Enterprise risk management is a scalable, holistic approach to improved decision-making that consolidates and organizes risk information from across an organization. No longer limited to a risk manager’s monthly report, ERM is becoming a fundamental part of business success. By embracing ERM and creating a risk management culture, organizations can drive business performance, innovation and growth, while protecting company reputation and shareholder value. For many businesses, demonstrating that they have a clear, auditable risk management process has become a critical factor in winning new business.
Unfortunately, too many business leaders still perceive risk management as a complex undertaking. In reality, there are six simple steps to follow for effective risk management, regardless of the industry, vertical, size or scope of the project or company.
1. Identify your risks: Ask employees from across the business to identify the risks they are facing. It is critical to identify all risks, including risks that are low probability but high impact, which may have been ignored in the past. While each employee may only be aware of those risks involving his or her projects, getting everyone into the same room quickly yields a more comprehensive list.
2. Analyze your risks: Once the risks have been identified, you can evaluate them. How likely is it that the event will occur? Who and what will be affected? What are the business ramifications? Most risks have more than just a financial impact, so all business implications should be considered, including the effect on schedules, budgets, customer loyalty and brand perception. This analysis should help reveal how seemingly separate risks relate to one another, and some of the connections may be surprising. For example, several different project teams may be relying on the same supplier or the same piece of equipment but with different schedule and budget requirements, and taken together that might magnify a problem. At the end of this process, you should have a comprehensive list or database of risks that can be organized by probability and degree of impact.
3. Control your risks: Once your risks have been analyzed, you can determine the best course of action for managing each of them. This involves considering the business impact versus the likelihood of an occurrence and the cost of controlling or mitigating the risk. Where corrective action makes sense, options to review include possible steps for risk reduction, risk transfer and insurance. By the end of this process, you should have a clear picture of all relevant risks, how they interrelate to one another and how they will be managed moving forward.
4. Monitor your risks: Monitoring is all about accountability. An individual or team should be assigned to monitor each risk and given responsibility for executing the mitigation plan created during the Control step. Accountability is a critical part of an effective ERM program. The organization is only protected and value is only captured if the plan-of-attack developed in step three is effectively implemented, monitored and kept up to date.
5. Improve your risk management: By reviewing what was learned during the first four steps, a company has the chance to streamline and enhance its ERM process and risk culture. Are the right people involved? What new risks have been identified? How can the business improve the way it manages existing risks? Organizations should reward not penalize those who share risk information. The sooner a risk is identified, the easier and less costly it usually is to prevent it from happening or reduce its impact.
6. Report on your progress: Systematic reporting allows you to share your progress and results with executive management and external stakeholders. A best practice is to build reporting into your organization’s management meeting cycle, so that the right information is available in the right format at the right time. Creating a reporting system also ensures that ad hoc questions from senior management can be answered with confidence at any time.
Risk management is most effective when it becomes an accepted part of company’s culture and employees are given a stake in the outcome through their key performance indicators. Important contractors and suppliers should also be involved in the process and should implement the same risk management process themselves. Effective risk management is a win-win scenario, and all parties — management, employees, stakeholders, partners and customers — will benefit from improved business performance and stronger, more effective relationships.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access