Why communication is key for effective risk management
Effective risk management is grounded in a range of success factors and the right interplay between them. Owen Strijland and Kate Robinson from Protiviti and Michel Kok from HollandSpoor outline why communication belongs at the top of the list of key success factors, and share a number of communication best practices across the risk lifecycle.
In our analysis of the risk management lifecycle we distinguish five key phases: interpreting organisational strategy; identifying key risks and considering risk appetite; designing and implementing controls to mitigate risk; monitoring risk events; and, inevitably, managing incidents. In our view, effective internal and external communication plays an essential role at each stage of the risk lifecycle:
Stage one: interpreting organisational strategy
First it is important to understand what your strategy means. It should be broken down into a set of defined and measurable objectives, which guide day-to-day business. Here, communication has two main purposes:
- Engaging with stakeholders about your organisational strategy helps bring the outside world into strategic discussions. Ask yourself: how do we want (internal and external) stakeholders to perceive the organisation in general? What do they find important and why?
- Translating organisational strategy into defined objectives is in itself an act of communication. In order to arrive at a set of business objectives, it is necessary to engage with a range of internal and external stakeholders to determine what is achievable and to make an assessment of the alternative strategies which may be taken to achieve those objectives.
Through the lens of GDPR, organisations must commit themselves to upholding high standards of data stewardship and transparency. Understanding the best way to achieve these objectives is only possible when internal and external stakeholders are involved in the conversation.
According to the ‘Big data and trust consumer survey’ by Boston Consulting Group, organisations regularly fail to align their privacy initiatives with the expectations of their consumers. The results of the survey indicated that organisations:
- fail to communicate how they use consumers’ data in a way that consumers are receptive to (e.g. using overly legal or technical language in privacy statements);
- fail to use data in new ways that consumers are actually open to (a missed opportunity for innovation); and
- fail to give consumers the power to choose how their data is used.
With this in mind, it is clear that there must be a feedback loop between organisational strategy and key stakeholders to ensure that the strategy is properly defined, that the impact on the company’s data stewardship is clear and that goodwill is earned. Note that BCG’s survey shows that consumers are willing to share their data with organisations that they trust.
Stage two: identify key risks and consider risk appetite
The next element of the risk management lifecycle is to identify key risks to achieving organisational strategy & objectives and define the appropriate risk appetite. Every organisation should conduct risk alignment workshops at least annually to identify emerging risks and assess the exposure to known risks.
Risk alignment workshops should be conducted with internal stakeholders across the business (e.g. client facing/sales functions, legal, finance, operations, technology) and, if applicable, external stakeholders. The primary objective of these workshops is clear, however there is an important secondary objective: to create and encourage cross-functional dialogue aimed at better understanding the organisation and its threats, whilst also enhancing cooperation across the organisation.
It follows that organisations which are largely dependent on the data they acquire should maintain a regular dialogue with their stakeholders to understand the risk appetite the organisation should adopt.
Stage three: design and implement controls to mitigate risk
Risks identified in the previous stage are the building blocks for your risk control framework. We believe that communication is an essential measure for any effective control framework. Below we discuss communication as control, communication in control design and communication as a mechanism for enhancing control effectiveness.
Communication as a control
Proactive communication on topics which are important to your stakeholders is a mechanism for influencing the perception of how the organisation is performing. You should communicate what you are doing to prevent risks (cause) and what you do to limit the impact (effects) when an incident (event) occurs.
Within the context of GDPR compliance, the regulation requires ongoing communication with your stakeholders (regulators, customers, employees, job applicants and others). You are obligated to communicate with stakeholders at the point of initial engagement (e.g. the information you must provide when collecting personal data), throughout the engagement lifecycle (e.g. when responding to data subject requests) and, where the regulation requires it, in the instance of a data breach or security incident.
These moments of communication are mandatory, however the form and frequency with which you communicate can differentiate you from your competitors. Therefore we urge you to communicate in a clear way about the measures you take to reduce the likelihood of a security incident and how stakeholders can be informed about the management of their data.
Now, a security incident at some point in time is inevitable; the volume of criminal, accidental and political efforts to get at valuable data makes this a question not of ‘if’, but ‘when’. Therefore, we suggest that you lay out an approach describing the steps you will take to remediate and communicate a security incident, and share this with your stakeholders.
Don’t forget to add the steps you expect from your stakeholders. Your stakeholders are wise enough to know that a 100% guarantee is not attainable and we propose that honesty and communication are more effective methods for building and maintaining their trust.
Communication in control design
Creating an effective control framework requires engagement across the business because controls cannot be considered in isolation. For controls to effectively mitigate risk, they must address risk in end-to-end processes. Many organisations rely upon dated or inadequate controls (they are there, so why not?), controls provided by their regulator or controls which are market ‘best practice’.
