Corporate Governance Roles and Responsibilities Part V

Corporate Governance Roles and Responsibilities Part V – Enterprise Risk Management

Many times I am told that enterprise risk management is only for large organisations with experts who can do the assessments, or that it is only for banking or other regulated industries. This article will attempt to show the need for risk management within the arena of Corporate Governance. It is unfortunate to hear that business leaders don’t see the value in implementing risk management practices within their organisation. This could be due to a lack of understanding of the processes or of the value of implementing risk strategies.

Leading organisations around the world have entire teams dedicated to risk management and business continuity, which is not always possible for smaller organisations. Within the Corporate Governance framework the need for risk management is clear, as its implementation supports the sustainability of the business and reduces the risk to reputation, revenue, interruptions, loss, information security breaches, human behaviour breaches and market or competitive risks.

Risk management tools and methodologies can be applied to every aspect of your business without the need to make them complicated “rocket science”. Even NASA risk management methodologies are usable by the ordinary man.

Risk management techniques and methodology support the business in many ways including the evaluation of hazards and risks to the business, control measures currently operating within the business and possible mitigation actions required to ensure the reduction of losses.

One of the largest risks in the business is the risk of reputational damage. It can take years to build a good reputation in a market and one single incident to tarnish that reputation for many years to come. Reputational damage can also come from association with another organisation in your value chain whose unethical behaviour you were not aware of.

Another overlooked risk is business interruption, where an incident results in your business being unable to meet its commitments. These can include a fire in the warehouse or factory, a delayed or confiscated shipment, loss of information technology capabilities, loss of a key individual (e.g. the owner), loss of a large customer, an economic downturn, a pandemic or any other major incident which causes your business to grind to a halt or slow down to an unsustainable level.

The list of risks to a business can be exhaustive, and in many cases this is what puts non-risk people off implementing risk management methodologies. Within the responsibilities of Corporate Governance it is a requirement to assess the risks associated with your business and to implement controls to ensure the risks are managed within the levels of risk you will accept. For example, if 90% of your business is with one key customer that is a government entity, what is the risk of the government deciding to put the requirement out to tender and award the contract to the lowest bidder, who may not be you? What are the controls involved? What mitigation actions do we want to implement?

The role and responsibility of the risk team includes:

  • Creating a risk register where all the risks associated with the operations of the organisation are captured in a single place.
  • Conducting risk assessments to identify the severity of the risks, assess the controls currently in place within the organisation and identify the residual risk remaining provided the controls are functional. This will assist management to understand and prioritise controls, or to accept the risk as part of the business strategy.
  • Once all the risks have been identified and assessed, management may decide to reduce certain risks by implementing additional controls and mitigation actions which will assist the organisation to manage the risks. Additionally, management should prepare contingency plans and action plans for when incidents occur, to reduce the impact on the business, e.g. business continuity plans where the emergency response actions are outlined in advance from a place of calm rather than in the heat of an emergency.
  • Testing and measuring risk controls and contingencies, e.g. vulnerability testing of your information technology systems to confirm that the controls in place actually prevent unauthorised access.
  • Advising management and operational functions on the risks and controls to ensure all employees are aware of the risks and actively work to control them. Human behaviour in many businesses is categorised as the highest risk.

Although risk management is a skill, it is also common sense, and most people can and do practise risk management techniques on a daily basis.

As an ethical and responsible management team you are responsible for identifying the risks associated with the business and for putting controls in place to ensure that the business and all the stakeholders’ interests are understood and managed.