taxonomy - Blog - Global Risk Community
2024-03-29T07:28:17Z
https://globalriskcommunity.com/profiles/blogs/feed/tag/taxonomy

4 Ways to Prevent Business Surprises with Risk Identification
https://globalriskcommunity.com/profiles/blogs/4-ways-to-prevent-business-surprises-with-risk-identification
2015-10-16T15:00:00.000Z
Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p>Nobody likes surprises in business. Using a risk-based approach to identify your organization’s likely vulnerabilities is highly recommended and vital to short-term and long-term success. Expanding regulations make compliance increasingly complex and expensive, and <a href="http://www.logicmanager.com/erm-software/2015/09/17/weak-risk-management-leads-to-internal-controls-deficiencies/">increases in deficient internal audit controls</a> have heightened scrutiny of companies by the SEC, PCAOB, and investors.</p><p>Business surprises are preventable, but there are several common issues with <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">risk identification</a> that can be impossible to overcome without an effective ERM framework and infrastructure solution in place, including:</p><ul><li><span><strong>“Silo’d” Information Gathering</strong>: </span>The inherently different approaches each business department, or silo, takes to <a href="http://www.logicmanager.com/erm-software/product/assess/">risk identification</a> and reporting are often the result of each department having its own autonomous risk process, which makes the prediction of surprises that cause loss events difficult. Differing reports of potential issues hinder efficient risk identification and, consequently, resource distribution.
Many disasters waiting to happen can be prevented with straightforward solutions if only the connection between issues in different silos is uncovered.</li><li><span><strong>Lack of Involvement at the Front Lines</strong>: </span>Too often, organizations fail to take advantage of the experiences and knowledge of front-line employees, who are a crucial resource when it comes to risk; they are the first ones to notice issues, including faulty equipment, inefficient processes, customer complaints, and unresponsive vendors, that often cause surprises.</li></ul><h3><span class="font-size-3"><strong>How Risk Identification Software Handles These Problems</strong></span></h3><p><a href="http://www.logicmanager.com/wp-content/uploads/2014/02/iStock_000026836862Small-500x375.jpg" target="_blank"><img src="http://www.logicmanager.com/wp-content/uploads/2014/02/iStock_000026836862Small-500x375.jpg?width=300" width="300" class="align-right" alt="iStock_000026836862Small-500x375.jpg?width=300" /></a>Software solutions for risk identification don’t simply formalize the framework and process of risk reporting (from the front lines all the way to senior management); they also link performance indicators to risks at the <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">root-cause level</a></span>. This allows for a standardized process and avoids wasting resources and causing redundancy. It also simplifies the alignment of day-to-day activities with senior management directives, especially in times of change.</p><p>Additionally, <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/grc-software/risk-management/">risk management software</a></span> like LogicManager allows for “risk ownership,” meaning each department is responsible for evaluating its area of control.
Using root causes, different departments may find they share certain risks (such as <em>staff competencies</em>), but they will still be able to assess performance and create mitigation activities (such as <em>new training programs</em>) as they see fit.</p><p>Building a <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/">risk taxonomy framework</a></span> that links a centralized library of risk information to control activities enables you to proactively address risks <em>before</em> they manifest as surprises, causing losses and business interruptions. Key advantages include enterprise-wide terminology, risk classification, and management of relationships between different types of data. These advantages make it easy to cascade information out to the front lines and aggregate answers back up to senior management.</p><p>A taxonomy framework enables you to accomplish four important tasks to prevent surprises:</p><ol><li>Create and link root-cause risks to <em>specific</em> organizational processes. Most, if not all, organizations have mitigation activities designed to reduce risk. The keystone holding the entire process together, however, is the ability to assign that activity to the risk that is actually causing the problem. No matter how efficient training procedures are made to be, for example, organizational productivity won’t increase if authority is delegated improperly.</li><li>Standardize each department’s approach to risk identification with regular risk assessments that utilize predetermined scales and criteria. This ability means every department bases its analysis on the same standard, preventing repetition and wasted resources.</li><li>Tie risk events back to root causes affecting multiple departments, which allows organizations to identify high-priority areas.