However, one size does not fit all, and designing an effective control framework requires understanding the underlying purpose of each control. Is a control designed to affect the cause (mainly preventative), the effect (often a corrective control), or does it simply monitor the event (detective control)? In a competitive market it is necessary to spend wisely; this means designing controls which are streamlined, precise and time efficient, and in this day and age preferably automated, both in their execution and in the testing of their effectiveness.
Consider implementing Privacy Impact Assessment triggers in business change processes. This is an essential step to ensure that any business and IT changes are appropriately assessed for Privacy by Design / Default, reflected in the Record of Processing Activities and assessed for privacy risks.
Many organisations struggle to embed privacy triggers because the triggers have to be implemented in what are often disparate processes, varying across functional areas or locations and lacking consistency. Gathering a complete picture of business change mechanisms and designing controls that properly cover these processes requires extensive communication and coordination, to ensure that changes do not ‘slip through the cracks’ whilst also not creating burdensome control processes.
Communication as a mechanism for enhancing control effectiveness
Communication plays a key role in maintaining and enhancing the effectiveness of the risk control framework:
What is the control and how does the control work: In other words, individuals need to be sufficiently educated on the control framework and how it operates. Those persons who are responsible for executing controls need to be trained on exactly how they should execute the control.
Why is the control important: Anyone who has worked in the 2nd or 3rd line will be familiar with this situation. A control has failed and the person responsible for executing the control asserts that it doesn’t matter because this control is not important anyway. Whether your control framework fails because it was designed poorly or because control owners failed to understand their role in the risk management process makes no difference to the outcome: the risk is left unmitigated.
When individuals within the first line fail to understand the importance of their role in regard to risk management and compliance, they are unable to reinforce the organisation’s strategic and communication objectives. Worse, they may undermine the hard work of the organisation by making statements which contradict the organisation’s objectives.
Take for example the scenario where an existing customer contacts your customer service line to enquire about the use of their data or to request access to their data. When customer service representatives are not adequately trained, they may fail to answer these questions adequately, or they may fail to even recognise that this is a GDPR request (a data subject access request) with a statutory response deadline. Failure to adequately communicate your control framework and create awareness of individual responsibilities within the framework undermines its effectiveness.
Stage four: monitor risk events
This stage includes the monitoring and analysis of risk events, in other words potential incidents. In general, these efforts go unseen by your stakeholders; they only become aware of this work in the instance that an incident actually occurs. But you should communicate the hard work you do to detect and analyse risk events.
This reinforces the messaging that you have created a robust risk management approach, one which has effectively prevented a high volume of risk events from escalating into incidents. In your communication you might indicate that in 2020 you detected 1,000 risk events. However, because of your risk and control framework, only 5% of risk events resulted in an incident and of those incidents, none posed a serious risk to the organisation or its stakeholders. Isn’t this an impactful message to communicate?
In the context of GDPR compliance, consider communication on suspected data breaches. The regulation enforces mandatory reporting of personal data breaches to the Supervisory Authority (without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals) and to the affected individuals when the breach is likely to result in a high risk to their rights and freedoms. However, all organisations still need to identify, assess and document suspected data breaches, whether notifiable or not; these may relate to employee error, malicious attacks or information security design flaws.
Why not communicate to your stakeholders about the number of suspected data breaches your organisation handled and how your control framework prevented those risk events from escalating into an actual data breach? This creates another opportunity to demonstrate the measures your organisation takes to protect their data, thereby building trust and goodwill.
Stage five: incident management
As stated above, incidents will happen. You should communicate what has happened, how you are going to deal with it and what you expect from your stakeholders. If you have adhered to our proposed approach, you should already have templated documents and clear communications protocols which are aligned to your strategy of building & maintaining trust.
Consider alternative ways to communicate to stakeholders (via segmentation): you may issue a detailed legal analysis for your regulators and short videos supported by detailed content (in simple language) for your other stakeholders. How you handle this situation is yet another indicator to your stakeholders of how you value their trust and how you will take the measures necessary to protect their interests.
For illustration purposes we refer again to the example of a personal data breach, because we feel that this is almost inevitable. In this scenario, you have communicated all of the efforts your organisation has made to prevent a data breach from occurring, you have communicated how you would handle a data breach and you have communicated what you would expect from your stakeholders.
Now is the moment to put this into action. You should communicate: the nature and scope of the data breach; the steps you are taking or have taken to fully assess the exposure and to stop or limit the breach; how you will support impacted stakeholders and what they should do to limit the impact for themselves; and the longer term steps you will take to prevent a breach like this from occurring in the future.
To conclude
Communicating in an open and transparent manner throughout the risk management lifecycle is important to maintain and (re)build trust. Integrating a clear communication strategy within the risk management lifecycle 1) makes your risk controls more effective, 2) builds trust at every stage, not just when there is a crisis, 3) helps you to distinguish yourself from your competitors and, last but not least, when it comes to data, 4) will have a positive impact on your revenue.