Categorizing these events can be difficult. Most have vague definitions, one event often leads to another, and there can be multiple teams involved in each incident. However accurately tracking these events is necessary to manage liability, comply with regulations and drive improvements across the organization.

Defining Event Categories

Before we dive in, let’s look at some commonly used definitions for each category.

Incident – An event (typically negative) that occurs at a specific date and time. It often follows the pattern of someone did something on this date at this time at this place.

Complaint – A complaint is typically not defined by the event, but rather by the fact that someone has complained. It is the act itself that makes something a complaint rather than the subject of the complaint.

Risk – There has been a lot of work done by ISO 31000, COSO, RIMS, OCEG and others to define what a risk is, but in its simplest form a risk references an event and its potential impact on something important.

Applying a Category Type to an Event

Unfortunately, there isn’t a straightforward guide on how to apply a category type to an event. Risk and security events aren’t one size fits all and the way that they’re categorized can depend on a variety of things such as company size and industry, how serious the event is and especially the knowledge of the person recording the event.

To break this down, let’s look at few examples of events and think about how a business might categorize them.

Scenario 1: An employee behaves aggressively with a customer

• Is this an incident? Yes, if serious enough, unlikely if it’s a general pattern of poor behavior
• Is this a complaint? Yes, but only if it was complained about.
• Is this a risk? Potentially, but likely part of a bigger customer-reputation risk

Scenario 2: A customer receives repeated calls ostensibly from their financial institution

• Is this an incident? Yes, likely multiple incidents
• Is this a complaint? Yes, likely one complaint.
• Is this a risk? Yes, and could also result in other risks like theft, fraud or account takeover

Scenario 3: A financial transaction is sent to the wrong party

• Is this an incident? Yes, but most organizations would call it a loss event (yes, that’s yet another term that means almost the same thing)
• Is this a complaint? Possibly, though unlikely unless the intended recipient complains
• Is this a risk? Yes

Scenario 4: An employee’s computer is compromised

• Is this an incident? Yes
• Is this a complaint? Probably not, but an action as a result of the compromise could result in a complaint, and this may be the way the incident is discovered.
• Is this a risk? Yes

You can see from these examples that events are incidents, complaints and risks all at the same time. Each of these examples highlights the subjectivity of the decision by the person who is reporting the event.

On a recent call a customer who is responsible for Business Continuity, Risk, Security, Facilities, InfoSec and Vendor Risk expressed this idea in perhaps the most succinct way I’ve heard  to date:

“Incidents are Incidents. Most of the information you collect is the same”

Does Time Affect Event Type?

One thing that you may have noticed in both categories and the examples above is the concept of time.  Considers whether the event has already happened or if it might happen in the future.

Here’s how one of our event examples might play out over time:

Which of these is the incident? When does the complaint happen? Which ones are risks?

You can see in this scenario that as we progress through time, individual events compound to become bigger risks, but there isn’t a specific line as to when that happens.

Still, incidents and complaints are typically about something that has happened or is currently happening. Whereas risks are more focused on what might happen in the future and what the potential impact could be.

However, just because an incident happened in the past, what’s to say it won’t happen again? Wouldn’t the fact that it happened once increase the probability of it occurring again? In this context, what do you call it? A potential incident? A risk event? What if the incident almost happened but was narrowly avoided? Those are typically referred to as “near-misses” but do they get consistently logged?

Who Owns the Event?

One further complication is to define and understand which team or individual owns the event based on the category selected. If we reflect on each of our scenarios above, can we pinpoint whether they are security incidents? HR? Safety? Finance? Customer Service? Many incidents involve two or three teams in different ways. This added layer further complicates the reporting process. If an employee wants to report something, they not only have to identify the event type, but also have to think about who the event should be reported to.

Documenting and Recording Events

Ok, now that we’ve painted the picture, you can see that it’s complicated, and we haven’t even discussed the various technology involved.

Most organizations have multiple systems each with their own use. They might have an incident, case, risk and complaint system. They span different topics and teams and produce separate reports. They cover both what happened already and what may happen in the future.

Incidents and complaints are the data shows what actually happened. Risks  tell us what might happen.  If these systems are disjointed, it’s nearly impossible for teams to make data- driven decisions and risk assessments. It is similarly difficult to understand potential downstream risks when looking at a single incident. Without a single integrated Incident and Risk Management system there is very little visibility to see the whole picture.

Why Your Organization Needs a Process for Handling Security and Risk Events?

Don’t make employees or customers guess at what they are reporting. To ensure that people continue to submit their concerns, make it simple. Provide multiple intake channels to a single repository that connects incidents with risks across the enterprise. Once you have the information, routing the event to the right team can be easily done with an intelligent triage process. 

How can Resolver Help You with Incident and Complaint Management?

Resolver offers a simple but powerful system that allows organizations to capture incidents, complaints and risks all in one place. Once an event has been logged it is tagged and categorized using our AI-based Intelligent Triage process and routed to the right team. Since information is easily linked together Incident, Complaint and Risk Managers can see the whole picture and move rapidly to respond to and recover from the event preempting incremental loses. 

