At the end of each calendar year, I look back at how the year went, mainly in my personal life. For example, I reflect on what happened in my family - who graduated, got engaged or married or had kids, who accepted new jobs or moved. I also look at how things went with my career, if my health has improved and how my relationship with my wife got better. These are some of the most important aspects of my life and that’s why I reflect on them. Not that I don’t think about them more often, because I do, but the end of the year is a good time to look back.
I was also reflecting recently on the areas I oversee here at RSA - which are Business Resiliency and Audit for Archer. These two areas are not that similar, but I have noted a common theme in that these two fields continue to turn their sights to risk management, moving more and more from being primarily compliance-driven disciplines. Specifically, they are looking at what the impacts of risk are to the businesses they support - their organizational goals, revenue and growth projections, customer impacts and strategic objectives, to name a few. I have also noticed that IT organizations, specifically trying to manage the far-reaching effects of cyber threats, are translating IT risk into business impact so executives and business decision makers can better understand the implications and make better decisions.
That’s the pattern I’ve noticed this year - moving to business risk. It’s the right trend and a good sign. Some things are helping this along. For example, frameworks like the ‘three lines of defense’ are being more widely recognized and adopted and are driving better alignment across groups that deal with risk. It also helps that industry analysts are touting the benefits of aligning the three lines within the enterprise risk or operational risk management (ERM/ORM) umbrella, and that many solution providers and partners are following suit. This has been RSA Archer’s mantra for many years so it’s good to see it catching on.
What happens next? We need to take action and I recommend these areas to consider.
One Step at a Time. My personal reflections sometimes (maybe not often enough) result in changes in my life but often fall off because they’re based on “changing the world” goals. I recommend aiming for incremental change. Do a little better each day. How do we know if we’re improving our business risk management? We monitor and report and analyze key risk metrics. We also need to focus on simplicity. Not many of us are risk experts, but we all have a role in owning risk, so we need a concise set of indicators (think of your car’s dashboard) we can use to make course corrections. Recognize small victories and build on them.
First Things First. We need to focus on the most important risks. Like my personal reflections about my family, career and life illustrate, they’re the absolutely most important aspects of my life. Business risk management should follow suit. Complex businesses throw so many risks at us that we can’t focus on everything and do it well. So, prioritize and focus on the most important risks.
Today and Tomorrow. I look back to see how the year went but I also reflect every day on how I can improve some aspect of my life. Business risk management should also include analysis, reflection and action based on long and short term views. Risks take different shape and affect our businesses differently over the short and long term. This goes for negative and positive risks. We can learn much by looking at both viewpoints and taking action based on what we learn.
Something I’ve learned doing this year after year is to stay as positive as you can and keep working at it. Have a great end of 2016 and may your 2017 be even better! Contact me at patrick.potter@rsa.com or @pnpotter1017.
