Is one of the most important and pervasive concepts that can be applied at all levels of management?
Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings. These risks stem from a variety of sources, including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents and natural disasters.
A successful risk management program helps an organization consider the full range of risks it faces. Risk management also examines the relationship between risks and the cascading impact they could have on an organization's strategic goals.

This holistic approach to managing risk is sometimes described as enterprise risk management because of its emphasis on anticipating and understanding risk across an organization. In addition to a focus on internal and external threats, enterprise risk management (ERM) emphasizes the importance of managing positive risk. Positive risks are opportunities that could increase business value or, conversely, damage an organization if not taken.

Indeed, the aim of any risk management program is not to eliminate all risk but to preserve and add to enterprise value by making smart risk decisions. "We don't manage risks so we can have no risk. We manage risks so we know which risks are worth taking, which ones will get us to our goal, which ones have enough of a payout to even take them," said Forrester Research senior analyst Alla Valente, a specialist in governance, risk and compliance.

Thus, a risk management program should be intertwined with organizational strategy. To link them, risk management leaders must first define the organization's risk appetite -- i.e., the amount of risk it is willing to accept to realize its objectives. The formidable task is to then determine "which risks fit within the organization's risk appetite and which require additional controls and actions before they are acceptable," explained Notre Dame University Senior Director of IT Mike Chapple in his article on risk appetite vs. risk tolerance. Some risks will be accepted with no further action necessary. Others will be mitigated, shared with or transferred to another party, or avoided altogether.

Every organization faces the risk of unexpected, harmful events that can cost it money or cause it to close.
Risks untaken can also spell trouble, as the companies disrupted by born-digital powerhouses such as Amazon and Netflix will attest. This guide to risk management provides a comprehensive overview of the key concepts, requirements, tools, trends and debates driving this dynamic field. Throughout, hyperlinks connect to other TechTarget articles that deliver in-depth information on the topics covered here, so readers should be sure to click on them to learn more.

Risk appetite and risk tolerance are important risk terms that are related but not the same.

Why is risk management important?

Risk management has perhaps never been more important than it is now. The risks modern organizations face have grown more complex, fueled by the rapid pace of globalization. New risks are constantly emerging, often related to and generated by the now-pervasive use of digital technology. Climate change has been dubbed a "threat multiplier" by risk experts. A recent external risk that manifested itself as a supply chain issue at many companies -- the coronavirus pandemic -- quickly evolved into an existential threat, affecting the health and safety of their employees, the means of doing business, the ability to interact with customers and corporate reputations.

Businesses made rapid adjustments to the threats posed by the pandemic. But, going forward, they are grappling with novel risks, including how or whether to bring employees back to the office and what should be done to make their supply chains less vulnerable to crises. As the world continues to reckon with COVID-19, companies and their boards of directors are taking a fresh look at their risk management programs. They are reassessing their risk exposure and examining risk processes. They are reconsidering who should be involved in risk management.
Companies that currently take a reactive approach to risk management -- guarding against past risks and changing practices after a new risk causes harm -- are considering the competitive advantages of a more proactive approach. There is heightened interest in supporting sustainability, resiliency and enterprise agility. Companies are also exploring how artificial intelligence technologies and sophisticated governance, risk and compliance (GRC) platforms can improve risk management.

Financial vs. nonfinancial industries. In discussions of risk management, many experts note that at companies that are heavily regulated and whose business is risk, managing risk is a formal function. Banks and insurance companies, for example, have long had large risk departments, typically headed by a chief risk officer (CRO), a title still relatively uncommon outside of the financial industry. Moreover, the risks that financial services companies face tend to be rooted in numbers and therefore can be quantified and effectively analyzed using known technology and mature methods. Risk scenarios in finance companies can be modeled with some precision. For other industries, risk tends to be more qualitative and therefore harder to manage, increasing the need for a deliberate, thorough and consistent approach to risk management, said Gartner analyst Matt Shinkman, who leads the firm's enterprise risk management and audit practices. "Enterprise risk management programs aim to help these companies be as smart as they can be about managing risk."

