Key Business Governance Risk, Audit And Security Management Issues In Practice

September 7, 2022
Robert Peopall


Business Governance Risk, Audit & Security Management


Don’t take decisions lightly

Many organisations fall into the trap of rushing decisions through governance boards because of artificially imposed deadlines. Smart organisations do not take decisions lightly or quickly. They take the time needed to get a decision right first time rather than taking it too quickly and getting it wrong.

Governance Boards not established

Often overarching, organisation-wide governance committees are not established; the lack of a single unified investment portfolio management committee is a common example. The organisation needs to ensure that the right organisation-wide oversight committees are in place so that the relevant controls are exercised and the organisation manages its activities in line with the expectations and best interests of the organisation as a whole.


Meetings Poorly Run

Often governance meetings are poorly run and managed: weak agendas, no actions captured, poor facilitation, and weak or no controls to ensure that the meeting delivers clear outcomes, ownership and agreed actions. Meeting minutes are poorly documented, and actions from previous meetings are not reviewed as the first agenda item of the subsequent meeting.

Smart organisations recognise that staff time is a valuable commodity and make sure it is not wasted. Fast, effective and well-run governance meetings that make the best use of scarce resources and time are critical, a point that needs to be continually reinforced from the top down.


Governance Principles not defined or poorly communicated

Often the principles behind a governance committee's reason for being are poorly defined and are not clearly articulated to the teams and individuals affected by the oversight committee's purpose, objectives, role and responsibilities. Smart organisations invest the time in defining a set of operating principles, policies and guidelines to help enforce the governance approach within the organisation.


Governance Processes poorly defined or out of date

Often the governance process has not been defined, so communicating how it will operate proves difficult and is subject to confusion, misinterpretation and misunderstanding. Smart organisations invest the time necessary to develop processes that aid communication and understanding, to ensure they work, and to reduce the risk of failure.


Governance Standard Operating Procedures weak, not formalised, limited use

The standard operating procedures that underpin the governance process are often informal or as poorly defined as the governance process itself, contributing to the same failures: confusion, misinterpretation and misunderstanding. Smart organisations recognise the importance of well-defined and practically applied standard operating procedures to improve the effectiveness of the governance process. This also helps to accelerate the induction of new staff into the process.


Governance Controls weak, informal, overdependence on manual rather than automated controls

There are few or no controls in place to ensure that the governance process delivers successfully against the outcomes expected. Where controls do exist they are often informal or manual and therefore prone to error. Smart organisations ensure that formal controls are in place and, where possible, introduce automated controls to drive efficiency and certainty into the processes and procedures concerned.


Governance KPIs non-existent, not monitored, not fit for purpose

Often Key Performance Indicators (KPIs) are not defined up front, and monitoring mechanisms are either non-existent or poorly defined and poorly implemented. Smart organisations recognise that if you don't take the time to define the KPIs, you cannot monitor and track whether the required progress is being made and the required outcomes will be delivered. This vital step is often overlooked at the outset and only addressed when it is too late to turn the situation around.


Governance Monitoring mechanisms tend to be reactive rather than proactive

Many organisations today have limited monitoring mechanisms in place, and those tend to focus on identifying problems or trends after they have happened, based on historical information. As a result, the organisation tends to manage in a reactive manner, because the information is provided only after an event, activity or problem has occurred. Smart organisations are now starting to invest in end-to-end, transparent monitoring mechanisms designed to give managers the input they need to manage proactively rather than reactively.


Prudence gone mad

Many companies fail to anticipate risks because of poor, informal risk management approaches. Where risks are anticipated, mitigation plans are often not developed, so the company tends to act reactively as risks materialise into issues. Risks are inherent in every activity undertaken; smart executives are cautious and prudent towards risks and invest in understanding and anticipating their occurrence, backed by a robust mitigation plan.


Avoid Business Cases That Don’t Stack Up

Many companies fail to develop robust business cases to justify investment. The cases are often only partially complete, littered with assumptions, and have little or no risk analysis behind them. Concentrate on well-defined, developed and articulated business cases to justify your investment decisions. If the risks haven't been documented, it is almost certain that the business case has not been considered carefully enough.


Tap into Lessons Learned to avoid future failures

Many companies have a lessons learned review embedded in their project management methodologies to evaluate what worked well and what didn't. However, these reviews are often carried out quickly, as a half-hearted academic exercise at the end of the programme or project before the team is dismantled and redeployed. Many organisations fall into the trap of repeating the same or similar mistakes because they fail to take the lessons learned review seriously.

