When we speak to organizations about risk, the response is predictable: vigorous head-nodding and comments from company leaders who acknowledge the need to better manage their organizations' risk going forward. “We know,” they say, “we're on it.”
It's quiet for a while — three months, six months, maybe even a year — but then, we receive the panicked phone call. Catastrophe has struck. Perhaps a major operational or governance issue was caught by an important customer or an auditor, maybe there was an unwitting violation of a debt covenant with a lender or investor, or maybe there was an embarrassing data breach.
The actual event is irrelevant; the point is that a real threat has occurred that could cause (or may have already caused) a decline in profits, value, or reputation — all because the organization didn't fully understand its risks and, as a result, lacked the appropriate controls and mitigating strategies.
We spend our careers helping organizations proactively mitigate risk and respond with safeguards when something goes awry. We see firsthand where and how organizations make themselves vulnerable. And we see the opportunities: critical opportunities to better meet your strategic objectives, enable and drive growth, improve reputation management and confidence in decision-making, and face fewer surprises.
Is your organization making itself vulnerable? Ask yourself these five questions.
1. Do you treat risk reactively rather than proactively?
"What are the odds?" "It probably won't happen to us." Sound familiar? Too often, management teams are overconfident in their knowledge of what's going on in the organization or over-rely on annual financial audit results, and they don't realistically assess the chance that a risk event will occur.
Rather than invest resources now, companies roll the dice. And, they may be fine — temporarily. But, eventually something will happen, and the first question stakeholders, and often regulators, ask is, "Where was management?" In these situations, it's not uncommon to see major turmoil and repeated turnover in top positions in a short period of time. Not only does it create problems for the organization and its stakeholders; it impacts many individuals personally, too.
2. Are risk awareness and risk management aligned with your organizational strategy?
The strategic planning process is myopic at many organizations: top-down, numbers-driven, and lacking an appropriate level of risk awareness. (Hint: If leadership isn't continuously asking, "What types of things can get in the way of the organization meeting its targets?" the answer is likely no.)
Unfortunately, we observe a real lack of understanding about potential exposures. When organizations do think about risk, they tend to focus on creating what they believe is a once-and-done plan and toss it over the fence to the rest of the organization, or they may over-rely on insurance coverage to absorb losses.
But department heads aren't likely thinking a whole lot about risk. For example, your manufacturing and distribution team might be planning to expand into China, assuming (falsely) that since you plan to sell the same products using the same strategies that worked at home, it should happen like clockwork. But the capital investment is different, as are safety requirements, regulations, and labor laws. Organizations face many risks they don't take adequate time to consider when creating what, in hindsight, often looks like a utopian international strategy.
3. Does your organization treat risk management as a discrete event rather than continuous process?
As we talk to executives and managers, we often hear comments like, "We talked about risk management, so we're good," as if it's a box to check. Or, "We had a risk assessment done last year — it's in that binder on the shelf."
Clearly, for these organizations, risk management isn't interwoven in how leadership thinks. Such comments also reflect a lack of understanding about the different types of risk — compliance, strategic, operational, preventable, treatable, inherent — and that's naming only a few. Therefore, these organizations don't — can't — have effective, ongoing risk monitoring. They tend to focus more on the now rather than the future. "Nothing happened, so we're okay," rather than, "The winds of change are in the air — which they always are — and what does that mean going forward?"
4. Does your organization focus more on internal rather than external risks?
With so much uncertainty in the world (unstable governments, volatility in markets, a lot of arguing and murkiness about the direction of regulations and compliance), it's easy to focus on things you can control. But if, for example, you're a manufacturer with a global reach and you were doing business in Ukraine three years ago without keeping close tabs on the political climate, the Russian takeover of the Crimean Peninsula may have put your operations at risk.
Or, if you're a healthcare provider or a business partner of a healthcare organization, underestimating cyberattacks could put the entire business at risk, not just organizational data, as many executives commonly perceive. These attacks are very real, and they increase the risk of ransomware; leakage of PHI (protected health information) and PII (personally identifiable information); privacy and security breaches; and business disruption. It's important to look at your external risk environment, including your business partners and the access and data you share with them, just as carefully as your internal environment in order to accurately assess and mitigate those risks and minimize their impact.
5. Who owns risk management?
Without clear ownership and accountability for risk management, everyone in the organization assumes someone else is taking care of it. Culturally, it must be embedded across department managers and division vice presidents; it should have distinct practices and processes within the organization and an individual such as an ERM (enterprise risk management) specialist or group to infuse meaning and keep it front and center of the organization. What you don't want is, "Oh, that belongs to internal audit" or "That's risk management's area."
That said, having someone own risk management and making sure that someone is the right person are two distinct needs. Your risk management specialist must understand organizational risks, have the right technical and communications skills and, most importantly, have the capabilities and organizational authority to reconcile risk management processes with overall strategy.
The flip side of risk is opportunity
The most foundational aspect of managing risk across any enterprise is having a common platform and language — in other words, a risk management culture.
Through strategic planning, through management, through your internal audit and controls functions, through your risk specialist, risk management should permeate everything you do and every decision you make. Considering signing a new customer? Will that customer be good for your organization? Will it be profitable, good for your reputation, and good for your staff? Each organization should have a series of questions to ask at any and every decision point to assess risk and stay ahead of it.
A risk management culture presents your organization with opportunities to:
Improve, rather than restrict, performance
We tend to think of risk as limiting and constraining. "Don't do that – it's too risky." But, organizations can't grow without change — entering new markets, acquiring customers, developing new product lines — and opportunities do carry risk. The key is to accurately assess the risks — not overvalue them — and put plans and controls in place to mitigate them. In this way, you can leverage the opportunities that align with your strategy securely and confidently.
Missing opportunities because you're hyper-focused on risk can be just as stifling to growth as jumping in without considering the implications.
Create a clear sight line to your strategic goals
A risk management culture enables an organization to be more nimble, adaptable, and change-ready. No matter what decision you're making, whether related to IT or HR or operations, you must reconcile it with your overall strategy by looking at it through the lens of risk — what are the potential exposures, what are the indicators, what are the controls? This keeps you aligned with your ultimate goal and helps minimize unforeseen hurdles.
Thinking about risk management in this way inherently gives you a sight line down the road, with obstacles in clearer view and early warnings you can use to make course corrections. This is critical since, as good as current results may be, a major sea change usually disrupts the economy every few years. Being change-ready improves your resilience.
Readily communicate when risk events do occur
A deeper understanding of external risks lets you develop appropriate communications plans for when events negatively affect perception of your organization. Having policies, standards, practices, and strategies ready presents you with the opportunity to shape public perception and gain the confidence of your stakeholders, which ultimately contributes to growth.
Have ownership and accountability
If your organization has silos, talking, let alone working, across functions is difficult. But everyone in an organization needs to own risk management. In fact, involving staff enterprisewide in risk management efforts is one way to break down those silos. Who drives the process? Senior leadership, managers, and an insourced or outsourced risk manager who has the latitude to work across the organization.
The time to act is now
We're all busy, caught up in our day-to-day work to satisfy customers and get the product out the door, which too often means taking a reactive rather than proactive approach to risk. But thinking about risk now can keep your organization from becoming the subject of negative press, from incurring fines, penalties, and lawsuits, and from missing strategic targets.
As we tell our clients often, strengthen your risk management culture now, while it still seems like a luxury. Let it fuel growth, keep your reputation untarnished, and support your decision-making. Let it keep you from looking back one day and saying, "If only we had...."