Building a Strong Risk Culture in the New Normal

Author: Sumedha Adavade, CISA
Date Published: 2 November 2021

The current times are challenging for many organizations in terms of adjusting their frame of mind to working in a hybrid manner (i.e., from home and in the office), keeping abreast of new guidelines from local regulatory and government authorities and managing operational risk.

Although operational risk is most closely associated with banking, where the resulting financial loss is most visible, it is pervasive and can affect every function across an organization. Operational risk has been growing in importance in the last few years, especially due to the pandemic, and organizations are now being forced to put aside all non-urgent projects and focus on this type of risk.

Any lapse in implementing controls on systems, processes or, most importantly, the people working from home can cost an organization a fortune or cause irreparable damage to their reputation. With so many global changes that have affected and will continue to affect organizations, there is going to be a shift in risk culture, too. Organizations all over the world need to prepare themselves to embrace this change smoothly and adjust to the evolving landscape of risk culture and awareness.

There are practical solutions for the management of people, process and technology that organizations can implement to be risk-ready for the future and instil awareness and a risk mindset throughout the organization. The following three factors are the most critical aspects for any organization aiming to have a resilient risk culture:

  1. People—People are at the core of any organization because they drive the processes, make decisions, write policies and make use of available systems to complete their work. Determining a proper strategy and building a roadmap for it are important to adapt to a hybrid working environment.
  2. Processes—Many legacy processes have required exceptions because of the pandemic and will need to be revisited in terms of their efficiency, applicability, scope, robustness and risk mitigation. It is important that all such changes pass through the second line of defense so that the risk associated with the process, and with the changes proposed to it, is addressed at every level.
  3. Technology—Going forward, it is critical that remote access to critical applications, remote infrastructure management, endpoint security, secure network architecture, the secure remote working environment and the security of data are monitored at all times.

Risk culture is a set of values, behaviors, ethics and principles followed and adopted by the people of an organization. There are many inherent challenges in managing risk culture as it is mostly intangible and, therefore, if there is dysfunction in the culture, the root cause is not always known. There also may be multiple subcultures in an organization that may be difficult to tie to an owner. Hence, risk culture must be evaluated and improved over time as it evolves along with the organization. It should also be linked to the organization’s overall risk governance process.

With the cultural shift in the manner of working and a changing landscape in terms of growth and value creation, rising expectations of customers and other stakeholders, the increase in digitization, rising information security threats, the new norm of remote working, and the growing importance of data and emerging risk, it will be crucial for organizations to focus on risk culture as soon as possible.

Editor’s note: For further insights on this topic, read Sumedha Adavade’s recent Journal article, “Sea Change in Risk Culture: Addressing WFH Risk Through the Lens of Banking,” ISACA Journal, volume 3, 2021.
