize issues
  • track compliance progress

As controls pass, assurance for compliance increases. If any one walkthrough or testing round for a control fails, the control is marked as "failed" and is subtracted from the assurance score.
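The control-status and aggregation rule described above (a single failed walkthrough or testing round fails the control; project results roll up to framework objectives and to the Compliance Map) can be modelled in a few lines. This is an added example written for this page, not Diligent One's own scoring logic: the percentage-based assurance score is an assumption, since the page gives no exact formula, and the project and control names are constructed sample data loosely based on the advanced example below.

```python
from dataclasses import dataclass

PASS, FAIL = "pass", "fail"

@dataclass
class Control:
    """One control inside a project, with its walkthrough and testing-round results."""
    name: str
    walkthroughs: list   # design-effectiveness results, one entry per walkthrough
    test_rounds: list    # operating-effectiveness results, one entry per testing round

    def passed(self) -> bool:
        # Page rule: any one failed walkthrough or testing round marks the whole control failed.
        return FAIL not in self.walkthroughs and FAIL not in self.test_rounds

@dataclass
class Project:
    name: str
    objective: str      # control objective the project rolls up to (e.g. "Security")
    controls: list

def assurance_score(controls) -> float:
    # Assumed scoring (not the product's formula): percentage of controls that passed.
    return 100.0 * sum(c.passed() for c in controls) / len(controls) if controls else 0.0

def project_scores(projects) -> dict:
    """Project objective linked to a strategic risk: one project's own score."""
    return {p.name: assurance_score(p.controls) for p in projects}

def objective_score(projects, objective) -> float:
    """Framework objective linked to a strategic risk: all controls of all linked projects."""
    controls = [c for p in projects if p.objective == objective for c in p.controls]
    return assurance_score(controls)

def framework_control_status(projects, control_name) -> dict:
    """Per-project status of one framework control imported into several projects."""
    return {p.name: c.passed() for p in projects for c in p.controls if c.name == control_name}

# Constructed sample: one framework control imported into three projects under one objective.
FW_CONTROL = "Use security measures to protect information over all methods of connectivity"
SAMPLE_PROJECTS = [
    Project("Infrastructure Audit", "Security", [
        Control(FW_CONTROL, [PASS], [PASS, PASS]),
        Control("Patch servers within SLA", [PASS], [PASS, FAIL]),  # one failed round: control failed
    ]),
    Project("User Access Audit", "Security", [
        Control(FW_CONTROL, [PASS], [PASS]),
        Control("Quarterly access review", [PASS], [PASS]),
    ]),
    Project("Database Management Audit", "Security", [
        Control(FW_CONTROL, [FAIL], [PASS]),  # failed walkthrough: control failed despite passing test
    ]),
]
```

With this sample, the "Security" framework objective reports 60% (3 of 5 controls passed) while the individual projects score 50%, 100% and 0%, which is why a framework-level link to a strategic risk shows a picture no single project does.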

Advanced example

Managing security risk

The following diagram illustrates:

  • a strategic risk defined in Strategy (Data breach of sensitive information)
  • the linkage of a metric (% of unpatched servers per quarter) to the strategic risk
  • the linkage of the strategic risk to a control objective in Projects (Security)
  • the framework (Security Controls Framework) used as a central repository to manage common controls across three projects (Infrastructure Audit, User Access Audit, Database Management Audit)
  • the mapping between a framework control (Use security measures and related management procedures to protect information over all methods of connectivity) and a specific requirement in the Compliance Map (Manage Security)

How it works

Internal Audit tests controls and notes issues, where applicable.

  • When the Board / Audit views the strategic risk in Strategy, they will see a dashboard of risk and project outcomes, including aggregated testing results and issues sourced from the associated control objectives.
  • Testing results and issues have been aggregated to the Compliance Map, allowing Compliance Managers to attest to customers and other interested third parties that a strong control environment exists.