2.2 Risk Governance vs. Risk Management

Video Transcription
With risk governance and risk management, we have to understand the difference between the two. So governance versus management is going to be the topic of this next set of instruction. So when we talk about governance, first of all, we have to look to the very top of the organization, all the way up at the top. And that's where we have our board of directors. We have steering committees. We have senior management. We could have a risk management board. You know, usually when you hear the term board, when you hear steering committee, senior management, we're all talking about the entities that are responsible for the governance of the organization.

So when we talk about governance, ultimately, these are the individuals at the top of the company whose job it is to determine the focus of the organization, the priorities of the organization, the business goals, and ultimately setting the tone for the company as a whole, determining what company culture will be. What's our long term vision? All of that goes to our senior officials, senior officers, board of directors. That's the top of the risk echelon, if you will.

So when we're talking about what these individuals and groups do for us, there are generally four main objectives of risk governance. Okay, so the first: establish and maintain a common risk view. That's essential because what that's going to guarantee for us is, within the organization, we have an understanding of the risk appetite of the organization, the risk structure. When we talk about the risk context, we're talking about the context in which the organization operates. So if we're in the military and have very high value assets, as opposed to working in a grocery store, as opposed to being in the healthcare industry, those are different contexts for risk. So we've got to understand that within our organization we should be on the same page, and it's up to senior management to make sure that risk is standardized throughout our organization. We're going to pick a framework, most likely, to base our risk management strategies on, and that framework should be consistent throughout the organization.

Now, just that: taking our view on risk and incorporating it throughout the entire enterprise. That's the second step, and what we're looking to do there is to work risk management into everything that we do. You know, information security, which is my realm, is really just risk management, right? You know, anything that I ever do in the world of security starts with: What are we protecting? What's it worth? What are the things that could harm it? What are the vulnerabilities that would allow that harm? How can we fix it in a way that's cost effective, right? That's risk management; that's security management. So incorporating those concepts of risk management into the enterprise. And we'll get from that risk-aware business decisions.

Let's stop making business decisions on things like, "Well, if it ain't broke, don't fix it," or, "Well, we haven't seen that materialize yet." What we're saying with that mindset is, let's wait till we have a really big breach, then we'll fix it. You know, just like a busy intersection: we're not going to put a stop sign there until there's been a crash. Now we're going to put a stop sign. That's not using risk management to make our decisions. We've got to start evaluating current threats, current vulnerabilities, and appropriate solutions.

Risk-aware business decisions, same idea, all rolled up together. And then ensuring that risk management controls are implemented and operating correctly: oversight, making sure that the decisions that were made, we've acted upon them because they've been funded and supported, and making sure that they're effective. Now, it doesn't mean that I'm out there, you know, with my tire gauge making sure our delivery vehicles have enough air in their tires. But what that means is I need management to verify with me that the practices are in place, and then audit checks to determine that the processes are being followed, and that information is reported to me. So as a senior manager, I'm overseeing the operations, testing, and ensuring corrections were made. That's on senior management.

So the questions I want to know with governance overall, but also with risk governance: Are we doing the right things? So we need to be compliant with HIPAA, or we want to increase our profit margin, or we're going to undertake a project to improve our goodwill in the community. Whatever we're doing, are we doing the right things? And that comes from governance. Governance determines what the focus, what the direction of the organization is. So governance sets out and says, this is what we feel is right, this is how we're going to move forward.

So we're going to do the right things. Are we doing them the right way? There are many ways to get from point A to point Z. Some are short and direct and efficient and effective, and some are a little bit more convoluted. There are some solutions that cost a lot more than others. So are we doing things right? And are we doing them well? All right, we're doing our best. Are we delivering value, right? Because ultimately governance is about delivering value. So are we managing our risk in such a way that does bring value? And then are we getting the benefits? Are we seeing those cost savings? Are they being utilized? How's that coming into play?

Now, when we look at management, management is conducted by functional leaders, your functional managers, like your department heads, for instance. So where governance says what we want to do and what our vision is, management has to figure out how. So risk governance might say, you know what, we're risk neutral. We're an organization that will take on some risks in relation to improving customer reputation. We're not very tolerant of risks that are driven by a need to be an industry leader. We're content where we are. You know, that's for management. I'm sorry, that's for governance. But management says, okay, I hear your risk view, and I have to figure out how to take that view and that concept and those ideas and implement them and make them work. So if you're very risk averse, well, then I'd better figure out a system and mechanisms to put in place to really minimize the amount of risk that we're exposed to, right? You're going to set acceptable risk as very, very small. As a manager, a risk manager, I've got to figure out how to make that happen. So governance is what; management is how.