Risk management at the enterprise level is influenced by different pressures. Some are external – such as compliance or regulations – others internal as a result of unfortunate events that may occur within a company. More often than not, you will find that enterprise risk management in an organisation is a separate function operating autonomously or used as a reactive mechanism to fix issues as they arise within a company.
Recently, however, the case for a proactive stance towards risk management is taking more prominence as CEOs and leaders are uncovering the improved business decisions that can be reaped from developing the right risk mindset. Integral to a company’s strategy should be a reimagined risk management: to change this practice from eliminating or minimising risk to a modus operandi where risk management is used to create value, which in turn can lead to increased competitive advantage.
“So far so good”, you may say, “but how can this transition be made?”
1. Start risk management at the top. Risk management needs to be a high-priority topic on the CEO’s or Leader’s agenda. Business leaders must be ready, receptive, and encourage discussions on obstacles and risks that may impact the company’s business plans. Risk management left up to lower level executives could lead to issues being swept under the carpet, or the impulse to shoot the bearer or bad news whenever issues are raised.
2. Incorporate risk management in the company’s business strategy. For risk management to be most effective, it needs to be aligned with the company’s business strategy. The objective underpinning this is to ensure that the company works at identifying all relevant risks that could impact their overall business strategy. This will allow for the two areas to work hand-in-hand, hence allowing for value creation within the company.
3. Integrate risk management across all operations. Risk management must permeate into all the company’s routine management processes, including planning, operations, controlling, and reporting. This collaboration across management from different departments will ensure buy-in at all levels, as opposed to imposing orders top-down without having department managers aware of why certain decisions are being taken.
4. Turn risk management into a culture. Given the importance of integrating risk management into all facets of a company’s operations and activities, the next objective is then to establish a risk-aware culture, where risks are proactively addressed as opposed of having a reactive approach. This changes the end goal from “avoiding risk” to “optimising the risk-return”.
5. Simplify risk management methods. Risk Management methods should be appropriate to the complexity of the company, the industry in which it operates, legal requirements and obligations, data available, and the business model. Rather than focusing on developing absolute precise metrics, companies should aim for a good general understanding of the probabilities and potential impact of various trends. Then prepare mentally to take preventive and/or corrective action.
6. Allow free flow of information. For risk management to be effective, risk-relevant data must be readily available to risk managers and leaders as necessary. Decisions need to be taken based on solid data, and more often than not, the most important data is difficult to access or buried in some remote part of the company, unavailable when needed. Having access to such data will not only allow for more accurate analysis of risks, but also allows for timely escalation of issues, as well as the proper prioritisation of problems for actions to be taken.
7. Accept the ‘uncertainty’ element of risk management. Risk management deals with uncertain futures. Focusing on having exact metrics and forecasts means missing the woods for the trees. Companies need to foster an environment of open discussions where all types of risks can be discussed, analysed and understood. This approach towards risk management cultivates an increased awareness towards risk.
Metrics, systems, and processes are important for risk management and, for some companies, it might indeed be essential to have a formal risk-management function. Having said that, instilling the right risk management mindset and culture is essential to ensure that risk management is rooted in a company’s core day-to-day business and is tailored to the the company’s business requirements.