by Doug Farmer, Troy Snyder and Jack Kristan
Plante Moran is an IMA member certified public accounting and business advisory firm…
When we speak to organizations about risk, the response is predictable: vigorous head-nodding and comments from company leaders who acknowledge the need to better manage their organizations’ risk going forward. “We know,” they say, “we’re on it.”
It’s quiet for a while — three months, six months, maybe even a year — but then, we receive the panicked phone call. Catastrophe has struck. Perhaps a major operational or governance issue was caught by an important customer or an auditor, maybe there was an unwitting violation of a debt covenant with a lender or investor, or maybe there was an embarrassing data breach.
The actual event is irrelevant; the point is that a real threat has occurred that could cause (or may have already caused) a decline in profits, value, or reputation — all because the organization didn’t fully understand its risks and, as a result, lacked the appropriate controls and mitigating strategies.
Is your organization making itself vulnerable? Ask yourself these five questions.
1. Do you treat risk reactively rather than proactively?
“What are the odds?” “It probably won’t happen to us.” Sound familiar? Too often, management teams are overconfident in their knowledge of what’s going on in the organization, or they over-rely on annual financial audit results, and they don’t realistically assess the chance that a risk event will occur.
Rather than invest resources now, companies roll the dice. And, they may be fine — temporarily. But, eventually something will happen, and the first question stakeholders, and often regulators, ask is, “Where was management?” In these situations, it’s not uncommon to see major turmoil and repeated turnover in top positions in a short period of time. Not only does it create problems for the organization and its stakeholders; it impacts many individuals personally, too.
2. Are risk awareness and risk management aligned with your organizational strategy?
The strategic planning process is myopic at many organizations: top-down, numbers-driven, and lacking an appropriate level of risk awareness. (Hint: If leadership isn’t continuously asking, “What types of things can get in the way of the organization meeting its targets?” the answer is likely no.)
Unfortunately, we observe a real lack of understanding about potential exposures. When organizations do think about risk, they tend to focus on creating what they believe is a once-and-done plan and toss it over the fence to the rest of the organization, or they may over-rely on insurance coverage to absorb losses.
But department heads aren’t likely thinking a whole lot about risk. For example, your manufacturing and distribution team might be planning to expand into China, assuming (falsely) that since you plan to sell the same products using the same strategies that worked at home, it should happen like clockwork. But the capital investment is different, as are safety requirements, regulations, and labor laws. Organizations face many risks they don’t take adequate time to consider when creating what, in hindsight, often looks like a utopian international strategy.
3. Does your organization treat risk management as a discrete event rather than a continuous process?
As we talk to executives and managers, we often hear comments like, “We talked about risk management, so we’re good,” as if it’s a box to check. Or, “We had a risk assessment done last year — it’s in that binder on the shelf.”
Clearly, for these organizations, risk management isn’t interwoven into how leadership thinks. Such comments also reflect a lack of understanding about the different types of risk (compliance, strategic, operational, preventable, treatable, inherent, to name only a few). As a result, these organizations don’t, and can’t, have effective, ongoing risk monitoring. They tend to focus more on the now than on the future: “Nothing happened, so we’re okay,” rather than, “The winds of change are in the air, as they always are. What does that mean going forward?”
4. Does your organization focus more on internal rather than external risks?
With so much uncertainty in the world (unstable governments, volatility in markets, a lot of arguing and murkiness about the direction of regulations and compliance), it’s easy to focus on the things you can control. But if, for example, you’re a manufacturer with a global reach that was doing business in Ukraine three years ago and you weren’t keeping close tabs on the political climate, the Russian takeover of the Crimean Peninsula may have put your operations at risk.
Or, if you’re a healthcare provider or a business partner of a healthcare organization, underestimating cyberattacks could put the entire business at risk, not just organizational data, as many executives commonly perceive. These attacks are very real, and they increase the risk of ransomware; leakage of PHI (protected health information) and PII (personally identifiable information); privacy and security breaches; and business disruption. Note that a breach at a business partner who handles your data exposes you just as much as one inside your own walls. It’s important to look at your external risk environment, including your business partners, just as carefully as your internal environment in order to accurately assess and mitigate those risks and minimize their impact.
5. Who owns risk management?
Without clear ownership and accountability for risk management, everyone in the organization assumes someone else is taking care of it. Culturally, it must be embedded across department managers and division vice presidents; it should have distinct practices and processes within the organization, and an individual, such as an ERM (enterprise risk management) specialist, or a group, to give it meaning and keep it front and center for the organization. What you don’t want to hear is, “Oh, that belongs to internal audit” or “That’s risk management’s area.”
That said, having someone own risk management and making sure that someone is the right person are two distinct needs. Your risk management specialist must understand organizational risks, have the right technical and communication skills and, most importantly, have the capabilities and organizational authority to reconcile risk management processes with overall strategy.