Traditional risk management vs. enterprise risk management

Traditional risk management tends to get a bad rap these days compared to enterprise risk management. Both approaches aim to mitigate risks that could harm organizations. Both buy insurance to protect against a range of risks -- from losses due to fire and theft to cyber liability. Both adhere to guidance provided by the major standards bodies.
But traditional risk management, experts argue, lacks the mindset and mechanisms required to understand risk as an integral part of enterprise strategy and performance. For many companies, "risk is a dirty four-letter word -- and that's unfortunate," said Forrester's Valente. "In ERM, risk is looked at as a strategic enabler versus the cost of doing business."

"Siloed" vs. holistic is one of the big distinctions between the two approaches, according to Gartner's Shinkman. In traditional risk management programs, risk has typically been the job of the business leaders in charge of the units where the risk resides: the CIO or CTO is responsible for IT risk, the CFO for financial risk, the COO for operational risk, and so on. The business units might have sophisticated systems in place to manage their various types of risks, Shinkman explained, but the company can still run into trouble by failing to see the relationships among risks or their cumulative impact on operations.

Traditional risk management also tends to be reactive rather than proactive. "The pandemic is a great example of a risk issue that is very easy to ignore if you don't take a holistic, long-term strategic view of the kinds of risks that could hurt you as a company," Shinkman said. "A lot of companies will look back and say, 'You know, we should have known about this, or at least thought about the financial implications of something like this before it happened.'"

Here's a primer on risk exposure and how it is calculated.

In enterprise risk management, managing risk is a collaborative, cross-functional and big-picture effort. An ERM team, which could be as small as five people, works with the business unit leaders and staff to debrief them, help them use the right tools to think through the risks, collate that information and present it to the organization's executive leadership and board.
Having credibility with executives across the enterprise is a must for risk leaders of this ilk, Shinkman said. These types of experts increasingly come from a consulting background or have a "consulting mindset," he said, and possess a deep understanding of the mechanics of business. Unlike in traditional risk management, where the head of risk typically reports to the CFO, the heads of enterprise risk management teams -- whether they hold the chief risk officer title or some other title -- report to their CEOs, an acknowledgement that risk is part and parcel of business strategy.

In defining the chief risk officer role, Forrester Research makes a distinction between the "transactional CROs" typically found in traditional risk management programs and the "transformational CROs" who take an ERM approach. The former work at companies that see risk as a cost center and risk management as an insurance policy, according to Forrester. Transformational CROs, in the Forrester lexicon, are "customer-obsessed," Valente said. They focus on their companies' brand reputations, understand the horizontal nature of risk and define ERM as the "proper amount of risk needed to grow."

Risk aversion is another trait of traditional risk management organizations. But as Valente noted, companies that define themselves as risk averse with a low risk appetite are sometimes off the mark in their risk assessment. "A lot of organizations think they have a low risk appetite, but do they have plans to grow? Are they launching new products? Is innovation important? All of these are growth strategies and not without risk," Valente said.

To learn about other ways in which the two approaches diverge, check out technology writer Lisa Morgan's "Traditional risk management vs. enterprise risk management: How do they differ?" In addition, her article on risk management teams provides a detailed rundown of roles and responsibilities.
Risk management process

The risk management discipline has published many bodies of knowledge that document what organizations must do to manage risk. One of the best-known sources is the ISO 31000 standard, Risk Management -- Guidelines, developed by the International Organization for Standardization, a standards body commonly known as ISO. ISO's five-step risk management process comprises the following and can be used by any type of entity:
The steps are straightforward, but risk management committees should not underestimate the work required to complete the process. For starters, it requires a solid understanding of what makes the organization tick. The end goal is to develop the set of processes for identifying the risks the organization faces, the likelihood and impact of these various risks, how each relates to the maximum risk the organization is willing to accept, and what actions should be taken to preserve and enhance organizational value. "To consider what could go wrong, one needs to begin with what must go right," said risk expert Greg Witte, a senior security engineer for Huntington Ingalls Industries and an architect of the National Institute of Standards and Technology (NIST) frameworks on cybersecurity, privacy and workforce risks, among others. When identifying risks, it is important to understand that, by definition, something is only a risk if it has impact, Witte said. For example, the following four factors must be present for a negative risk scenario, according to guidance from the NIST Interagency Report (NISTIR 8286A) on identifying cybersecurity risk in ERM:
While the NIST criteria pertain to negative risks, similar processes can be applied to managing positive risks.