A root cause impacting the functionality of three departments should be neutralized before a root cause having a similar impact on only one department.</li><li>Develop mitigation activities that efficiently use limited resources, and monitor their effectiveness over time.</li></ol><p><strong><em>Read more in our <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">best practice article on root cause risk identification</a></span> to learn more ways to help your organization affordably identify and minimize risk.</em></strong></p></div>

How ERM Integration Creates Efficiencies
https://globalriskcommunity.com/profiles/blogs/how-erm-integration-creates-efficiencies
2014-04-30T19:00:00.000Z
Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p><a href="{{#staticFileLink}}8028228089,original{{/staticFileLink}}"><img width="350" src="{{#staticFileLink}}8028228089,original{{/staticFileLink}}" class="align-right" alt="8028228089?profile=original" /></a>Lack of transparency makes risk, performance and compliance information hard to discover, collect and maintain. Within every organization, governance areas are conducting activities, each based on different assumptions with different standards, all of which contain a risk component.</p><p>While these are typically not thought of as risk activities, when the responsibilities of each governance area are compared to a risk-based process – identifying & assessing, mitigating, and monitoring – you find that the activities within vendor management, business continuity, financial reporting compliance, etc.
are actually exercises in risk management.</p><p>Examples of the risk intelligence collected in these silos are the Business Impact Assessments (BIAs) and Vendor Assessments conducted by the <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/grc-software/business-continuity-planning/" target="_blank">Business Continuity</a></span> and <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/grc-software/vendor-management/" target="_blank">Vendor Management</a></span> departments within your organization.</p><p>These activities often necessitate overlap, especially when BCP/DR is tasked with identifying the key vendors that must be utilized in a disaster recovery scenario. Both groups might take on the exercise of identifying vendor relationships to core business processes, with a vastly different set of assumptions, without ever leveraging the expertise of the other business area.</p><p>When risk activities (like Business Impact Assessments and vendor due diligence) are carried out on the same standards and assumptions and thought of as a <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/product/risk-based-process/" target="_blank">common framework</a></span>, they can be compared and utilized cross-functionally. Business Continuity Managers and Vendor Management will have a common language to use when identifying the vendors critical to the disaster recovery process. Since these activities are already taking place anyway, no new work is added; the standardized language allows both groups to be more efficient and to utilize the expertise and insight of the other business silo.</p><p>Few organizations operate in this manner because functions track their data in their own spreadsheets with standards they’ve developed for their specific business silo.
Knowing which vendors are considered critical by business continuity makes vendor managers better at their job, and likewise in the opposite direction. It also decreases time spent on tactical activities, freeing these groups up to focus on the strategic elements of their profession that make them most effective.</p><p><strong>To learn more about how to develop an ERM framework, check out the complimentary webinar titled '<a href="http://www.logicmanager.com/watch-webinar-actionable-erm-framework">5 Key Principles for an Actionable ERM Framework.</a>'</strong></p></div>

Taxonomy Aids Navigation of Turbulent Healthcare Environment
https://globalriskcommunity.com/profiles/blogs/taxonomy-aids-navigation-of-turbulent-healthcare-environment
2013-10-02T13:00:00.000Z
Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p><a href="http://logicmanager.com/wp-content/uploads/2013/10/Health-care.jpg" target="_blank"><img src="http://logicmanager.com/wp-content/uploads/2013/10/Health-care-300x199.jpg?width=300" width="300" class="align-right" alt="Health-care-300x199.jpg?width=300" /></a>With the <a href="http://www.hhs.gov/healthcare/rights/law/index.html">Affordable Care Act</a> (ACA) continuing its implementation this week with the start of the open enrollment period, there has never been a more critical time for Healthcare Institutions to have a firm handle on their risk environment and the implications of those risks.</p><p>Since its enactment in 2010, the ACA has fundamentally shifted how many hospitals must conduct day-to-day operations. For example, hospitals must now shift their patient records systems to electronic medical records, which introduce a host of IT and data security risks.
The ACA also emphasizes Value-Based Purchasing, resulting in a new hospital payment system based not just on volume of service but on key metrics, such as the rates of <a href="https://www.aamc.org/advocacy/medicare/153882/selected_medicare_hospital_quality_provisions_under_the_aca.html">Hospital Acquired Conditions (HACs) and Readmission</a>.</p><p>To maximize efficiency, hospitals are introducing a host of new policies and procedures designed to ensure compliance and maximize quality of care. In this period of significant change and experimentation, hospitals face significant challenges in tracking the relationships between new programs, new mandates, and new risks, while also tracking the key healthcare metrics that indicate the effectiveness of each initiative.</p><p>One method of tackling this problem is with a formalized <a href="http://logicmanager.com/erm-software/product/risk-taxonomy/">Taxonomy</a>. In a healthcare organization’s taxonomy, both clinical and operational risks can be tied to the regulations they impact, whether that’s the evolving impact of the ACA or more mature regulations such as HIPAA and JCAHO.</p><p>When the time comes to address emerging risks with internal controls, a Taxonomy allows hospitals to identify systemic risks that can be addressed with enterprise-wide policies rather than point solutions, allowing hospitals to operate with the efficiency that’s now even more critical to their business. Besides risks, key business metrics and key risk indicators (KRIs) should be related to the organizational goals they support, allowing organizations to focus resources on the initiatives that provide the greatest potential for improvement in patient care or efficiency of operations.</p><p><a href="http://www.ashrm.org/">More and more hospitals</a> are turning to enterprise risk management to create the efficiencies needed in today’s healthcare environment.