Alexa Sutton, our People Ops Specialist, virtually connected with Matt Gawlik, a Product Manager based in Toronto, to learn about his journey at Resolver. 

Alexa: As a child, what did you want to be when you grew up?

Matt: I don’t think I understood exactly what I wanted to be as a kid, but I knew it was definitely something involving computers. Even as a kindergartener I was drawn to computers, and I’ve been very fortunate to have had a computer at home almost my entire life. At an early age I was taught how to boot up programs from floppy disks, so that I could switch games without calling for help. I was clearly gravitating towards a career in tech as a kid - I just didn’t understand what that actually meant until years later.

Alexa: What finally drew you to the Product field?

Matt: Throughout my initial career as a Developer, I loved taking on additional responsibilities that were outside of my regular day-to-day duties. I helped with things like project planning, writing customer documentation, and serving as the point person for technical support for the things I was working on. When one of my previous employers identified a need to expand their Product team, they felt I was an obvious choice to fill the role. It was an opportunity I couldn’t pass up, so I made the jump from Development to Product, and the rest is history!

Alexa: Why did you choose to join Resolver?

Matt: When I was looking for my next opportunity, culture and the general work environment were important considerations for me. I started reading up on Resolver after I saw a posting for a Product position, and I was impressed by what I found - especially from employee reviews. It seemed like a team that was proud of what they were producing, with a healthy work-life balance in mind. Resolver also represented an opportunity to move from embedded devices into the SaaS space, which I was really excited about!

Alexa: You started at Resolver almost 3 years ago as a Product Owner – how has your role evolved over time? Tell us about how you got promoted.

Matt: Resolver is great about letting us take on things that we’re interested in or passionate about, regardless of if it’s in our job description or not. From the get-go, I eagerly took on additional responsibilities around tooling and process, doing my best to fill in any gaps that I saw. I even had the opportunity to cover a paternity leave for a Scrum Master position. Being encouraged to grow and take on new things that interested me allowed me to show what I was capable of. That led to Resolver wanting to more formally entrust me with additional responsibility - and a promotion!

Alexa: What has surprised you the most about Resolver after your 3 years here?

Matt: The employee investment! Before I joined Resolver, I had never worked on a team that made a healthy work-life balance as much of a priority, or that provided as many opportunities for my own professional development. I even get gentle-yet-firm reminders from my boss to take time off if it’s been a while, or if things have been particularly busy. Resolver is also fantastic about growing and promoting their own - even if it’s across different departments. I’ve worked with multiple Resolverites over the years who have expressed an interest in Product and I’ve always been given the opportunity to show them the ropes, be it letting them shadow me as I go about my day or showing them what goes into something like feature development. It’s great to see people excited about the type of work that I do, and to know that Resolver will help us grow in whatever way we want!

Alexa: I hear that the relationship between Product and Engineering is awesome. Can you tell us a bit about what makes it special?

Matt: Those of us who work on the platform side of Product at Resolver are really “in the trenches” with the Engineering teams. Be it feature development, deploying a release, or dealing with a customer issue, we’re working with them every day - and as a result we really are considered part of their team. Collaboration is one of Resolver's values – this really shows up in the Product-Engineering relationship. We believe it’s important for Engineering to know that Product has their back, and we’ll go to bat for them if we need to. (Plus, it gets us included in the fun stuff like games and hackathons!)

Alexa: How does Product collaborate with other teams, like Professional Services and Sales?

Matt: Product is the bridge between the Engineering team and the rest of the organization. We work with teams like Services and Sales to better understand what our customers need, so that we can make sure we’re building the right things at the right time. Once we’re done building those things, Product then gets to show them off! We offer training to help teams understand the new ways that we can help existing customers, and the new problems that we could potentially solve for prospective ones. And throughout the process, Product is there to answer questions and provide support.

Alexa: You started the Movember team at Resolver – how has Resolver enabled you to run with this cause?

Matt: In 2018, I decided that I was going to shave my beard (for the first time in over a decade!) and raise some funds for Movember. Given that Resolver has a great culture surrounding volunteer participation, I figured it was worth a shot to see if anyone was interested in forming a company team. True to form, a number of people pledged to take part! We’re now in our third year of fielding a Movember team awash with both distinguished and embarrassing facial hair, and Resolverites across the company are once again stepping up to donate. It has been fantastic watching this turn into an annual tradition at Resolver, and I’m glad that I was given the freedom to just take an idea and run with it. (Even though it does mean braving the harsh Canadian November weather with a bare face…)

Alexa: Can you tell us about one of your proudest moments at Resolver?

