Risk management is the crux of sound decision-making; it provides organizations with the context necessary to act strategically. Not all obstacles are apparent from the start, but if we let them fester, things can take a turn for the worse in the blink of an eye. This is exactly what risk management attempts to solve; by identifying potential problems before they become problems, we can prevent them from ever rearing their ugly heads.
One of the best-known examples of risk management, or more accurately, the lack thereof, is the 2008 financial crisis. The first mark of the catastrophe that devastated the U.S. housing market was mass loan defaults. The possibility that borrowers would not repay loans presented financial institutions with a credit risk, but unfortunately, they didn’t adequately account for that risk until it was too late.
The credit risk swiftly gave rise to a liquidity risk; widespread panic drove hordes of citizens to pull cash from their banks, and lenders didn’t want to give funds when they couldn’t guarantee repayment. The financial institutions involved in the housing crisis then faced the repercussions of unmanaged reputation risks, which they are still recovering from to this day.
It’s impossible to prevent risks entirely, but this chain reaction of disasters highlights the need to be proactive and unified in our risk management procedures. Had these institutions known the interconnectedness of their risks, they may have been able to predict how one could trigger another and stop things from snowballing out of control.
Risk and Risk Management: An Overview
Risks are areas of uncertainty that could impact an organization’s ability to meet its goals, particularly financial goals. Though risk tends to have a negative connotation, not all risks are bad; positive risks, though handled the same as negative ones, are the uncertainties with the potential to help an organization, such as the implementation of time-saving technology or a policy change that benefits the company.
Risk Management is the process of identifying, analyzing, and handling these potential threats and opportunities. Regardless of whether the risk is positive or negative, following proper risk management procedures is crucial – especially now. With progress comes change, and with change comes new and unforeseen risks. Innovations in technology, the relatively new practice of cybersecurity, the rise of social media, political and environmental volatility, and increased globalization are rapidly changing the business landscape. While risk is an inherent part of growth, we need to navigate these uncharted waters carefully to avoid the possible pitfalls.
Why Unify Risk Management Procedures
Traditionally, risks in one department were viewed as separate from risks in another, but that structure isn’t equipped for the modern world; the evolving business environment isn’t just adding new risks, it’s complicating existing ones.
Nearly every area-specific risk to an organization has the potential to impact the company as a whole, not just that one department. A manufacturing risk that results in delayed production could impact both sales and reputation (likely many more areas as well). If you only look at risks through the narrow lens of the department they directly involve, you could miss how one risk could trigger an onslaught of others.
The goal of risk management procedures is to identify, prioritize, protect against and make well-informed decisions around risks. This poses yet another problem with siloed risk management: it’s nearly impossible to make decisions at a business-wide level when you have only bits and pieces of the necessary information. By balancing area-specific risk activities with a standard approach in each stage of your risk management procedures, you can get a far more holistic view of the forces at play.
The first step of risk management is to identify risks. At this stage of risk management, the main goal is to document and describe potential threats that could prevent an organization from meeting its objectives. A company should be cautious about identifying risks with a siloed approach. Silos can turn into little communities, each with their own culture and terminology. While this isn’t an issue in and of itself, it can prevent a company from having a common language around their risk management procedures. Most organizations are composed of people from many different backgrounds, so a common language everyone can understand is key to effective communication.
The next step is risk analysis, which involves determining the likelihood and possible consequences of each risk. When working in a silo, people tend to see only what impacts their specific community, making it harder to get an overall understanding of the risks and how they interact. Silos also tend to hinder the exchange of information between segments of a company, which could lead to gaps in the analysis of risks. These gaps could have multiple departments solving the same risk in different ways, or worse, each silo could believe a risk is being handled elsewhere – leaving that risk woefully unmanaged.
The third step in risk management is to evaluate, or prioritize, the risks at hand. This involves looking at the likelihood and consequences discovered in the analysis phase, which will typically be the basis of how you rank the risks. Since a business may not have the resources to deal with each and every risk they find, accurately determining the hierarchy of importance is crucial. To make good decisions around risk prioritization, you need to know all of the possible risks and their consequences. The siloed approach doesn’t take into account the impacts and added complexity of risks interacting; prioritizing department by department means you may make the best decision for one specific area, but not for the company as a whole.
Once you know the risks and have prioritized them appropriately, you can work towards strategically treating them. One method of risk treatment, perhaps the easiest to employ, is acceptance. In terms of risk management, acceptance means opting to take the risk. For example, when choosing to open a new branch, you accept the risks of losing your investment if the branch does not succeed.
Risk avoidance is a treatment method where you lessen the activities that cause the risk. An example of this would be if a company produced a line of paint products and found one of them to be toxic. To avoid this risk, the company may decide to simply stop producing the toxic product. Following the same example, if the company chooses risk reduction instead, they could require legal identification to buy the toxic product and include a large disclaimer on the packaging.
The final treatment option, transference, occurs when you pass the risk to another party. A company could do this through insurance policies, contracts, or outsourcing certain business activities. If you’ve ever been skydiving, you probably had to sign a waiver saying you won’t sue in the case of death or dismemberment – which was the company’s way of transferring their liability risk to you, the consumer.
Silos can end up wasting a large amount of resources in the treatment of risks. Duplication of risk mitigation efforts is common when multiple departments are independently treating risks, meaning the company could end up spending far more than it needs to. Another issue with silos is that they lead to uncoordinated risk treatment. The impacts of this could be relatively minor; for instance, mitigating each risk separately when multiple risks could have been solved with one treatment plan. Unfortunately, the impacts could also be immense. The treatment for one risk could counteract the treatment of another, or form a new, unforeseen risk in different areas.
The Upside to Area-Specific Risk Management Procedures
Like all things in life, the best approach to risk management isn’t black and white. Under the right circumstances, work silos can actually be an asset to a company. Silos, despite their flaws, allow departments to specialize in the risks relevant to them. The accounting department likely has a much deeper understanding of the financial risks than those who work in marketing, and accordingly, the marketing department likely knows more about the reputation risks.
The key is finding the right balance. Silos know their area-specific risks best, but in order to make well-informed decisions for the company as a whole, you need risk management procedures that provide a common language, a complete view of the risks, and a standardized approach to treatment.
Finding the Balance with ComplianceBridge
Every decision a business makes, every policy a government passes and every change in the business landscape has the potential to impact a company’s risks – and tracking all of these factors would be a full-time job on its own. Luckily, we can transfer this burden to risk management software.
TotalCompliance Risk takes into account every piece of the puzzle. Risk managers and compliance officers can use this software to build customized assessments and get the full picture of their organization’s risks. You shouldn’t have to choose between a siloed approach and a unified approach – and our software won’t make you. Managers can assign sections of the assessment to subject-matter experts, allowing them to reap the benefits of both area-specific expertise and standardization.
Not all risks are of equal significance, so managers can weigh assessment questions to accurately reflect the company’s priorities. Once the assessment is complete, clients can track their results on the company dashboard, equipped with real-time updates so risk managers can share reports as soon as they come in.
We can’t remove threats from the business landscape, but TotalCompliance Risk provides all the tools you need to navigate them effectively. If you’re thinking of revamping your company’s risk management procedures, give us a call! We look forward to setting your business up for success.