A mature enterprise risk management framework will not only reveal the dependencies that can streamline operations, but will provide your leadership with formalized reports that demonstrate the true value of your ERM program for both your organization and the patients it serves.</p><p><i>Interested in the key aspects of an ERM Framework that can help your hospital operate more efficiently? Download our eBook, </i><a href="http://info.logicmanager.com/download-ebook-5-key-principles-for-an-actionable-erm-framework"><i>“5 Key Principles for an Actionable ERM Framework.”</i></a></p></div>

Assessing Risk: How Big Risk Data can Paralyze ERM
https://globalriskcommunity.com/profiles/blogs/assessing-risk-how-big-risk-data-can-paralyze-erm
2013-07-24T16:00:00.000Z
Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p><a href="http://logicmanager.com/wp-content/uploads/2013/08/security_risk_management.jpg" target="_blank"><img src="http://logicmanager.com/wp-content/uploads/2013/08/security_risk_management.jpg" class="align-left" width="324" height="243" alt="security_risk_management.jpg" /></a>A study published last week, sponsored by Tripwire and conducted by the <a href="http://www.ponemon.org/blog/the-state-of-risk-based-security-management">Ponemon Institute</a>, found that while over 80% of security and risk professionals consider their organization's commitment to risk-based security management significant, less than 30% had a formal risk management strategy in place.</p><p>Why does such a large gap continue to exist, even as the <a href="http://www.rims.org/resources/erm/pages/RiskMaturityModel.aspx">evidence piles up</a> that organizations with a mature risk framework are better performing and more prepared for an uncertain future?</p><p>One hurdle that we see consistently challenge organizations with a growing ERM process can be best described as a paradox of big data.
These organizations have recognized the need for a formal ERM process, have hired experienced professionals to lead the charge, and have collected data in risk assessments from across their organization. Now faced with tens or even hundreds of identified risks, the risk managers are in effect paralyzed by the abundance of options as they try to aggregate risk assessments and report on findings.</p><p>Collecting as much risk intelligence as possible seems like a worthy best practice, but big data is only as useful as the tools in place to use it to its full advantage.</p><p>The solution to this problem is an objective Enterprise Risk Management framework that doesn't rely only on intuition, but instead balances the assessments against the organization's unique business structure. With this type of structure, or <a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/">risk taxonomy</a>, in place, an identified risk can be assessed by the affected party and categorically ranked.
An effective taxonomy will provide organizations with the flexibility to prioritize risks not only by department, but also by geographic region, strategic initiative, or adherence to frameworks like COSO, COBIT, and RIMS.</p><p>This kind of flexibility allows organizations to easily analyze a large amount of enterprise risk information, but it can be difficult to achieve without a formal risk management process and may not be obvious to an organization facing a multitude of risks.</p><p>If your organization is faced with a challenge in reporting on risk assessment data, we invite you to watch our <a href="http://www.logicmanager.com/streamline-governance-activities-erm-video">Streamlining Governance Video</a>.</p></div>

ERM: 5 Steps to Success
https://globalriskcommunity.com/profiles/blogs/erm-5-steps-to-success
2013-05-20T16:30:00.000Z
Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p style="font-size:14px;color:#303437;font-family:Arial, Helvetica, sans-serif;line-height:normal;background-color:#ffffff;"><a href="http://logicmanager.com/wp-content/uploads/2013/05/resources-300x263.png" target="_blank"><img src="http://logicmanager.com/wp-content/uploads/2013/05/resources-300x263.png?width=300" width="300" class="align-right" alt="resources-300x263.png?width=300" /></a>Most agree that working from the top down, meaning first identifying corporate objectives and then focusing on the details of how to achieve them, is what most managers wish they could be doing more of. However, the reality is that most managers are so busy with day-to-day activities that little time is left over to work on the big picture. Everyone agrees the role of ERM is for risk management to be involved in the “key business decisions”; however, some misinterpret this as interviewing only the senior executives in “big picture” assessments.
