Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.


Status message

This is subscriber-only content, you are viewing with temporary unrestricted access. For full access, being your free, no obligation 5-day trial.

Ten simple ways to manage risk … or not

Richard M. Steinberg | January 23, 2017

Much is written about risk, with directives to senior executives on how to manage it effectively and to boards on how to provide meaningful oversight. But what we read is comprised not only of the good, but also the bad and the ugly, causing intelligent executives and directors to struggle to recognize what really makes sense.

In an attempt to bring some light to the topic, outlined here are the ugliest of the ugly ways for companies to manage risk. It’s a “top ten” list, ala the no-longer-late night TV host David Letterman, which hopefully will provide insight into exactly what not to do!

10. Be sure to call your process “ERM.” “Enterprise risk management” is the catchword of the day, and executives can and do say that their risk management activities represent an ERM process. While “ERM” defines a risk management process that conforms to specified criteria, there seems to be no downside in telling people and the world that your company indeed has ERM—whether it does or does not! Saying you have ERM will certainly impress your stakeholders. Okay, you might not be gaining the benefits of a true ERM process, but you can go on the basis that few will know the difference, and if they do they won’t really care.

9. Design your process based on reporting to your board of directors. Since the board of directors needs important information on risk management, any process should be geared first and foremost to reporting to the board. It doesn’t matter how that information is garnered, or whether it’s complete—just focus on getting the board a list of the top-ten risks, and move on to more important things. This way the board won’t need to waste its time considering either the effectiveness of the risk management process, or how management knows what risks are present or might be emerging.

8. Make good use of spreadsheets. Feel at ease with your organization using Excel spreadsheets to inventory, communicate, and manage your company’s risks. They’re easy to use, and managers and staff are familiar with them. There’s no need to use any of the vast array of technology products on the market that facilitate not only inventorying risks, but also identifying actions to mitigate or otherwise manage risks, assign accountability and related timing requirements, and to communicate across business units and upstream to help ensure the company is dealing effectively with individual risks and those that might affect other units, divisions, or functions. The spreadsheet approach is especially useful for larger, multinational organizations. By keeping it simple you’ll avoid a need for investment and training in using any of these products, and will keep line of sight solely within individual units.

7. It’s best to use a risk checklist. Because you need to be concerned only with what has already happened, you can use any of a number of commercially available checklists of past risks events. There’s no need to begin with your business objectives and identify what might adversely affect their achievement. Using a checklist is quick and easy, and you won’t need to waste time thinking a whole lo, and can check the box and report that everything is under control.

Hopefully, your management and board are sufficiently enlightened where you indeed know what goes into making a risk management process work well. I hope the above outline has not been terribly off-putting, but rather provides an opportunity to home in on what you might want to consider in making your risk management process—which hopefully is an enterprise risk management process—truly effective.

6. Consider only what might go wrong. We know that risk is about bad things happening, and that should be the sole focus of risk management. Time is valuable, and there’s no sense wasting it on things like potential events that would create opportunities for the company. Look for the bad stuff, and then go about managing and overseeing current business activities.

5. Presume management and the board are on the same page. With ongoing interactions between management and directors about company strategy, operations and other activities, you can presume you all are in sync about how much and what kinds of risk to take. We all know that risk appetite always is well understood and agreed to by the CEO and executive team and the board, so there’s no need to spend any time discussing it.

4. Don’t worry about what has never happened. If an event has never affected your company, then why worry about it? Even if such events have damaged competitors or others, it surely can’t happen to your company, because you’re better than they are. Think of risk management as dealing with things that have already occurred and might reoccur within your own organization, which makes life easier than trying to worry about other companies’ misfortunes, and certainly much easier than having to think outside the box about what new events might come out of the blue. There’s no need to consider disruptive technologies or other “game changers” that could cause your products/services to become obsolete or that offer significant opportunities.

3. Don’t waste time with risk in strategy development. Strategic planning of course is about identifying how you want to accomplish your broad business objectives and what you need to do right to get there. So why waste time with a negative mindset of what could go wrong? Risks are for the timid and worried; your managers are “can do” people and it’s right to maintain a completely positive attitude that things will go exactly as planned.

2. Don’t worry about internal communications. Senior management should feel comfortable automatically presuming that managers throughout the organization know well what is expected of them regarding identifying, analyzing, managing and reporting risks, and that they’re doing just that on an ongoing basis. There’s no need for ongoing communications from top management and related follow-up as part of the normal management process. As such, top management and the board shouldn’t feel a need to ensure communications channels are operating, where managers throughout are making business decisions with good knowledge of the related risks, and are discussing planned risk-based actions upstream, with senior managers ensuring that they’re comfortable with their direct reports’ decision making.

[Drum roll] And now, for the number one way to manage risk:

1. Place direct responsibility for risk management in the hands of the CRO. It’s always best to place responsibility for any initiative or process in the hands of one executive, and for risk management that’s the chief risk officer. Although the CEO and his or her direct reports and line managers throughout the organization are best positioned to deal with identifying and managing risks and opportunities in their spheres of responsibility, they have too many more important things on their plates. And even though it’s not possible for one staff executive—the CRO—to gain sufficient line of sight into what risks and opportunities exist throughout the business, it’s always best to manage risk from the CRO’s central, lofty location. Seeing that the risk management process is well designed, providing necessary support to line managers, ensuring communication processes are working well, and monitoring the process is not enough for a CRO—no, it’s important that the CRO also somehow has responsibility for effective risk identification and decision making throughout the company.

Conclusion. If you’re adhering to one or more of these “principles,” you might want to give a bit more thought to how your organization is managing risk. Hopefully, your management and board are sufficiently enlightened where you indeed know what goes into making a risk management process work well. I hope the above outline has not been terribly off-putting, but rather provides an opportunity to home in on what you might want to consider in making your risk management process—which hopefully is an enterprise risk management process—truly effective.