Effectiveness in risk management starts with an adequate people structure

Hi, we’re STC!

A team of risk management and corporate governance professionals working in a partnership structure to provide top-tier expertise to a wide range of organizations. We offer our skills and talent to support your strategy.

In theory, as an Enterprise Risk Management facilitator, I have to ensure that the Board and Executive Teams have adequate information about risks across the business.

In theory. In practice, I do a lot more. For example, I even project manage initiatives that implement a regulatory change. I push improvements in controls. I organise (and many times deliver) training for (traditional) risk managers.

Why? Because I will probably go once to the Board with a risk pack saying we had a serious incident, but not the second time (they might fire me 🤣). I will take an action to solve the issue causing the incident.

One of my responsibilities, as I see my role, is to push for, influence and support an adequate people structure.

I have an example.

While working with a Chief Information Officer, I realised at some point that I had not only daily meetings with him, but sometimes meetings even more than once a day. My 1-2-1 meetings are not more than 30 minutes, but still, as I joked with him, I was seeing him more than his own IT Directors on three continents.

Our agenda was something like this (real example):
➡ Monday – Digital Operational Resilience Strategy
➡ Tuesday – ICT Operational Risk control environment – AM, Information Security risk assessment – PM
➡ Wednesday – Technology strategic risk (the risk that the current technology will not support the strategic direction)
➡ Thursday – Data integrity risk ownership
➡ Friday – Change Management Delivery Framework

On the Tuesday I mention above, we had this mail exchange. It was after our first meeting, the control environment one, but before the Information Security risk assessment. I was worried he would not show up:
Me: “I really need a CISO to work with on this. There are too many things in your hands. Instead of an asset you become a stopper for me. Not you, you, your hectic schedule.”
CIO: “I really need a CISO for many things but yes this is one of them! We are still catching up later aren’t we?”

Now, don’t try this at home. I do not recommend it, unless you are in my situation. I have already delivered many things for him, he knows I try to support and not to be a pain for him.

The idea, however, is valid. Even if you have a fantastic CIO (like him) or a fantastic ERM expert (like me 😊), the risk might actually be generated by the structure. I am not an HR person, I do not have any HR responsibilities, but HR staff are my best friends. They will help me, and I will help them help me, to have an appropriate structure.

I strongly believe this: effectiveness in risk management starts with an adequate people structure.

Posted initially on LinkedIn: Claudia Craia
