Lean into risk: Break barriers to opportunity and growth
We often hear C-suite executives voice misconceptions about business risk in ways that concern us. “Our IT department has cybersecurity covered.” “We have insurance.” “If a key supplier bails, our supply chain team will re-source.” Sound familiar?
Many business leaders think of risk as something to be avoided at all costs, without consideration of opportunity. But business risk is inescapable. Successful organizations don’t innovate and grow without it. And yet leaders often let an outdated, siloed, regressive view drive their organization’s risk management activities.
We’d like to see that change, for business leaders to think about, and understand, risk in new ways — as a holistic and strategic consideration for every organization, from manufacturers and financial institutions to B2B, B2C, and not-for-profit enterprises.
In fact, for an organization to keep pace with evolving threats — economic volatility, cybersecurity events, supply chain disruption, to name only a few — it must redefine its relationship with risk and address risk in ways that align with core strategic goals. In other words, out with risk as reactive and in with risk as proactive, informed, innovative, and opportunistic.
So how can organizational leaders shift their perspective?
Understand your holistic risk environment
Taking a holistic view of risk means that your leadership team considers what could go wrong as the organization pursues its strategic goals. On a tactical level, it means engineering indicators and controls to prevent, identify, assess, and respond to those risks — efficiently and effectively.
Take cybersecurity, for example. Cybersecurity risk ownership is often delegated to the IT department, but every department should play a role in addressing cyber risk. Too often, business decisions are made prior to any downstream consideration of cyber risk, which forces organizations to retrofit existing technical controls to address new risk. This reactive, square-peg-round-hole approach often leads to flaws in procedure, gaps in training, or weaknesses in technical controls.
Cybersecurity must be addressed holistically to be effective — proactively identifying risks and gaps in controls and managing them — from multiple perspectives: not just IT’s perspective but compliance, legal, HR, and other areas of the business. It requires understanding the organization’s risk footprint, what controls are in place, and ultimately, homing in on the residual risks to build a risk management strategy around them.
Such a holistic view requires a cross-functional team, one that is knowledgeable about the organization’s strategic plan as well as its operations. Team members must have the experience to identify meaningful risks to the organization at both the enterprise and process levels. The team must understand how those risks stack up relative to one another across the organization and how efforts to minimize and respond to them should be prioritized. The honest conversation and analysis baked into a cross-functional approach to risk are critical.
Arm your organization to take calculated risks with proactive risk planning
Understanding and addressing risk in a holistic way enables your organization to build a stronger, more resilient risk management infrastructure. From a well-established base, you then can take calculated risks in pursuit of new ventures and growth. That’s a good thing; a deliberate approach to managing threats makes organizations more agile — and well-prepared to execute strategies in alignment with their objectives. It’s taking a structured approach but not so structured that your organization becomes inflexible. It’s developing the capacity to be nimble and respond to the unexpected. That’s the beauty and the challenge — staying on top of current risks while acknowledging the business environment can change quickly.
But calculated risk requires measurable metrics. Successful organizations build key risk indicators (KRIs) into their pursuits. Similar to key performance indicators, KRIs identify deviations from expectation. Successful organizations also design protocols and controls to address those deviations as they pursue their strategy.
This requires a hard look at your internal control environment — strengthening internal controls and ensuring there’s alignment with relevant organizational risks. A structured approach includes clear communication around those protocols, controls, and expectations so when a risk is detected, individuals across the organization know what to do to minimize the potential downside impact.
Let’s again take cybersecurity to illustrate. Imagine a breach, one that’s quickly detected by your event monitoring procedures and system controls. What are your response protocols to isolate hacker activity; eradicate viruses, malware, or ransomware; recover lost data or downed systems; and resume operations nearly seamlessly? To be effective, those controls and protocols will include technical activities (led by IT), procedural activities (led by business units), and the actions of your people, who were prepared for the event through organization-wide awareness and training.
Leverage risk planning beyond risk to drive improvement
It may sound counterintuitive, but the risk planning process can help organizations uncover opportunities for improvement. Consider your supply chain. The overarching goal of risk planning is business continuity, and this requires your business to stay abreast of your suppliers’, their suppliers’, and your service providers’ health. Actively monitoring the performance of your supply chain using KPIs and other visualization techniques will highlight supply chain risks. They also let you strengthen business performance by highlighting opportunities for process improvement — instilling a continuous improvement mindset. In other words, the same measurement enables you to proactively address risk, while improving performance. As another example, risk planning around inventory management and outbound logistics can help businesses optimize their inventory levels and distribution network. Same approach, multiple purposes, powerful impact.
Align risk and strategy for innovation, growth, and profitability
Managing risk is about business continuity, yes, and also about creating a foundation to spur growth, innovation, and profitability. And herein lies opportunity. A stable risk environment with good controls in place helps organizations better understand, and potentially even leverage, emerging threats.
Aligning risk, present and anticipated, with your strategic plan is crucial to ensure you lead the organization toward its goals in a way that minimizes threats and optimizes opportunities. As you’re planning, each pillar of your strategic plan should account for every risk you identify. If it doesn’t, it may not be a mission-critical risk, in which case you should question whether the activity really is moving the organization toward its identified aims.
Feeling comfortable with risk and taking an informed approach to managing it helps organizations fail fast and move on, key to an innovative mindset that prioritizes healthy risk in pursuit of strategic objectives. On the flip side, a purely defensive, protective, unyielding stance with respect to risk might seem “safe,” but it’s unproductive. It won’t drive growth.
Challenge yourself to redefine risk
Organizations should always be asking, What’s our opportunity? What’s our strategic goal? What’s the vision, and how do we get there? What are the hurdles and pitfalls, the detours we might need to make along the way? And, holistically, how do we proactively address those? Then be sure the answers are consistently communicated and executed — without deviation — throughout the rest of your organization.
Easy? Not necessarily. But the upside is clear: a chance to create a comprehensive risk plan that connects functional areas, enables continuous improvement, aligns with organizational strategy, and supports innovation, growth, and profitability. You can’t always avoid risk — so don’t. Lean into it, shift your perspective, and push your risk strategy beyond the conventional.