Matt: Hosting a panel on diversity, inclusion, and belonging in tech at Resolver. I had noticed a lack of conversation around being LGBTQ+ in the workplace outside of Pride Month, and eventually realized that I couldn’t just sit around and hope that someone else would do something about it. The Talent team at Resolver embraced my idea of hosting a panel event, helped me broaden the scope to include other communities, and lent their time and energy to make it happen! I had never hosted a panel event before and was grateful for the opportunity to do so - especially for what turned out to be such a great event filled with important conversations!

Alexa: What’s next for Product at Resolver? What are some exciting projects you can share?

Matt: Our team is growing! We just added two new Product Owners to help strengthen our integrations portfolio and explore new ways to leverage machine learning. We’re also continuing to evolve and mature our processes as we grow, so that we can be more efficient with how we go from ideas to solutions. Working with stakeholders from start to finish, bringing an agile process to everything we do… All great things on the journey to make the experience better for our customers!

Alexa: What’s the best thing about working at Resolver?

Matt: The people - it’s so cliché, but it’s true. I really enjoy working with this team. They’re proud of what we make, and they ensure we still make time for fun. The people are what make Resolver’s culture what it is. The Movember team, the panel event, hackathons… none of that would be possible without the people here embracing it. Being on a team that works hard is great, but being on a team that is great to work with is invaluable!

Thanks for sharing, Matt! If you liked getting the inside scoop on what it’s like to work at Resolver, be sure to come back next month for our next spotlight. 

As business processes continue to advance, your team is required to move beyond your traditional function to be more aligned to the rest of the organization. By providing real-time analysis of incidents, threats, and security events, your team is carving out an integral role in the business. In order to do that, your team must think ahead and push security processes beyond their previous limits. This means integrating with other business units, stakeholders and organizations to ensure total coverage.   

But how?  

Introducing Resolver’s Maturity Model for Corporate Security  

We’ve worked with hundreds of Corporate Security teams on implementing incident management, investigations and case management, security operations and security risk management processes. We used these learnings to create a model for maturing security programs – a clear, applicable and measurable model to help security teams of any size scale their programs and become effective business partners to the organization. 

Resolver’s Maturity Model for Corporate Security is a roadmap that provides Corporate Security teams a means to advance their organization’s security program by defining the key metrics and activities. By leveraging the Maturity Model, your team will have a clear path to optimize operations – transforming the role of the Security team and paving the way for you to become an effective business partner across the organization.  

Finding Your Place in the Maturity Model for Corporate Security 

The Maturity Model for Corporate Security is flexible and should be used as a guide and not a scoring mechanism. Each section acts as a steppingstone for the next, but rarely do organizations fit perfectly in a single stage. If there are activities that don’t apply to your organization, move forward.  

Resolver’s Maturity Model for Corporate Security is built as a best practice guideline and is divided into 5 stages:  

1. Track 
2. Enrich  
3. Optimize 
4. Anticipate 
5. Innovate  

While industries, business types and regions vary from company to company, we’ve found that the way that Security teams mature in their programs is very similar. The incident types, workflow statuses and organizational protocols may be different, but the intentions and goals are the same.  

We built this model to help guide you through your security journey. This eBook gives you tips and tactics to help you answer questions like: How should I enhance my existing process? How can I incorporate new ones? What type of activities are other organizations performing? What are the most mature security teams in the world doing?  

Ready to improve processes across your security functions?   

The reality is that things move so quickly and unfortunately, there is no crystal ball. A key part of this process is getting everyone on the same page, talking the same language, and using risk appetite statements. Risk statements that are clear, concise, and actionable is key to getting employees, customers, the Board of Directors, C-suite, investors and regulators aligned.

There are many misconceptions and challenges around the topic of risk appetites. A few of the most common ones that we’ve heard from customers include:

• Inconsistent definitions about their risk appetite
• Unclear governance structures around who is responsible and accountable across your organization from business units to the board level
• Lack of framework methodology to develop risk appetite
• Inability to communicate risk appetite throughout the organization
• Lack of monitoring mechanisms for risk appetite

To dive deeper and answer the most pressing questions around this topic, we hosted a session with RIMS, Leeanne Barnes, Director of Enterprise and Operational Risk at Ontario Teachers’ Pension Plan, and Devi Mohan Das, Senior Manager of Risk Consulting at KPMG Canada. In this session, we focused on strategies to help risk teams:

• Develop a framework for setting risk appetite
• Define the role that governance plays in establishing risk appetite
• Measure and monitor risk appetite
• Understand the benefits of assessing risk appetite

You asked, so we answered!

This engaging, in-depth session raised excellent questions about risk appetite statements and practical use cases that attendees could apply in their organizations. We asked our panelists to continue the conversation and answer some of the most common questions that we received.

Are Risk Appetite metrics the same as Key Risk Indicators?

