
Risk Leaders: Follow These 4 Strategies When Transitioning To Continuous Risk Management
www.informationweek.com
Cody Scott, Senior Analyst, Forrester
February 20, 2025

Your organization's single biggest risk is an ineffective risk management program. Organizations tend to focus on compliance objectives while inadvertently undervaluing or deprioritizing risks that could have significant impacts, for many reasons. Compliance goals are prescriptive, with concrete actions to accomplish, making compliance a generally straightforward activity. Risk, on the other hand, is dynamic and complex.

During the early 2000s, some of the largest financial scandals (Enron, WorldCom, Tyco) rocked the business world to its core, unleashing a new regulatory wave of corporate governance and internal controls requirements. In its wake, the three lines of defense (3LOD) were born. And when the Institute of Internal Auditors picked it up 10 years later, the industry branded and prescribed 3LOD as the cure to poor risk management. Yet, like prescription drugs, regulatory support doesn't guarantee effectiveness.

Enter a More Modern Risk Approach: Continuous Risk Management

Here's where we need the right prescription for managing risk. Continuous risk management is a modern approach to ensure that organizations not only take on the right risks in support of their strategic direction but also follow a holistic process to bring risk-based planning and mitigation oversight into the value chain -- a significant gap in the 3LOD approach and in most risk programs today.

Continuous risk management unites the business's strategic and operational sides under a common goal -- a pursuit of value -- and formalizes a process, key decision points, and opportunities to change course as project conditions and risk tolerances change over time.

Continuous risk management as a model has two main components:

The first loop (identify, plan, analyze, and design) emphasizes strategic planning and the role of leaders in defining the pursuit of value to which risk and compliance projects will be aligned, ensuring that the pursuit is successful.

The second loop (implement, respond, measure, and monitor) highlights the implementation work that control owners and operations teams perform to keep the pursuit of value on track and optimize mitigation strategies as new risks unfold.

Importantly, the model features key inflection points as teams cycle through both loops that allow them to reevaluate decisions and escalate issues accordingly.

Keys To Getting Continuous Risk Management Right

For organizations to get to continuous risk management, they must do these four things:

1. Use the 3LOD model the right way to define roles and ensure segregation of duties. Contrary to popular belief, 3LOD is not a regulatory requirement. If your organization has adopted 3LOD for segregation of duties, you don't need to abandon it. Instead, use 3LOD for its intended purpose: to appropriately define roles and responsibilities. Use the continuous risk model in combination with the 3LOD to answer the following: What work do we need to do? How should we do it? Who should be involved in the process?

2. Use the continuous risk model to identify gaps in your existing program and create a roadmap to improve the supporting processes, skills, and technology needed. Fortunately, you don't need to start from scratch to get to continuous risk management, as many pieces are likely already in place. For example, an organization's project management office might operate separately from its enterprise risk and compliance program, indicating a process and communication gap across multiple phases. A security program might operate an extensive tech stack but hasn't integrated the outputs to automatically measure and monitor the effectiveness of controls. Align the continuous risk management phases to your program, document how your current processes support these phases today, and prioritize pain points or disconnects that inhibit any phase.

3. Focus on the pursuit of value. A value is any goal, objective, regulatory requirement, or business outcome that the organization decides to pursue, such as acquiring a new company, entering a new market, or targeting a new customer segment. Value can be operational, like updating an internal process, changing critical suppliers, or maturing existing operational requirements. Value can also come from a technology initiative, such as launching a new application or service or modernizing legacy technology systems. Anchor risk management alongside and throughout the pursuit of value to establish the appropriate context, evaluate trade-offs, and support decision-making that accelerates, rather than impedes, growth, innovation, and resilience.

4. Use the inflection points in the model as opportunities to accelerate governance reviews and approvals. When organizations plan a mitigation project, they might use an assessment to secure budget approval, but at this point, leaders and mitigation owners disconnect, assuming that they'll be informed if the effort is derailed. This reinforces a sunk cost scenario where controls are implemented with little regard to changing strategic or tactical situations until the end of the effort. Use the first inflection point to decide which risks will be accepted or transferred -- and which will be controlled and mitigated throughout the lifecycle. Use the change management inflection point for ongoing feedback or to course-correct. Combined, the initial risk decision and ongoing change management ensure tight collaboration between stakeholders, provide assurance that the organization is managing risk acceptably, and confirm that mitigation and compliance activities fully align with the pursuit of value.

Continuous risk management is conceptually simple yet requires organizations to interrogate their existing risk practices. This means thinking about which practices work well, which ones are lacking, which ones create unnecessary friction, and how technology can shift risk management to the left to accelerate business outcomes. Leave the side effects of poor risk management in the past and transform your program with a proactive solution.

About the Author

Cody Scott, Senior Analyst, Forrester

Cody is a senior analyst at Forrester covering cyber risk management with a focus on cyber risk quantification (CRQ), enterprise risk management (ERM), and governance, risk, and compliance (GRC). Prior to Forrester, Cody served as the first chief cybersecurity risk officer of the National Aeronautics and Space Administration (NASA). He holds a BA in international affairs from the George Washington University and is also a certified expert risk management framework professional.