
Anybody can have effective risk management

In my last post, I outlined (at a very high level, with no detail) what I considered effective risk management entailed:

  1. When setting objectives, goals, and strategies, consider the things that might happen (both positive, opportunities, and negative, risks) and set achievable (if a bit of a stretch) objectives that will achieve the purpose of the organization over time.
  2. For each objective, identify what might happen that could have a significant effect on achieving it, both risks and opportunities >> Assess the likelihood of achieving each objective >> If that is not acceptable, consider the options, which can include modifying one or more risks (changing their range(s) of effects and likelihoods, taking more, or taking less), modifying opportunities, or both >> Select an option >> Execute >> Monitor performance and changes to either risks or opportunities, and continuously assess the likelihood of achieving objectives >> Adjust as needed, including changing objectives where appropriate!
  3. Identify the need for a decision, which can be a problem or an opportunity, or something different >> Understand the current situation and whether action is needed >> Understand the things that might happen (good and bad) >> Understand and assess the Options >> Make the right Business Decision to achieve objectives >> Execute >> Monitor >> Adjust as necessary.
  4. For those sources of risk that are of special concern (for any reason, such as those that can have a major impact on multiple objectives or those that are getting board or regulator attention), continuously monitor and assess, taking action as needed. These are risks that are of such individual significance that they merit special attention by top management and perhaps the board. (It is not a top-ten list!)

While most liked this, a few commented that this could only be achieved by an organization large enough to be in the Fortune 1000.

I disagree. In fact, I think it is easier for a small organization than a multi-billion dollar one!

Let’s consider each of those for the smallest organization, a one-person business (like mine), and then contrast that with a large corporation.

The first of the four prongs is:

When setting objectives, goals, and strategies, consider the things that might happen (both positive, opportunities, and negative, risks) and set achievable (if a bit of a stretch) objectives that will achieve the purpose of the organization over time.

You won’t see a formal set of objectives for me; they are in my mind rather than written down. But they include trying to be retired and work only on things that I will enjoy, keeping this blog up and interesting to readers, and more. I certainly consider all the things that might happen in setting my goals and objectives for each year, such as the possibility of speaking engagements (affected by the pandemic and the move to more virtual conferences and seminars), and the need to stay healthy.

It’s actually harder for a large corporation because it has so many more things to consider. A global company has to consider, for example, economic trends in every major market segment and geography, what its competitors are doing around the world, how each of its product lines is likely to do, and much more.

But, effective risk management requires setting the right objectives and strategies for achieving them. Frankly, I don’t believe many global organizations are doing it well. They also fail to cascade them down from the enterprise to each operating unit and department. (More can and perhaps should be written about that issue, which I discuss in my books.)

The second is:

For each objective, identify what might happen that could have a significant effect on achieving it, both risks and opportunities >> Assess the likelihood of achieving each objective >> If that is not acceptable, consider the options, which can include modifying one or more risks (changing their range(s) of effects and likelihoods, taking more, or taking less), modifying opportunities, or both >> Select an option >> Execute >> Monitor performance and changes to either risks or opportunities, and continuously assess the likelihood of achieving objectives >> Adjust as needed, including changing objectives where appropriate!

In my tiny business, I do that constantly and have tools (like a spreadsheet with all my travel and speaking commitments) to help me.

However, most global organizations fail to perform any top-down risk and performance assessment. Instead of taking each objective and identifying the more significant things that might happen to affect their achievement, they manage a list of risks. Enough said!

Third is:

Identify the need for a decision, which can be a problem or an opportunity, or something different >> Understand the current situation and whether action is needed >> Understand the things that might happen (good and bad) >> Understand and assess the Options >> Make the right Business Decision to achieve objectives >> Execute >> Monitor >> Adjust as necessary.

I am making decisions all the time, such as whether to write a blog post like this and what to write about. I have to decide whether to accept an invitation to a speaking or consulting opportunity, and what to charge.

In a large, global company, people at all levels are making decisions constantly. Surveys indicate that as many as 80% of decision-makers are not even aware of, let alone making good use of, the information available to them in making an informed decision. Instead they rely on their ‘experience’ (i.e., their gut feeling). I doubt that they are consulting the right people (those who can help with insight, or who may be affected by the decision), let alone following any disciplined process.

In a large company, decisions are being made in far-flung areas that can have a massive impact on the organization as a whole. Just take the Deepwater Horizon disaster, where decisions made by a third party led to a fire, a huge oil spill, and the resignation of the CEO.

Getting the right decisions made to ensure success is hard for a global corporation.

Finally, there is:

For those sources of risk that are of special concern (for any reason, such as those that can have a major impact on multiple objectives or those that are getting board or regulator attention), continuously monitor and assess, taking action as needed. These are risks that are of such individual significance that they merit special attention by top management and perhaps the board. (It is not a top-ten list!)

I have a few sources of risk that I monitor, such as the possibility that I don’t get paid for the work I do. (It was only a serious problem once, fortunately.) I also check to see that my blog posts are generating sufficient interest (I get statistics from WordPress).

Global organizations have innumerable sources of risk. They tend to do well with issues that get a lot of press attention, but in my experience often focus on too few (a top ten) or too many (long lists that diffuse rather than focus attention). They also miss issues like employee morale.

Overall, ERM is fairly easy for me in running my business. It’s harder for a large, global corporation.

But it’s doable, whether you are a tiny microorganism or a giant amoeba – or something in between.

Remember, enterprise risk management is something that is done by the full company, not just its risk function. Decision-makers (should) do most of the work, with the help of the CRO and their team.

That’s my opinion.

What is yours?
