Large companies are under greater pressure than ever before to manage risk and protect their assets. Investors, shareholders, and regulators alike drive implementation of enterprise risk management programs, but those programs are not always effective. Let’s look at some of the most common mistakes made in addressing risk in larger companies and how they can be addressed.
LACK OF FOCUS OR PURPOSE
Because of the demand for risk management from company stakeholders and regulators, many large companies start an ERM plan for the wrong reasons. They want to be perceived as doing something, or they are addressing a specific concern or complaint.
Such programs often don’t work or are less effective than they might otherwise be, because there isn’t the kind of buy-in and vision needed at the organizational level to make real change. Good risk assessment and management need to be implemented with a clear vision of the future – both from a business goal perspective and from an enthusiasm perspective.
LACK OF LEADERSHIP
Leadership matters for every endeavor undertaken in an organization. Risk management is not the domain of a single department or director. There needs to be buy-in and support from every member of the organization, from entry-level analysts to C-level executives.
The activities undertaken and changes made by everyone in a company will be dictated by the philosophy and approach of the senior leadership. Without that direction, there may be overlap, gaps, or lack of adherence, undermining the entire process.
One of the most basic steps of a risk management program at the enterprise level is the assessment and categorization of risk events. Where is the company exposed during any given operation?
These identifications can become overcomplicated when trying to quantify the risk level. Trying to develop a finite, granular quantitative measurement for risk can create overly complex systems that are hard to work with. Your management team has extensive experience working with these risk factors and should be able to assign priority accordingly.
At the same time, some organizations put too many resources toward assessment, spending hours evaluating and scoring risks before doing anything to act on them. This can draw away valuable resources that would otherwise be used to impact the bottom line.
IT’S AN ONGOING PROCESS
Another major mistake is looking at enterprise risk management as a one-time repair for a static system. While finding the previously unseen problems and addressing them directly is an important first step that can vastly improve performance for your business, it shouldn’t stop there.
Ongoing oversight ensures that the factors you have the most control over go right when they should. An ever-evolving risk tolerance assessment evaluates the events that matter in the process. These steps never stop and should become part of standard operating procedure, all while you continuously evaluate new sources of risk that may not have been present during your initial evaluation.
Risk management is important for businesses of all sizes – from small businesses with a handful of employees to enterprise organizations with thousands of employees and multiple offices. How you handle it should be the same – a keen focus on how you want your business to operate and how individual events affect those operations.