Governance: This is probably the easiest to define. Basically it’s making sure that people follow the policies and procedures that are outlined for task X.
Depending on the maturity of the organization, this can range from something as primitive as Excel spreadsheets that people email back and forth to a custom-designed enterprise workflow tool with conditional assignment and routing based on attributes associated with the task/policy (moving organizations away from Excel and into the workflow tool is one of my main jobs). The Risk and Compliance components should always be controlled by Governance, but how effective that is in practice will depend on organizational maturity.

The capacity to know Risk is very broad, and honestly, if you ask 10 people to define what risks are important to an organization you'll get 15 different answers. The goal is to be able to actually perform Enterprise Risk Management, but very few organizations actually do so in a holistic manner. I think I've seen 2. There are a lot of different categories of risk; each one will have different policies and procedures, and each will contribute to Enterprise Risk in a different way.

A couple of examples I can think of off the top of my head are third-party risk, regulatory risk, and risk introduced via operations, for example Security Incidents.

Businesses need to define their risk tolerance profile and aligned contingency plans. The strategy starts with what level of risk the business can afford vs. the cost of the measures needed to mitigate the risk and resilience. The correct approach to risk is essential to ethical governance and to aligning with the principles set out in the King IV Report in any business vertical, especially IT.