In reality, aligning the day-to-day activities of all managers to the strategic objectives set by senior leadership, and then aggregating and analyzing this information, is the winning approach.</p><p style="font-size:14px;color:#303437;font-family:Arial, Helvetica, sans-serif;line-height:normal;background-color:#ffffff;">So how is this accomplished?</p><p style="font-size:14px;color:#303437;font-family:Arial, Helvetica, sans-serif;line-height:normal;background-color:#ffffff;">Here are the 5 steps to quickly and practically embed risk management enterprise-wide.</p><ol style="margin:0px 0px 6px 25px;padding:0px;color:#303437;font-family:Arial, Helvetica, sans-serif;font-size:12px;line-height:normal;background-color:#ffffff;"><li style="padding-bottom:4px;font-size:14px;"><strong>Begin with a "quick win": </strong><span style="font-size:1em;">Day-to-day activities are managed by business process owners throughout the organization. Winning the hearts and minds of these managers is all about helping them get current and in control of what’s in their “inbox”. Being in control of their current work will free up needed time and energy to understand and contribute to the “big picture.” Start with a business function that your direct boss is already responsible for, such as vendor management, information security, fraud, internal audit, regulatory compliance or business continuity. Your boss is highly motivated to get things done and has the resources, expertise and authority to help you make a “quick win” with this business area in less than 90 days. Quick wins build confidence and skills, and attract other managers to seek you out and invite you into their world.</span></li><li style="padding-bottom:4px;font-size:14px;"><strong>Streamline current daily activities: </strong><span style="font-size:1em;">An organizational system is needed to reach managers and help them connect to the big picture.
A successful system will immediately streamline their daily tasks so nothing falls through the cracks. This organizational system is called “<a href="http://www.logicmanager.com/erm-software/product/">ERM Software</a>.” Often, I have been asked for real-world examples of this technology successfully adopted. Believe it or not, one of the best examples of a risk-based approach is Facebook or LinkedIn. Consider the task of documenting and connecting every person on Facebook, “the big picture,” from the top down in spreadsheets. This approach would be impossible! That is why Facebook instead focuses on the immediate problem of providing an organizational structure that allows users to share their information easily and quickly. Most importantly, the structure automates what each user is attempting to achieve, building a “big picture” network of contacts they can call upon when they need them. ERM Software is real and operates with the same technology and approach, but unlike a "social network", ERM Software builds a “corporate network” of information, updates, and connections fully controlled by your organization. ERM Software grows in value exponentially, like Facebook does, with minimal oversight and expense. This same organizational structure enables you to aggregate and analyze this information to deliver the “big picture” to the board and senior leadership.</span></li><li style="padding-bottom:4px;font-size:14px;"><strong>Make relationships visible: </strong><span style="font-size:1em;">Separation of duties originally focused employees in departments that were structured to manage only one subject, like vendor management or IT security; however, corporate silos have been crumbling, leaving such employees unprepared to meet these new challenges or uncover the inter-dependencies between their efforts.
A risk taxonomy within ERM Software provides a structure to collect the information already in use by your organization. Additionally, like Facebook or LinkedIn, ERM Software does all the heavy lifting: finding who is connected to whom, maintaining these relationships on your behalf, and automatically notifying you of changes you should know about. No more “missing the memo” or “gaps” in your control environment. At the click of a button, ERM Software uses these relationships to connect a manager’s activities to the leadership team’s strategic objectives. Just like Facebook, these relationships communicate information both vertically and horizontally, resulting in the alignment of activities without any additional work from participants.</span></li><li style="padding-bottom:4px;font-size:14px;"><strong>Use <a href="http://www.logicmanager.com/erm-software/product/assess/">risk assessment tools</a> to prioritize tasks: </strong>Stress comes from inappropriately managed commitments. A risk assessment asks the question, “What is the business impact, and should I really make this commitment?” A risk assessment not only helps each manager prioritize tasks, but also covers their backs with sound reasoning using enterprise-wide evaluation criteria. ERM Software enables managers to make the business case for allocating resources to their most critical tasks, making work faster and easier to accomplish. A risk assessment score is attributed, based on the relationships in step 3, to all connected policies, contracts, and controls, automatically prioritizing work and making clear what should be done next.</li><li style="padding-bottom:4px;font-size:14px;"><strong>Establish the ERM Process:</strong> <span style="font-size:1em;">I have discovered that one of the major reasons managers are skeptical about ERM is that they have tried to do all five steps of risk management at the same time and by themselves.