Experts weigh in on how enterprise risk management is evolving.

Top-down, bottom-up. In identifying risk scenarios that could impede or enhance an organization's objectives, many risk committees find it useful to take a top-down, bottom-up approach, Witte said. In the top-down exercise, leadership identifies the organization's mission-critical processes and works with internal and external stakeholders to determine the conditions that could impede them. The bottom-up perspective starts with the threat sources (earthquakes, economic downturns, cyber attacks, etc.) and considers their potential impact on critical assets.

Risk by categories. Organizing risks by categories can also be helpful in getting a handle on risk. The guidance cited by Witte from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) uses the following four categories:
Another way for businesses to categorize risks, according to compliance expert Paul Kirvan, is to bucket them under four basic risk types: people risks, facility risks, process risks and technology risks.

The final task in the risk identification step is for organizations to record their findings in a risk register. It helps track the risks through the subsequent four steps of the risk management process. An example of such a risk register can be found in the NISTIR 8286A report cited above. Witte provides an in-depth analysis of the entire process in his article, "Risk management process: What are the 5 steps?"

Risk management glossary

The risk management field employs many terms to define the various aspects and attributes of risk management. Click on the hyperlinks below to learn more.

What is pure risk?

Risk management standards and frameworks

As government and industry compliance rules have expanded over the past two decades, regulatory and board-level scrutiny of corporate risk management practices has also increased, making risk analysis, internal audits, risk assessments and other features of risk management a major component of business strategy. How can an organization put this all together? The rigorously developed -- and evolving -- frameworks produced by the risk management field will help. Here is a sampling, starting with brief descriptions of the two most widely recognized frameworks. For more detail on them, readers should consult security expert Michael Cobb's analysis of ISO 31000 vs. COSO, which delves into their similarities and differences and how to choose between the two:
As Cobb notes in his comparison article, COSO's updated version highlights the importance of embedding risk into business strategies and linking risk and operational performance.
Enterprises might also consider establishing frameworks for specific categories of risks. Carnegie Mellon University's enterprise risk management framework, for example, examines potential risks and opportunities based on the following risk categories: reputation, life/health safety, financial, mission, operational and compliance/legal.

Risk management teams choose different options to address risks, depending on the likelihood of their occurring and the severity of their impact.

What are the benefits and challenges of risk management?

Effectively managing risks that could have a negative or positive impact on capital and earnings brings many benefits. It also presents challenges, even for companies with mature governance, risk and compliance strategies. Benefits of risk management include the following:
The following are some of the challenges risk management teams should expect to encounter:
How to build and implement a risk management plan

A risk management plan describes how an organization will manage risk. It lays out elements such as the organization's risk approach, the roles and responsibilities of the risk management teams, the resources it will use to manage risk, and its policies and procedures. ISO 31000's seven-step process is a useful guide to follow, according to Witte. Here is a rundown of its components:
For more detail on what each step entails, consult Witte's article on ERM frameworks and their implementation in the enterprise.

Risk management best practices

A good starting point for any organization that aspires to follow risk management best practices is ISO 31000's 11 principles of risk management. According to ISO, a risk management program should meet the following objectives:
Another best practice for the modern enterprise risk management program is to "digitally reform," said security consultant Dave Shackleford. This entails using AI and other advanced technologies to automate inefficient and ineffective manual processes.

Here are some of the top reasons risk management programs fail.

Risk management limitations and examples of failures

Risk management failures are often chalked up to willful misconduct, gross recklessness or a series of unfortunate events no one could have predicted. But, as technology journalist George Lawton pointed out in his examination of common risk management failures, risk management gone wrong is more often due to avoidable missteps -- and run-of-the-mill profit-chasing. Here is a rundown of mistakes to avoid.

Poor governance. The 2020 tangled tale of Citigroup accidentally paying off a $900 million loan to Revlon's lenders, using its own money, when only a small interest payment was due shows how even the largest bank in the world can mess up risk management -- despite having updated policies for pandemic work conditions and multiple controls in place. Human error and clunky software were involved, but ultimately a judge ruled poor governance was the root cause. Citigroup was fined $400 million by U.S. regulators and agreed to overhaul its internal risk management, data governance and compliance controls.

