5 ways to create a collaborative risk management program

Advice for breaking down the security and risk silos in your organization for a more collaborative enterprise risk management approach

How do you build an understanding of enterprise risk in a corporation where the risk management functions are dispersed across different lines of management -- General Counsel, Finance, Technology, Facilities? How do you decide which functions should participate? The ideal is to house these groups under a Chief Risk Officer or Head of Operational Risk, but in the absence of that kind of structural shift, here are some tips.

Be a leader in bilateral conversations with risk partners

The most successful global security teams that I have been a part of were always leaders in collaboration and outreach to risk partners, paving the way for information sharing. Yes, there is a risk that the information flow will be one-way, and at the beginning it usually is, but as the interaction continues over time the flow gradually becomes two-way. For example, you might start with a monthly global meeting with Facilities and Business Continuity and a quarterly meeting with Information Security and Compliance.


Conduct joint awareness programs

As part of your "doing more with less" strategy, look for opportunities to work together on joint awareness programs. Most employees at a company don't separate physical security from information security; to them, security is security. Working jointly on a security awareness program therefore often leads to further points of collaboration. Start with new-hire orientation. Participating in the wider annual compliance training program is another easy win.

Capitalize on the success of low-hanging fruit

Reach out to the heads of the risk management functions to gauge their interest in an informal working group that shares information and priorities on a quarterly basis. Gain buy-in from one other risk partner first, then approach the remaining heads as one voice. Establish ground rules for participation, particularly around confidentiality. Survey the heads of the functions on the gaps or threats that concern them most. Taking the lead here will establish you as a leader and influencer in the group. Over time, the group will be persuaded of the benefits of formalizing it into an enterprise risk management program.

Establish a joint threat heat map

Start with your head of information security to discuss creating a joint threat heat map and its benefits as a submission to the board of directors. The threat environment is only getting more complex -- data loss, workplace violence, APT, natural disasters, data breach, civil unrest, supply chain, terrorism, facility impact and so on. Plotting these threats on a likelihood-and-impact matrix lets you show how they are prioritized. Once the map exists, it is an easy way to bring in other risk partners to add their view of the threats, because the interaction is focused on a concrete work product.

Benchmark with peer companies to collect best practices

Knowing what your counterparts at peer companies are doing is persuasive in itself, and it can be compelling evidence for garnering support for cross-functional collaboration in an enterprise risk program, not only from participants but also from senior sponsors.


Once support for the cross-functional group is built, gather the participants to define its purpose, charter, scope, objectives and rules of engagement. That way, it is completely transparent why the group exists and what it has set out to do. These foundation documents should be available electronically to every participant.

Greater collaboration has been an uphill battle in an industry with a historical reputation as the department of "no." More global security leaders initiating partnerships of this kind will help erode that old belief while serving our internal customers more effectively.

Natalie Runyon is the Director of Security of the Americas at Thomson Reuters, a security leadership expert and a women's leadership strategist based in New York City.