ERM Software, like Facebook and LinkedIn, creates step-by-step wizards that organize your thoughts into a system that you can trust and rely upon. ERM Software reminds you when to identify, assess, evaluate, mitigate, or monitor risk, and it connects you to those who can help you complete tasks in half the time. Creating an enterprise-wide network of assets, processes, and risks at one point seemed impossible, but by empowering users and equipping management with the appropriate structure, it can be accomplished in as little as 90 days.</span></li></ol><p style="font-size:14px;color:#303437;font-family:Arial, Helvetica, sans-serif;line-height:normal;background-color:#ffffff;"><strong>So what is holding you back from getting started?</strong><br /> Don’t buy any ERM Software at all; just pay as you go with a full-spectrum ERM SaaS cloud service. LogicManager can have you up and running in 5 business days without any upfront hardware or software investments, no IT work, and no long-term commitments—just all the built-in content you need, all connected. Hard to believe? <strong><a style="color:#5f8bb3;" title="Click here to watch" href="http://www.logicmanager.com/linking-risks-to-strategic-decisions">Click here to watch</a></strong> a 4-minute video of how to get your first quick win using your data.</p></div>

5 Ways to put Risk Appetite into action
https://globalriskcommunity.com/profiles/blogs/5-ways-to-put-risk-appetite
2011-04-12T05:00:00.000Z
Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p>An organization-wide <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/" title="risk appetite">risk appetite</a> can be a powerful statement that gives your risk or compliance program direction. However, like any policy, risk appetite without accompanying action is nothing more than an idea.</p><p>So how do you give your risk appetite teeth?
How do you make it an actionable guide for your organization?</p><p>Here are five recommendations to put your risk appetite into practice.</p><p><span><strong>1. Translate <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/" title="risk appetite">risk appetite</a> to the process level.</strong></span></p><p>Every day your front-line managers are making operational decisions about risk, far from your risk appetite policies. This is where income is generated, where employees interact with customers, and where emerging liabilities are first visible.</p><p>To successfully implement your risk appetite you need to identify and set risk tolerances at this level of operations: the front-line process level. This will allow you to connect front-line decisions with your overall risk appetite and determine which processes are out of range.</p><p><span><strong>2. Set and measure <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/" title="risk tolerances">risk tolerances</a> around <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/" title="root causes analysis">root cause analysis</a>.</strong></span></p><p>Setting risk tolerances around front-line processes isn't enough to truly put your risk appetite into action. You also need to be monitoring the root causes of risk at this level.</p><p>For example, say your risk appetite sets a low tolerance for customer dissatisfaction and, as a goal, you aim to increase customer satisfaction. You could set goals for a particular customer satisfaction survey. However, this metric doesn't offer any actionable solution to improve customer service.</p><p>Instead, go to the root causes of customer dissatisfaction with metrics such as call wait time, email response time, or case volume.
Unlike the results of a survey, these metrics are actionable if they are found to be outside of their defined tolerance.</p><p><span><strong>3. <a href="http://www.logicmanager.com/erm-software/product/monitor/" title="Risk metrics">Risk metrics</a> need to be forward-looking.<br /></strong></span></p><p>Another problem with our customer service survey comes from the time it takes to compile responses and analyze aggregated results just to be able to make a decision. With a survey you'll always be acting on customer impressions from last month as an effect of last year's policies.</p><p>Instead, your metrics need to be looking to the future. Back in our customer service department, case volume, for example, is available as cases are created and will allow you to detect emerging trends long before they have significantly affected your organization.</p><p><span><strong>4. <a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/" title="Standardize">Standardize</a> your risk metrics enterprise-wide.</strong></span></p><p>Underlying risk metrics need to be comparable over time, across levels, and across silos for a risk tolerance to be meaningful.</p><p>Using our customer service metrics again, re-opened cases might be a good root-cause metric, but it's not comparable over time or across products as the number of total customers will vary. Instead, measuring the percentage of re-opened cases may be a more meaningful metric, as its value is independent of customer volume and is thus comparable both over time and across silos.</p><p><span><strong>5. Align your risk tolerances with your <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/performance-management-with-erm/" title="strategic goals">strategic goals</a> and business model.</strong></span></p><p>Risk tolerances will naturally develop from your overall risk appetite, but they also need to be in line with your organization's goals.
Your organization might define a very low tolerance for customer dissatisfaction, but if you're attracting lots of high cost customers, then this policy isn't in line with a discount business model.</p><p>When risk tolerances are aligned with both overall risk appetite and strategic goals, they will both improve risk mitigation effectiveness and contribute to achieving your strategic goals.</p><p>To see the power of these recommendations in action, see our video "<a href="http://www.logicmanager.com/streamline-governance-activities-erm-video" target="_blank">Streamlining Governance with ERM</a>".</p></div>