The magnificent 7 – Aspects to consider when setting up a risk management program
So you were put in charge of finally building that risk management implementation. Congratulations!
If you don’t feel comfortable about how and where to start, you’re not alone. Everyone who’s ever had the chance of implementing their first ‘from scratch’ approach has been on this daunting but nevertheless exciting journey.
In this article we highlight seven aspects that you might want to consider in order to turn your risk program into a success.
1. Make it value-adding
Many risk management implementations were set up because of external pressure, and the external reasons can be many. Regulatory requirements or industry standards often require companies to have risk management in place. Even customers may ask your company to prove that adequate risk management is in place before they choose it as a supplier. Don’t focus only on the external requests. It is important to fulfill those needs, but to make risk management successful it has to add value for the company and the individuals involved. If it ends up as just a compliance exercise, it will not be a success.
2. Think like a CEO
Good risk managers think like CEOs. Translated into identification and reporting of risks, this means starting and ending with objectives. Without knowing what your senior management aims to achieve, focused risk management is not possible. The reason is simple: Risk management is decision management.
Ultimately, senior management wants to know if they can invest in opportunities or if they have to focus on “stay in business” actions. Whether you report directly to the CEO or to unit management, if your risks are not in line with these concepts, your risk program is of little use to them. It is often hard enough to convince them of your added value, but if you don’t follow their lines of thinking, they will quickly lose interest and your ambitious program turns into a compliance exercise.
This is also valid for reporting. As important as it is to track actions and controls, your senior management is not interested in how many actions missed their due date. Tell them about what they are actually interested in. If escalation is required, take care of it operationally.
3. Create awareness
If you want to implement risk management successfully, you first have to create the awareness and get the buy-in from your stakeholders. That is the essence of the often discussed risk culture. Obviously, having senior management on board is of particular importance, but do not forget your peers and people in operations. They have tremendous knowledge about how the company operates and they can feed your risk framework with valuable input. You do not want them to feel they’ve wasted their time on providing input for just another management report. Draw a stakeholder benefit map for all the roles involved. Identify and lay out the approach and the benefits to each of them. It is worth it.
4. Don’t copy someone else’s work
Especially when setting up the risk management program without having previous experience, it is tempting to copy existing catalogues of risks. Our simple advice: Don’t do that!
It is okay to get ideas and look at examples of how others have defined and phrased risks. But assessing their risks or other generic risks against your organization is not effective.
So what to do instead? As stated in the section “Think like a CEO,” the best way to develop your risk landscape is to discover the objectives and risks of your organization. Then identify the underlying risks by understanding, for example, the essential people, processes and technologies that could have a negative effect on your objectives. Drill this down further across your organization and supply chain until you are comfortable that you have a good picture of your risk landscape.
The above describes the integrated risk management approach. It is the most mature and most effective way of managing risks. Realistically, there are a couple of challenges to overcome and it takes more than just the buy-in from your stakeholders to achieve this. When you are just about to start your program, don’t try to get there too quickly. But, particularly in larger organizations, make sure that for all identified risks the risk owner also identifies the potential upward impact beyond their remit. If another process or unit is affected, make sure you follow through. You will be surprised how many times the impact assessment is inaccurate. The same applies to likelihood in the other direction.
5. Don’t waste your time on policies
It is important to define a risk management process with roles and responsibilities and to train the organization accordingly. For good governance, it should align with a risk management policy. We strongly recommend that you do that! But make it practical. Don’t waste your time on defining aspects like risk appetite and tolerance. Apart from the fact that stakeholders have different ideas of what risk appetite and tolerance are, as soon as your well-defined appetite statement hits reality, you will most probably realize that in many cases it is not applicable or useful. You can make better use of your time.
6. Use software
There are many recurring tasks and workflows in operational risk management. Particularly if you are the only risk manager or work in a small team, you might want to look for software that supports you in your endeavor. Most solutions support automated workflows, task scheduling, tracking and report generation, components of the daily work that can otherwise be very time-consuming. Storing information in a centralized place also helps to avoid the inconsistencies that you easily face with Excel.
The better risk and compliance solutions will also help you with the challenges of managing risk across units and the supply chain to achieve better collaboration and insights across the organization.
7. Start small, think big
Let’s face it. Your newly introduced risk management program will not yet be comprehensive. To get the organization used to it, you will want to introduce it in phases. Nevertheless, identify how risk management can help your organization, define what you want to achieve and make plans for how you can get there. Value-adding risk management helps stakeholders on all levels to make more informed decisions.