Leeanne Barnes: We think about Key Risk Indicators (KRIs) as metrics to monitor specific risks and tolerances.  At Ontario Teachers’ Pension Plan, each KRI rolls up to support the broader risk appetite of the organization. A Risk Appetite Metric is usually much higher level, similar to monitoring an enterprise limit, as an example.  The way that we have developed the taxonomy at Ontario Teachers’ Pension Plan is that KRIs are mid-level metrics to monitor various aspects of an enterprise risk. We establish tolerances (i.e. green, amber, red) to determine what is acceptable versus what is above tolerance for that specific metric.  We try to leverage existing data to build these KRIs. 

What role does policy development play in embedding risk appetite?

Leeanne Barnes: Great question, it is a big role.  Policies ultimately reflect the amount of risk an organization is willing to accept, and adherence to the policies embed risk appetite in the organization.  For example, if an organization has a very low risk appetite for the health and safety of their people, then their training policies, operational practices, and reporting would reflect that. Policies ultimately reflect the culture and the risk appetite of the organization.  If those things are not aligned, then there will be a lot of work to do. 

What is the importance of developing the annual risk context prior to developing the risk appetite statements? 

Leeanne Barnes: Assuming risk context is similar to a business environment assessment, it is a super important component to both your risk and strategy discussions.  An organization needs to understand the context in which they are operating, and be able to answer the question “do we need to take more or less risk in certain cases to achieve our objectives and strategy?” Understanding the internal and external landscape is key. 

Do you include both threats and opportunities under the concept of risk?

Leeanne Barnes: Absolutely. Risk is not only about managing the downside, but also understanding and making decisions regarding the upside.  A good example of this is disruptive technology. There may be risks based on an organization’s current platform, or there could be a competitive advantage as the organization undergoes modernization and harnesses that momentum to lead change and shake up the industry.

How do you relate risk appetite to risk acceptance (need for a risk acceptance framework)?

Leeanne Barnes:  At Ontario Teachers’ Pension Plan we leverage the well-defined management governance structure to support risk acceptance.  With defined roles and accountabilities as well as decision authorities, it is clear how risk is accepted or not.  We do not have a separate framework; it is embedded into everything we do and at various levels.  We also have escalation built into the governance framework in case we need more voices at the table. 

Devi Mohan Das: Risk appetite and risk acceptance mechanisms should ideally be featured as key components of the organization’s overall ERM framework. Once the organization has identified and set their risk tolerance across their risk index, they can go on to consider their risk acceptance.

Can you give some tactical examples of how you’d integrate risk into the strategy and decision-making process?

Leeanne Barnes: This is a great question, and one that we have spent a lot of time on over the past couple of years.  First, be sure that you know the timing of the various discussions and make sure that the risk work is done in advance of the strategy work. This way, risk becomes an input into the overall strategy. Through Enterprise Risk Management we focus on the most important risks to achieving strategy, and work with the organization to determine priorities and potential shifts that we need to make. This allows us to validate the business environment which is a key input into strategy discussions. I would also suggest building strong relationships between the two teams.   

Do you have any guidance on industry standard for certain KRIs/tolerances to set when the board needs guidance on what is appropriate for the business? For example: what percent of capital might be a reasonable amount to put at risk for a 1 in 250-year insurance event? What are appropriate qualitative measures to be concerned about in terms of our operational risk?

Leeanne Barnes: Unfortunately, there isn’t a clear-cut answer to this. We leverage thought leaders to help in certain cases. It’s also helpful to gain insight from peers if the information is available or if you’re able to pull together a peer group. We recommend that you have a well understood Probability and Impact assessment scale, i.e. what are the risk categories and potential impacts the organization is most worried about?  Understanding that can help to reinforce the risks that are most important to the organization and help to determine the Key Risk Indicators (KRIs) or metrics that you can leverage (internal and external data) to start monitoring the risk.  KRIs are always evolving, so it will take time and you should expect to make adjustments along the way.

Devi Mohan Das: I definitely agree with Leanne. There is no one-size-fits-all solution on setting tolerances. It is very centric to the organization, strategic objectives, risk landscape, risk culture and risk maturity of the organization.

How do you incentivize a board of directors to invest sufficient funds to manage risk, e.g., cyber? How do you get the board to engage to build a risk appetite statement and let the organization know where the risk tolerances are?

Devi Mohan Das: The 2008 global crisis provided several examples of how boards failed to set and oversee their company’s risk appetite and tolerance. Since then, we have seen regulators emphasizing their expectation of the boards to oversee the risks, which helps to ensure alignment with management on the amount of risk that organizations are willing to take and/or accept for specific risk types over a given time. In addition to regulatory compliance, boards can also gain early warning of the risks that the organization faces on its journey ahead. 

We are early in our ERM journey as an organization. Leeanne, how and when did you blend the Risk Appetite work into your wider EMR program?

Leeanne Barnes: I believe that the Board needs to be part of the risk management journey.  It is helpful to share external learnings and incidents with Senior Management and the Board that can be found in media or in an incident database. These learnings can be used to figure out if your organization could also be exposed (or not) to such an event, and what the organization’s position is.  I think the evolution of risk management is definitely about making sure the right information is getting to the right people, in a meaningful way, to help them make informed decisions.  Using cyber as an example, there are a lot of people who might not be tech savvy, so bringing in external advisors or conducting internal assessments of the risks and potential exposures and clearly articulate the impacts is very helpful and eye opening. I find engaging in meaningful and easily understandable discussions goes a long way.