Overemphasis on efficiency vs. resiliency. Greater efficiency can lead to bigger profits when all goes well. Doing things quicker, faster and cheaper by doing them the same way every time, however, can result in a lack of resiliency, as companies found out during the pandemic when supply chains broke down. "When we look at the nature of the world … things change all the time," said Forrester's Valente. "So, we have to understand that efficiency is great, but we also have to plan for all of the what-ifs."

Lack of transparency. The scandal involving the misrepresentation of coronavirus-related deaths at New York nursing homes by the governor's office is representative of a common failing in risk management. Hiding data, lack of data and siloed data -- whether due to acts of commission or omission -- can cause transparency issues. As risk expert Josh Tessaro told Lawton, "Many processes and systems were not designed with risk in mind." Data is disconnected and owned by different leaders. "Risk managers often then settle for the data they have that is easily accessible, ignoring critical processes because the data is hard to get," Tessaro said.

Limitations of risk analysis techniques. Many risk analysis techniques, such as creating a risk model or simulation, require gathering large amounts of data. Extensive data collection can be expensive and is not guaranteed to be reliable. Furthermore, the use of data in decision-making processes may have poor outcomes if simple indicators are used to reflect complex risk situations. In addition, applying a decision intended for one small aspect of a project to the whole project can lead to inaccurate results.

Lack of risk analysis expertise. Software programs developed to simulate events that might negatively impact a company can be cost-effective, but they also require highly trained personnel to accurately understand the generated results.

Illusion of control. Risk models can give organizations the false belief that they can quantify and regulate every potential risk. This may cause an organization to neglect the possibility of novel or unexpected risks.

Risk management for career professionals

The following articles provide resources for risk management professionals:

What is a risk management specialist?
Top risk management skills and how they help you do your job
Important enterprise risk management certifications for risk professionals

Risk management trends: What's on the horizon?

The spotlight shined on risk management during the COVID-19 pandemic has driven many companies not only to reexamine their risk practices but also to explore new techniques, technologies and processes for managing risk. As Lawton's reporting on the trends that are reshaping risk management shows, the field is brimming with ideas. More organizations are adopting a risk maturity framework to evaluate their risk processes and better manage the interconnectedness of threats across the enterprise. They are looking anew at GRC platforms to integrate their risk management activities, manage policies, conduct risk assessments, identify gaps in regulatory compliance and automate internal audits, among other tasks. New GRC features under consideration include the following:
In addition to using risk management to avoid bad situations, more companies are looking to formalize how to manage positive risks to add business value. They are also taking a fresh look at risk appetite statements. Traditionally used as a means to communicate with employees, investors and regulators, risk appetite statements are starting to be used more dynamically, replacing "check the box" compliance exercises with a more nuanced approach to risk scenarios. The caveat? A poorly worded risk appetite statement could hem in a company or be misinterpreted by regulators as condoning unacceptable risks. Finally, while it's tough to make predictions -- especially about the future, as the adage goes -- tools for measuring and mitigating risks are getting better. Among the improvements? Internal and external sensing tools that detect trending and emerging risks.

Which of the following is the primary function of an operations manager?

The Operations Manager role is mainly to implement the right processes and practices across the organization. The specific duties of an Operations Manager include formulating strategy, improving performance, procuring material and resources and securing compliance.
Is where the main activities are more focused on providing services rather than producing goods?

The United States currently has a service economy, where the primary economic activities revolve around providing a service rather than manufacturing goods. This focus on the provision of services is the core characteristic of a service economy.
Which of the following is/are true about the impact of variability on managing processes?

Process variability can lead to product delays and shortages, which can lead to a damaged company reputation. Variability in processes can make planning and managing the process more challenging.
Do operations, marketing and finance function independently of each other in most organizations?

Operations, marketing, and finance function independently of each other in most organizations. Goods-producing organizations are not involved in service activities. Traditional strategies of business organizations have tended to emphasize cost minimization or product differentiation.