Risk management, like quality management, does not operate well in a vacuum. Yet that seems to be the way many companies operate. They perceive risk management, like quality management, to be a necessary evil, at best. At worst, they believe risk management is the parent of bureaucratic inefficiency, taking everyone’s eyes off the prize. Or they believe it causes more problems than it solves.
I’ll give you an example: Sarbanes-Oxley is one of the least well-received pieces of legislation. It instantly made a huge class of potential criminals out of well-run, ethically minded public businesses. Your company didn’t misbehave, but suddenly it was on a long list of possible suspects. Ironically, the US government saw risk where there was none.
Even when the US Congress decided to allow for risk-based internal controls in SOX – ostensibly, to lighten the financial and other burdens of investigation (auditing) and reporting – they focused too much on high-risk situations, not giving much weight to the subjective nature of risk assessment (i.e., you say it’s risky, I say it’s not) or to a holistic approach to risk management.
Effective risk management cannot be legislated into existence any more than common sense can. For your organization to manage risk effectively, risk management must be an essential, integral part of your operations. It cannot be one person – the Risk Manager – running the entire show on an “as needed” (i.e., when we get around to it) basis. Risk management has to be systemic and ongoing. It has to permeate the entire organization.
Consider the following points:
- Your risk manager will function most effectively with the support of the entire organization. Top management must communicate the importance of managing risk throughout the organization.
- Everyone in the organization has a unique perspective on risk. Ensure that all employees have input to management, that employee input is not filtered by management biases or preferences, and that employees are encouraged to participate. Let them know their opinions are being heard and are valued.
- Allowing everyone to participate gives everyone ownership of risk management. Every employee has a stake in the outcome – no one is “along for the ride”. Let every employee play an active role in risk management.
- Top management must be inclusive where risk management is concerned. There are fewer than 24 hours in a workday, believe it or not, and even if there were 24 hours (or more), no one can do it all. Leverage the skills and knowledge of your employees.
- Train everyone, to the extent possible, on the concepts of risk and risk management. Show them how to spot risks and deal appropriately with them. Make sure employees know what risks they face in their day-to-day operations and the impact they may have on the business.
- Be sure to measure and monitor risk management activities/efforts. Continually analyze and evaluate your risk controls.
- What worked a decade ago – or even last year – may not work today. Don’t think your risk controls are final and forever. Change is the one constant in business – better to change than be changed.
These are some of the keys to risk management in your organization. By no means is this an all-inclusive list, nor does it have enough detail. Exactly how your organization practices risk management is a product of your unique situation and needs.
If you remember one thing, it should be this: risk management doesn’t work well – if at all – in a vacuum. You need someone to lead your risk management efforts, sure, but everyone in the organization has a part to play. Make the most of all of your resources and you’ll be amply rewarded.