Opinion | Having Lots of Risk Management Resources Isn’t as Important as Using Those Resources Wisely
When it comes to a risk management program, what dictates the level of effort and resources?
Smaller organizations are weary of my answer: Size does not matter.
When we think of house construction, how many studs do you need to support the walls of the structure? Let’s hope enough are installed so they can support the purpose, design complexity, instability and total weight of your house for a long period of time as it stands in its unique environment. You may have a small house with a tiny footprint, but it is intended to hold very heavy and dangerous items.
So again, size does not matter. With too few studs, you will eventually see damaging results.
Risk management is about the long haul. For your organization’s strategy and goals to remain whole and relevant, you need risk management eyes on it continually, recalibrating efforts perpetually. How well your organization manages and survives risks will dictate at the outset the effort you ought to be putting into your risk program.
Resources for risk management should be directly proportional to how steadily you are managing and hedging risks on a routine basis and to the planned future direction of the organization.
In good and steady times, too often risk management is seen as tedious, too resource intensive, and a waste of time. Often management will see the risk program as “over-engineered.”
Risk management’s scarce resources get eliminated — ripping out studs, one-by-one, from the organizational walls.
Often, what is regarded as an overengineered risk management program is, as I see it, one that is engineered badly, with precious efforts squandered and not put to their best use. I always advise avoiding energy-sucking practices in risk management programs and adopting resource-optimizing ones.
Assign clear accountability for risk management.
Creating a strong, sustainable risk culture is a team sport. Risk management involves many stakeholders and resources outside the risk team. It is vital to utilize them properly.
Hash out responsibility of risk owners, overseers and assurers.
Make crystal clear who owns the risk and who owns the control and its price tag.
Give advance warning as to whose report will flash red if things go south.
Focus on material risks.
Though it is tempting and reassuring to track everything, not everything needs to be reported.
Nothing is worse than losing your champions with thicker and thicker risk reports and decks where it is difficult to find the risks that actually keep them up at night. Reports should be structured around “material risks.”
Highlight net-new information on old and new risks.
Work with processes already in place in the organization.
Leverage existing, even broken, processes instead of designing new practices from scratch.
Find other assessment exercises and coordinate with them.
For example, consider using a routine audit to help with risk treatment assessments rather than using your scarce resources. Programs that are built autonomously tend to never be aligned with the business.
I have always said: “Dance to the rhythm of the organization.” Every organization has a routine, a cadence and rhythm. Best to dance to that music. Otherwise, the cheese will stand alone while the rest of the organization dances around the risk management program.