Where does the change in risk management come from?
“For many organizations, especially within the government, risk management starts with compliance. In other words: ensuring adherence to regulations like ISO27001, BIO 2.0, and the AVG. A compliance-based approach to risk primarily focuses on avoiding fines, sanctions, or reputational damage. The key question is often: do we meet the legal requirements, yes or no? The focus rarely extends beyond that. However, a shift is now taking place. Many organizations are no longer just looking at the rules but are also assessing their largest risks and threats. This change is partly driven by changing regulations that require more risk management and governance. For example, under NIS2 executives can be held personally responsible for poor risk management. Additionally, Europe sets requirements for sustainability through the Corporate Sustainability Reporting Directive (CSRD), and thus requires organizations to conduct their own risk analyses: what is your impact on the outside world, both positively and negatively? With increasing accountability placed on executives, there is a growing need to map out risks comprehensively.”
What movement do you see in risk management?
“The current trend shows a shift in priority from mere compliance to two key questions: Are we meeting regulations (externally focused) and what goals do we want to achieve (internally focused)? How do certain risks relate to our objectives? The most critical risks that could potentially hinder goal achievement take priority. Even if that means following the rules less strictly. Risks are not always negative. Some risks can actually be seen as opportunities. Opportunities that can help an organization reach its goals. This strategic advantage of a risk-based approach is lost when the focus is solely on compliance.”
How do you achieve a complete overview of all risks?
“A risk-based approach requires an integrated view of all risks within an organization. More and more executives are seeking this comprehensive insight due to their growing governance responsibilities. However, bringing together risks from across an entire organization is not always easy. In some cases, different departments or divisions have their own risk managers, each producing separate reports. That makes it difficult to create a centralized and uniform insight into all existing risks, how they are managed, how risk control is assessed, and how risk reporting is conducted. A GRC application like Key Control Dashboard helps to solve this problem by providing that crucial integrated insight. Key Control Dashboard helps organizations to identify, assess, and prioritize risks, conduct impact analyses, and measure the effectiveness of risk controls. Additionally, its dynamic dashboards allow both risk managers and executives to monitor risks in real time.”
How does this work in practice?
“Take, for example, the bitscore of an IT system. Depending on the score, an organization has to meet a set of standards. Key Control Dashboard automates these standards. If a higher score is detected, a risk analysis starts to determine whether the risks fall within or outside the acceptable threshold. If they exceed the threshold, measures are taken to mitigate, reduce, or transfer the risk. Key Control Dashboard then reanalyses whether the risk is accurately managed and handled correctly, both in terms of external norms and internal objectives.”
What is successful risk management in 2025?
“A compliance-based approach is useful for meeting legal obligations, but that is actually the bare minimum. A risk-based approach is more effective because it allows organizations to allocate resources efficiently and targets risks directly. More and more of our clients are making the cultural shift by integrating risk, compliance, and governance by leveraging Key Control Dashboard. This enables them to manage risks effectively, reduce costs, and focus more on their strategy and achieving their objectives. The key to success lies in the synergy between a strong risk approach, compliance, and governance.”