Regarding aligning Risk Appetite with Enterprise Risk Management, this should be done early on, at least at a high level. For us, it started with really understanding the risk categories, and risk impacts, both financial and non-financial.  Defining your Probability and Impact scale and figuring out which boundaries are “green”, “amber”, and “red” can help articulate risk appetite through discussions with the senior leaders / executive team.  It can also highlight where there may be some differences of opinion.

How do you start developing the risk culture in a company that associates ‘risk’ only with safety and insurance?  How do you change the mindset of the people that you need to have a true ‘culture’?

Leeanne Barnes: Culture is a very broad concept.  I would suggest starting with some smaller ambitions through objectives that the organization agrees to on how you want to shift the “risk culture” of the organization. For instance, is it education that is needed?  Every year, I pick two or three ambitions to focus on.  Also, integrating risk into every discussion or decision can be super helpful. Making sure risk has a seat at the table is important.

What approaches would you recommend for identifying actionable KRIs? 

Devi Mohan Das: KRIs are indicators or metrics that are used to measure risks that the business is exposed to. 

While identifying KRIs, organizations must: 

• Consider risk drivers/root causes, correlations, probability and severity of risks
• Relate KRIs to business objectives and operations as far as possible (i.e. link back KRIs to KPIs) 
• Identify fewer and high quality indicators

How can you leverage existing KPIs to develop KRIs; avoiding duplication? 

Devi Mohan Das: KRIs and KPIs are closely related in an ideal state. The KRIs should be traced to a KPI, and this would be linked to the organization’s strategic goal and objectives. This way organizations can maintain its focus on the “Top” risks. 

How often should tolerance limits & indicators be reviewed/updated? 

Leeanne Barnes: We like to review our KRIs and tolerances regularly, at least annually, but as we learn and adjust. 

Devi Mohan Das: Risk appetite should be reviewed annually, at the very least to ensure that the organization’s strategic objectives and business plans are consistent with the risk appetite. 

Alexa Sutton, our People Ops Specialist,  virtually connected with Mala Niane, an Accountant based in Toronto, to learn about her journey at Resolver. 

Alexa: As a child, what did you want to be when you grew up?

Mala: Everything! I was interested in history, gastronomy, finance – I just wanted to do everything!

Alexa: What finally drew you to the Finance field?

Mala: Honestly, I got tired of getting conned out of my money by my older siblings as a child! In Senegal, my siblings and I were given money for every holiday. My older siblings would trick me into giving them one of my more valuable paper bills for two of their less valuable coins. I was getting two for the price of one – this made sense in my little kid brain! Once I figured out what was happening, I vowed to get this “money thing” down… and I did!

Alexa: You’ve been in Canada for about 10 years now, what made you choose Canada?

Mala: I actually spent some time first learning English in the United States after leaving Senegal. I decided I didn’t want to stay in the US permanently, but I knew I wanted to move somewhere where I could continue practicing my English skills, since I had already taken the time to learn. I Googled Canada and thought it looked so nice and I loved that it was bilingual since French is my native language. After being accepted to a university in Toronto, the rest was history!

My only concern about moving here was the winter weather, but I thought to myself “could it really be that cold?” I quickly found out it really is that cold!

Alexa: Why did you choose to join Resolver?

Mala: I was really interested in the backgrounds of Resolver’s Finance team. I noticed most of them had public accounting experience and there was a high concentration of CPAs. I didn’t have any public accounting experience, so I figured I would have a lot to learn from the team! Resolver seemed like the best place to be for my growth.

Alexa: What makes Resolver’s Finance team unique?

Mala: The environment is so different! In my previous companies, the Finance team was very siloed. At Resolver, I have more visibility into other matters outside my day-to-day and they’re all very supportive in my learning. We also have a lot of fun together! The Finance team in Toronto is famous for our chocolate stash and we also team up with our other Shared Services friends (Talent, Legal, and IT) to host food competitions!

I reopened a cooking channel in Slack, now it’s used by Resolverites to share recipes! I like cooking things that I’ve never made before. I really enjoy the challenge of not knowing how to make something and having to figure it out for myself. Once I’ve successfully made something, it’s on to the next recipe!

Alexa: You joined Resolver about a year ago – how has your role changed over time?

Mala: The Finance team uses a lot of different systems and I had an idea that I would be involved in some aspects of systems integration, but I didn’t think it would be to this extent. It’s been a pretty cool experience because they tell us about all the different accounting systems in school, but the specifics of these systems remain a bit of a mystery until you get the opportunity to work with them directly. Systems integration was previously out of my comfort zone so I’m grateful to be able to gain experience with it at Resolver.

