How many times must we learn the same lesson before we do something different? The world is a scary scary place to do business. There are risks all over the place from unseen hackers to known competitors to weather to regulatory changes to employee theft. The lesson is that every organization must take a comprehensive, top to bottom, strategic approach to risk management involving everyone in the organization.
RSM US LLP’s Sudhir Kondisetty argued just this point forcefully and elegantly at the “Best Practices in Risk Management” workshop at the CEO Connection Mid-Market CEO Convention this year. He drove home the importance of a strategic approach to risk management. As he puts it, “Managing risk can only be successful it it’s in every phase of your systems, policies and processes.”
Three ideas: 1) Take a strategic approach to risk management; 2) Clarify roles; 3) Act appropriately depending upon the threat
1. Strategic Approach To Risk Management
Strategy is about the creation and allocation of resources to the right place in the right way at the right time over time. By definition, this means your strategies must be fluid. Every action has a reaction. Thus your actions change the world and render your strategies out of date instantly. This is why you must adopt an observe – assess – plan – act – observe cycle.
Observe, continually looking for risks across the Five Cs of Conditions, Customers, Competitors, Collaborators, Capabilities, The essential question is how you can best build and marshal your own and your collaborators’ capabilities to serve your customers better than can your competitors in the conditions you all face. Some of the most important risks include:
• Conditions: country, political/regulatory, social, environmental, financial
• Customer: demographic, psycho-graphic, brand, reputation
• Competitor: market
• Collaborator: systemic
• Capability: leadership, team, technology, resource
Pay attention to what’s going on, looking for changes in any of these factors or sub-factors. The questions to ask are “What’s different?” or “What’s changed?” Be comprehensive in identifying changes. Few people worry about small, white cigar shaped clouds on the horizon. No one who took place in the 1998 Sydney-Hobart yacht race will ever overlook one of those again as its appearance was the only early warning sign of the disastrous storm that hit on the second day of the race.
Assess the risk. Some small, white cigar-shaped clouds are just that, signifying nothing. Understand the risks and their implication. Are the risks major or minor, temporary or enduring.
Plan. That assessment informs your plans to act on the risks.
Act in accordance with your plans.
2. Clarify Roles
The board, CEO and operational group have different roles when it comes to risk management.
The Board is accountable for governance. It sets policies and must ensure the organization has the capabilities required for appropriate risk management. This may or may not include and Enterprise Risk Management system.
The CEO is accountable for execution. Hence the title Chief Executive Officer. They own the culture along with its biases, beliefs and filters and manages the observe – assess – plan – act cycle described above.
The Operations Group implements the plans. Beyond that, they must serve as the organization’s eyes and ears and drive continuous improvement.
3. Act Appropriately Depending Upon The Threat
Not all risks are created equal. The Gore company used to look at risks and threats using a water-line analogy. Something that damages things above the waterline would be a minor risk. Something that puts a hole in the board below the waterline and can sink the boat (or organization) is major.
- Minor change/temporary impact: Control the damage while staying focused on your priorities.
- Minor change/enduring impact: Factor into your ongoing organizational evolution.
- Major change/temporary impact. This is a crisis or opportunity that must be managed. Deploy the incident management and response plan that you already have in place. (And have it in place ahead of time.)
- Major change/enduring impact. Hit a restart button at this major point of inflection, re-look at your critical relationships, and change your strategy, organization and operations all together, all at the same time.