The point of enterprise risk management is to avoid and minimize disasters, not wait for them to happen. (Third in a series of 4 articles)
You may not have a bomb-disposal squad, but you may have people working with heavy equipment or electricity or other things that could cause severe injury or death if not handled properly. They'll have a very low tolerance for risk. In other parts of your organisation, there are likely people who feel they can't get anywhere without taking risks. It's crucial to have a risk management system that lets you set different risk parameters within each department.
Bomb-disposal teams don't need to be sold on the value of risk management. They know they need to carefully evaluate everything that could go wrong if they want to stay alive. They don't have to be told that the goal is to prevent a problem (i.e. an explosion) rather than wait for the problem to show up and then try to fix it.
If only that mindset could prevail in the accounting department, the marketing apartment and, most importantly, the CEO's office. For too many people, risk management means ticking off boxes on a form, sticking the form in a file cabinet, and then forgetting about it until a problem blows up in their faces (see Top 3 Lessons From IBM and Queensland Health's Billion Dollar Fiasco).
The risks can included a new competitor in the market, or a looming recession, or any number of unwanted changes. While those problems may not arrive with the immediacy of an exploding bomb, the effect can be just as devastating to a company (see Ford's Mediocre Risk Management Led to Australian Plant Closures. That's why risk assessment must be integrated into the business plan, like setting a budget. It must be proactive.
Identify and target risk
Risk management is all about anticipating things that might go wrong, and having a plan to address them. What is the likelihood that a new competitor will enter the market? What would be the most likely consequences if they decide to compete on price? On quality? On image? It really doesn't take much effort to come up with a list of "what if" risks.
Ah, but wait. Surely each department has its own set of risks? You can't impose a one-size-fits-all assessment program on everyone and expect to get any useful results. Risk-assessment must be customized if people are to take it seriously and it provide meaningful value to them. It also must go through continual review as the risks change.
Remember our bomb disposal team? They know that the risks can vary with the device to be defused, the temperature, the humidity, how tired they are, or a dozen other factors.
So, how is a big organisation supposed to get a handle on all the risks and all the possible variations?
First of all, risk management is not something that some executive "does" and imposes on the rest of the staff. Good risk assessment comes from conversations with the people who actually do the work. Talk to them about how they identify problems and would like to handle them. You'll find that they have thought about the topic quite a bit already and are glad to share their knowledge.
To make it easier to cope with many different parameters, we designed Fast Track to be easily customized. With Fast Track, you have a holistic software package -- one that speaks the same language across the operation. Within each department, different risk parameters can be set.
Measure and tweak
A good business plan has milestones. So should the risk management component. When your key performance indicators start to drift off target, your risk management plan will tell you how to get back on course. Properly used, the risk management plan becomes part of a continual feedback loop (also see Apple vs Enron: How Good Corporate Governance Adds Shareholder Value). You'll evaluate what parts of the plan worked and what didn't. You'll make adjustments to reduce future problems.
You'll find that different operations within your organisation have different tolerances for risk. You may not have a bomb-disposal squad, but you may have people who work with heavy equipment or electricity or other things that could cause severe injury or death if not handled properly. They'll have a very low tolerance for risk. You'll also run into more entrepreneurial parts of your organisation where people believe you can't get anywhere without taking risks.
You can't tell people what level of risk they should be comfortable with, but you can educate them on the effects of risk and how to control risks (see Study: Non-Compliance Problems Cost 3X More Than a Strong Compliance Program). Consider something as commonplace as an airline flight. It's ridiculously complex machine flying through the air at more than 800 km/hr. But we rarely give a second thought to climbing aboard. That's because every commercial pilot on every flight goes through a safety checklist before starting the engines. That's putting the lessons of past risk assessments into practice to prevent and mitigate problems today.
If your organisation were an airline, would you feel confident about taking a flight? Get to work on your own risk management plan now and you’ll have a record to brag about.
|10 Essentials Decision Guide
Helps you compare software suppliers.
See recorded demo or request a live one.
Technical specifications, pricing, and more.