Alexa: What’s next for you, both personally and professionally?

Mala: Professionally, I want to gain more understanding about how everything at Resolver works and relates to Finance. Moving forward, I want to learn more about the business and how Finance supports it directly. Personally, I want to travel back to Senegal more often to visit my family. Life always seems to get in the way, but now that I’m more settled in my life and career, I definitely want to take advantage of Resolver’s open leave policy to spend some more time in Senegal with family.

Alexa: What’s the best thing about Resolver?

Mala: I’m so comfortable at Resolver. The culture here really allows me to come to work as I am and be comfortable without having to spend energy on presenting a separate version. 

Thanks for sharing, Mala! If you liked getting the inside scoop on what it’s like to work at Resolver, be sure to come back next month for our next spotlight. 

In a workshop that we hosted with RIMS, we looked at the impact of emerging risks and how risk teams are at the forefront to help prepare their organizations to be more resilient in the future.

We started the session by asking the audience what they had experienced to be the biggest impact to their organization due to COVID-19.

49% of respondents said that mobilizing a remote workforce was the biggest challenge, while 15% selected financial liquidity (based on 192 responses). While not surprising that mobilizing a remote workforce was the biggest challenge teams experienced at the onset of the pandemic, many organizations claimed that although they had some plans in place, it happened so quickly that ensuring that all aspects of their business could continue to function was a hurdle.

• Implementing and monitoring leading indicators of emerging risk
• Performing real-time risk assessments
• Developing mitigation tactics based on historical data

Defining and Identifying Emerging Risks

What is an emerging risk?

According to ISO, “New, previously unknown or not considered, “emerging” risks can pose the greatest challenges to resilience, safety and operational and business continuity. These “new and/or increasing” risks can be related to different areas of activities, such as new processes, new technologies, new types of workplace, or social or organizational change.”

How is an emerging risk identified?

An emerging risk always starts in a cloud of fog, you can’t see it and don’t really know what it is. But over time, as you start to see the risk emerge, your team is signaled that something might be happening that could impact your organization and alerts you to start paying attention and conduct more research. The next phase is acknowledgement and acceptance of the risk. This happens when you’re able to access more data points to help you determine what the impact of the risk really is to your organization. It’s only after the acknowledgement and acceptance of that risk, that you’ll begin to see the risk management approach appearing (i.e. the management strategy or options that are in place to actually deal with the risk).

Visualizing Emerging Risks

Managing Emerging Risks with Scenario Impact and Action Mapping

Generally, risks are measured by impact and likelihood. But likelihood is difficult to measure and can be subjective. It can also prolong the discussion of the prioritization of risks. A more effective method is to compare the potential impact of a risk against how much action you want to take to mitigate it through scenario impact and action mapping.

Measuring the impact of a risk goes beyond just the moment in question. For example, COVID-19 has had a very serious impact on the health of communities, but its impact can also be felt on the economy. Beyond that, there is also a reputational impact that organizations will face post-crisis. How did they handle it? Did they live up to their values? etc.

You can measure all the different risks that you might face against the action side. If there is nothing to be done to deal with the risk, it can sit below the dotted line. But if there are actions that can be taken that will have a drastic impact on the organization, those risks should sit in the top right corner.

This exercise while simple, is effective in prioritizing activities for risk teams. It can be done using post-it notes, a whiteboard or through software.

Here’s an example of what this looks like using Resolver’s software:

Once you’ve determined your current situation, you’ll want to look to the future to map out potential scenarios so that your team can be as well-equipped as possible.

Use your current situation as your base case. By mapping out future scenarios in this way, you can very quickly prioritize where actions will need to be taken and when. This task only takes a few minutes and can be done by different teams. It’s a simple yet effective way to ensure you have a full picture of what could possibly come.

Triggering Response Plans

Once you have that mapped out, you can determine the management options or controls that work best for those scenarios. For example, let’s say that you have an employee abroad during the onset of the COVID-19 travel restrictions. In the earlier exercise, you would have already mapped out all of the potential risks in either bringing them back to headquarters or having them shelter in place.

Your management options in this example are the controls that you set in place to offset the risks that you’ve identified. If the employee is in a country where access to healthcare is an issue and they are unable to return home, a management option here could be to move them to a hotel that is closer to a healthcare facility while still observing travel restriction mandates.

Apply each option to your scenarios and see how they change the risks. As you work through all of these, one of the management strategies will be the most effective for the majority of the scenarios. You will very quickly reach a course of action that can then be instigated and/or investigated in more depth. This is an exercise that if you keep super simple and data-free can be completed quickly and will allow you to keep up to date on the situation in real-time.

What the top priority will be for your risk team over the next 6-12 months?

Organizational resilience requires an early identification and analysis of issues, as well as a rapid response to adjust to any emerging risks. Risk teams can use this opportunity to consider new delivery models for mobilizing and sustaining their ERM program, performing scenario analyses for emerging risks, and establishing response and recovery plans.

