Incentivize the CEO. The solution starts at the top. The board of directors has to make risk management a top priority and needs to authorize the necessary funding. It helps for boards to tie CEO compensation to regulatory compliance. The board should also require that the CEO develop specific strategic plans, and it should demand timely progress reports.
Let the CEO take the lead. Once CEO compensation gets tied to regulatory compliance, everything changes. The CEO then has a clear directive to drive that mandate down the chain of command, and tie raises and promotions of other employees to risk management. The CEO needs to develop that strategic plan and make sure it gets implemented and followed.
Create a common data source. Communication has to flow among the key players. Risk management teams, auditors, lawyers and the IT teams that are charged with implementing risk management need to be on the same page, using the same data sources. Ultimately, it’s up to the CISO/CSO to develop accurate and comprehensive reports that highlight the organizational risk against the current regulatory landscape, to ensure that the true cost of both remediation and fines is assessed by executive management.
Prioritize investment based on risk. There are specific steps that companies can take to improve their risk management posture, starting with the most obvious: acknowledging that the company has a problem and then identifying specific gaps or shortcomings. A comprehensive risk assessment entails identifying strategic and tactical risks, then measuring the operational impact and business impact of organizational inefficiency. Companies need to prioritize investments based on addressing the most serious risks.
Take advantage of new technology tools. Until recently, there simply haven’t been technology tools with the ability to drill down and analyze risk management systems across business units. However, there are new software tools on the market that use machine learning and artificial intelligence to quickly and efficiently uncover problems and offer actionable intelligence so that policies can be enforced across the organization.