Few investment panels take the time to look back and understand why past mistakes were made. A common factor is the rate of change of personnel at the top of the organisation, which results in knowledge of those past mistakes being lost. An effective lessons learned process can help guard against this risk, but it needs to be conducted properly, with the results shared and the lessons implemented. The importance of conducting the review needs to be driven and reinforced from the top down.


Embed risk management as part of the enterprise culture

Many organisations fail to take risk management seriously. Staff should be encouraged at all levels to consider potential risks associated with new ideas, programmes, projects, tasks, initiatives, suppliers, customers and partners. The organisation needs to develop a risk culture and mentality where staff become used to thinking about the likelihood of risks occurring and the scale of their impact if they do occur as a standard part of their daily work routine.

Risks not understood, not documented and no mitigation plans in place

Frequently in practice risks are not understood, have not been documented and are not regularly reviewed, with little or no mitigation planning taking place. The organisation's risk management practices should be scrutinised by management, the risk management team, and internal and external audit to identify improvement areas, risk exposures, and gaps not covered in enough detail. Effective risk management approaches need to be implemented in response to the findings and actioned quickly.


Audit viewed as a necessary evil rather than a value add to improve controls and process effectiveness

The role of internal audit is often viewed with suspicion and scepticism by management teams across the organisation, as auditors are often seen as a threat to the autonomy of a function or team. This view is reinforced by the traditional use of audit teams, which focus on tightening and improving governance and controls around the organisation's processes. Smart organisations integrate their internal audit teams into an enterprise-wide process improvement initiative, so that internal audit shares its knowledge, experience and walkthrough techniques with the process improvement team. The result is a joint approach that not only tightens controls but also drives process improvement and delivers value to the organisation.


Actions not clearly defined nor owned, issues not addressed promptly, handled informally

As with governance meetings, team, project and programme meetings should be run efficiently, with clear actions, ownership, outcomes and expectations agreed. Ownership of issues is often unclear or shared, and as a result they are not actioned. Risks, Actions, Issues and Decisions (RAID) all need to be owned, with clear accountabilities and responsibilities assigned in order to drive each item to completion.


Poorly defined, Ad-Hoc or No Testing of BCP or DR Plans

Many organisations fail to take security management as seriously as they need to. Often business continuity plans and disaster recovery plans are poorly defined, are not comprehensive enough, do not cover enough scenarios and, worse still, are never tested or practised to determine whether they are fit for purpose. The organisation finds out too late that its plans are not fit for purpose and is then dependent on last-minute reactive management to escape the hole it has dug for itself. Smart organisations make sure their plans are robust and practical by investing time and effort in planning and, more importantly, in testing and then refining the plans to address the weaknesses that testing reveals.


Limited or No Service / Application / Infrastructure / Network Recovery Plans Defined

In addition to BCPs and DR plans, organisations often fail to invest in defining recovery plans that address systems failures and their corresponding impact on the organisation's services, both internal and external. Many organisations fall into the trap of not defining:

- service recovery plans

- application recovery plans

- infrastructure recovery plans

- network recovery plans

Nor have they considered the recovery sequencing of all of the above layers, taking their interdependencies into account.

This is a massive problem within many large organisations today, which walk a tightrope between investing proactively in risk mitigation and recovery/contingency planning and incurring the cost of recovery when failure happens. However, it is not just the cost of recovery they need to concern themselves with: the more educated customers of today's digital age are far more prepared than ever before to simply switch to a competitor. In addition, regulatory bodies are applying more pressure, with an increased risk of significant fines for serious failures to protect, safeguard and deliver resilient services to customers underpinned by robust processes and systems.


Increasing threat of Cybercrime not being taken seriously, Too Little Too Late Response

The risk and threat from cybercrime is increasing significantly, and organisations can no longer assume that they will not be targeted and therefore will not need to act. Organisations need to take this growing threat seriously and respond by protecting their staff, their facilities and their systems from the many threats that today's globalised digital markets carry. Security management must be enforced from the top down and reflected in robust policies, principles, standards, processes, operating procedures and controls. Systems need to be resilient and robust. Monitoring mechanisms need to be deployed to proactively identify emerging threats quickly, so that they can be contained and dealt with promptly to avoid problems and/or reduce their impact on the organisation.

If any of these points sound familiar and resonate with you and you want to discuss how our ID8 diagnostics can help you to overcome your current issues and challenges then do contact us by email at or call us on +44 (0)203 908 4346.