The final question we asked our audience was what the top priority will be for their risk team over the next 6-12 months. Of 165 responses, unsurprisingly 42% responded that their focus will be setting up a framework for future emerging risks.

Real-time risk management and continuous assessments are a great way to kick start this initiative. By ensuring that you have the most up-to-date information, you’re able to implement impactful and effective controls as necessary. Interested in learning more about leveraging technology to manage emerging risks? Connect with our team today or take a guided walkthrough of our risk management software.

1. Process Documentation and Refinement

Think about how critical processes and workflows are documented. Are they up to date? How accessible are they to the rest of your team or key stakeholders?

Many companies, including Resolver, use company wikis to help make updating process documents easier. Wikis can be kept open for anyone to update or at least visible to the rest of the organization so that employees can point out discrepancies or errors. Due to the flexible nature of wikis, it is also helpful to be able to track all the changes that are being made in case an improper change has been made.

Documented process greatly helps with onboarding and improves the clarity between teams thereby improving collaboration. In the time of a crisis, having a clear place to go to see what should happen is a lifesaver. Things you may want to include:

• Process flows
• Role and job descriptions
• System manuals
• Standard Operating Procedures

2. Data Audit and Clean Up

There are a lot of causes for poor data quality including lack of front-line training, inconsistent naming conventions, overly complex or unintuitive systems, and lack of time or oversight. No matter how you get there, everyone can benefit from better quality data.

Think about whether or not there are ways to streamline the number of system fields and incident categories your system has. If you don’t need to capture all this information and the data doesn’t help your team make better decisions, then think about removing some of these fields. We’ve found that the more information you ask for from the person responsible for inputting the data, the less diligently it will be recorded. If you can’t answer the question “what do we use this data for?”, then you should think about simplifying.

3. Analytics & Reporting

Most in-application reporting is great for day-to-day work, but even some of the best security solutions are not designed for extensive data exploration. Spreadsheets and pivot tables are helpful, but it’s almost always best to use a purpose-built BI (business intelligence) solution to help you understand all your data.

Some data points that security teams should be examining include see how incident volumes vary by region, location, or even time of day. See if you can find correlations between location and incident types and then find think about ways to mitigate the issue. If you track any activities, see if there is a correlation between activity and incident levels. If you do site audits, is there a correlation between audit scores and incident numbers? What about by reporter? Is there a difference between the number of incidents reported by people that should have roughly the same numbers? Particularly, if you notice that there is a big difference in the mundane incident types, like slip and falls, that may highlight a data entry gap.

Miriam: We have our Culture Critter quiz based on our values, what’s your Resolver Culture Critter? 

Julie: I am an Ambitious Alpaca! 

Miriam: I am sure being ambitious has contributed to your success as a sales professional. What is a piece of advice you would give to someone looking to start a career in Sales? 

Julie: Sales is a high risk, high reward environment. Having a sense of empathy is helpful, being able to put yourself in your customer’s shoes. It’s a very consultative environment, and you do need to have a thick skin sometimes. I hold onto my wins as long as I can, and I hold onto my losses until I have learned from them. 

I also think it’s important to be open to things that aren’t necessarily on your plan. I worked for myself for about 7-8 years doing freelance marketing and public relations and then I went into sales. It was something I never thought I would do!  We talk about a lattice career path at Resolver, and it’s so true–careers don’t necessarily have to follow a traditional ladder.  

Miriam: So, what does a typical day look for you? 

 Julie: I usually start my day by reading the news as there is a certain amount of research that is involved in prospecting for new customers. It’s important to understand what’s happening with the different companies that I may be reaching out to in the future. After I’ve finished my research, I move on to a variety of tasks! I build and participate in presentations for pricing and demos. When I am prospecting for potential customers, I send out a lot of emails. I reach out to sales leads, and I may sit in on professional service calls. I often facilitate discovery calls to determine if a potential customer is a good match for such.

Miriam: Wow, it sounds like you get a lot of variety in your day! What’s the best thing about your job? 

Julie: There are lots of things I love about the work I do. I get to engage with a great group of people – I get to work with amazing customers and potential customers. Problems or objections may come up as we are going through the sales cycle but being able to collaborate with fellow Resolverites and solve problems is rewarding. Each day often looks different, and there are always challenges and opportunities to learn!

Miriam: What’s the best thing about Resolver? 

Julie: I would say the people. I have worked in a few different companies and environments. Resolver is an extra-ordinary company. We have a great leadership team, and great people work here. There is a strong drive always to be improving. The resources that are available to us are incredible; we get great support from the marketing team. As a remote employee, I love being able to feel connected despite the distance. 

Miriam: Staying connected is very important – what other tips do you have to share that might be helpful to people that are new to working from home?

