The Risk Intelligent Enterprise™
Fundamental steps to help your company take on risk intelligently and effectively
Intelligent risk management practices must be tailored to specific circumstances and needs. Whether your company has an established mature risk management program or you are in the initial stages, some of the steps included here may apply to your situation; others may have been addressed long ago. But all are key to creating the Risk Intelligent Enterprise™.
1. Establish an overall framework, policy and process for assessing and managing risk.
Does your company have an overall risk framework that addresses the risks the company is exposed to, how it views those risks, and how it manages them? Does your company have a risk policy? If not, establishing a risk policy is the first step.
But policies alone won’t create a Risk Intelligent Enterprise™. You also need to have a process for assessing and managing risk. Directors should challenge management to demonstrate a systematic and disciplined process for risk identification, assessment and prioritization; risk response; and risk monitoring and reporting. Executives should provide regular updates to the board and audit committee to demonstrate that their risk processes perform as expected and that reports on risk are reliable.
2. Identify key risks and vulnerabilities and the plans to address them. Assess value and determine where risks could impact value.
Engage in scenario planning: What are the alternative futures? What could cause you to fail? What are the mission-critical risks that could have the highest adverse impact on company value and strategic objectives? Where are you most vulnerable? What are the early warning signals, and how will you recognize them? A key characteristic of effective Risk Intelligence is the ability to separate irrelevant from relevant information.
An important consideration in this area is the problem of multiple risks in combination. Consider how risks may interact, keeping in mind that risks don’t respect organizational boundaries. What are you doing to address those risks? And how do you know it’s working?
3. Establish your risk appetite. Determine how much risk you have taken on. Decide whether you can take on more or should take on less.
How much risk is your company willing to accept? What is your capacity to bear risk? How much of your capital or existing assets are you willing to put at risk at any one time? How much risk are you willing to take to achieve future growth? How resilient are you in the face of an extreme event?
The key question that is often overlooked: Are you intelligently taking enough risk? The implications of practising risk avoidance without pursuing rewarded risk-taking may include missed business opportunities, decreased competitiveness and, ultimately, the demise of the business. Businesses must take risks to be competitive.
4. Decide who has responsibility and authority to take risk on behalf of the company.
Surprisingly, a number of companies fall short in this area; the roles and responsibilities around risk are often unclear and misunderstood. How will responses be integrated and coordinated across the entire enterprise? Specificity is a necessity: What powers are reserved for the board? Who can commit the company? When can authority be delegated? What are the escalation procedures for “red flag” risks? Who, if anyone, has the ability to “bet the farm”?
5. Determine your capability to manage risk on an integrated and sustainable basis.
The Risk Intelligent Enterprise™ cannot be achieved overnight. In most cases, organizations will move through distinct stages of development. The lowest state of risk management capability is characterized by an ad hoc (if not chaotic) approach that depends highly on individual responses and often “heroic” efforts in the absence of more systematic approaches. Once specializations have emerged, subsequent stages will involve moving risk management out of “silos” and toward a fully integrated and coordinated response.
The highest state of capability will build risk considerations into corporate strategy and the decision-making process, with a proper emphasis on risk-taking for future growth and reward, as well as the protection of existing assets. In the fully developed Risk Intelligent Enterprise™, risk management is viewed not as a project but part of the culture, the way of doing business. Risk Intelligence is all about enterprise management.