Julia: Here are my top tips on successfully working remotely:

1. Have a set space, no matter how small – I have a great desk in my place. It helps keep me focused and more importantly, it keeps my work and my home life separate.
2. Stay connected – It’s important to connect with your co-workers and have that “watercooler” engagement to talk about things outside of work.
3. Take breaks– Get out and be social, if possible, meet someone for lunch. I try to work out in the middle of the day to make sure I step away and take a break. It’s easier to just keep working while at home, but you need to take those breaks!
4. Set boundaries– This is very important if you live with people. They may be home while you are still working and that can be challenging if you haven’t set the parameters. 
5. Set an end time– It’s easy to keep on working even when you are finished for the day. Be willing to step away from the desk while still ensuring you’re able to answer urgent emails and messages as needed.

Miriam: We are going to shift things a little bit as we prepare to finish this spotlight. What do you like to do when you’re not at your home office? 

Julie: I am a social butterfly! That may be my real culture critter!! When I am not working, I am out with friends or I have friends over. I love being active and workout a lot. I have a monthly cocktail club where I cook dinner as well. I like puzzles, I am big into film, I have been to a bunch of festivals – TIFF and Sundance are on my bucket list. Of course, the way I socialize has temporarily changed now that we are practicing social distancing to reduce the impact of COVID-19, but I am glad that we have great technology to keep us connected to friends and loved ones.

Miriam: What’s next for you at Resolver? 

Julie: Every year, my goal is always to be the top salesperson at Resolver! I love my coworkers – and while where are all competitive, we are all very respectful of each other, and we work collaboratively. As we continue to grow, things are often changing, and there is never a dull moment!

Thanks for sharing with us, Julie! If you liked getting the inside scoop on what it’s like to work at Resolver, be sure to come back next month for our next spotlight.

For risk teams, this could require significant changes in how they approach their risk process, where in-person activities, like a risk workshop, are off the table.

If there is a silver lining, it’s that this shift aligns with recent industry trends. The more mature the risk process, the better equipped your team will be to go remote. When teams return to their physical work locations, implementing the below suggestions will help to make risk process more agile and robust.

1. Teach Risk Rather Than Do Risk

As risk professionals, you are highly dependent on the first line of defense – the business users. They have the information you need to do your job, but they do not offer this information voluntarily or communicate it an impactful way. Historically, the easiest solution to collect risk data was to sit down with individuals one at a time, asking them a series of questions to gain an understanding their business level risks. This process was not terribly efficient but, it allowed the risk team to gather the necessary information from each business unit and served as a good teaching platform.

While this could still be done via video or teleconferencing, the loss in efficiency caused by remote meetings can be used as an opportunity to drive a cultural shift to teaching rather than doing. A documented process can help facilitate this transition. By documenting the process, business units will be enabled to learn what they are required to communicate to promote a risk culture, rather than relying solely on the risk team to sit down with them individually every quarter to gather the required information. The industry has been driving towards facilitation for a long time and now it is time to go even further. There are many tools online to help deliver both real time and pre-recorded training. Or, better yet facilitate your training directly into the application where the team is doing the actual assessments.

2. Implement Self Assessments

Now that the team has a better understanding of their risks, it is time to enable them to conduct their own assessments.

The key to self-assessments is to make the process and the technology required to complete it as easy as possible. Business users are typically only interacting with the risk system periodically (once a year or once a quarter). If people are not working with something every day, they tend to forget what they are supposed to do. Use the Amazon rule. When you go to Amazon to buy a book you don’t need training to do it. Self-assessments should be the same. Spending the time upfront to make inputs intuitive may take longer to administer, but the effort will definitely pay off long-term.

A great benefit of leveraging self-assessments, if you have not already, is that by spreading this work around and allowing to business to take ownership of the risks throughout the organization. As a risk function, you will have more time to analyze the output and improve the risk culture throughout the organization, rather than collecting data. As your program matures, you maybe agile enough to shift to continuous assessments. With this approach, rather than collecting data to accommodate your reporting cycles, Risk Owners can update their risk evaluations as risk changes in your business.

3. Be Collaborative

Even with self-assessments running, you need information available at your fingertips to answer questions from the board, executives, or the other second and third line functions. If you are able to respond in real time while a user is working on an assessment, you will both be more effective.

Email is not the most effective for this but can still gather the information you need. A more efficient option is a real-time notification platform such as Slack or MS Teams. If you have a system in place, we recommend creating a channel for people to connect directly with the Risk team, you are always able to collect information more efficient when you can pose questions to a group of people, rather than relying on an individual contributor.

If you are using risk management software, there may be an option to use the in-application commenting feature to interact in real-time on the assessment itself. Resolver customers leverage this feature so that all interactions are documented and can be referenced.

Regardless of your method, the more responsive you can be, the more value you provide to the organization. As a function, risk has struggled to get engagement from the organization. Efforts like this can help to change that.

With all of the above in place, you will have more time to analyze. Too often risk teams spend 80% of their time chasing data and less than 20% on figuring out what the data means to the organization. Ideally with the above strategies in place, you can get that to more like 50/50, building a risk aware culture along the way.