Risk Is Not a Quarterly Exercise; It Should Be a Way of Life


The International Organization for Standardization (ISO) recently released a new risk management standard: ISO 31000. It prompted me to think about what really matters — what makes an organization effective in managing risk.

The only way risk management has value is if it affects the way you do business. It must influence decisions and actions; otherwise, it is no more than decoration. Risk management should not be a "check-the-box" activity. Used well, it can help an organization achieve and sustain optimal long-term performance.

To be effective in managing risks, an organization needs not only to understand and assess its risks but also to have a culture that embraces the active consideration of risk in:

  • Establishing the (short and long-term) strategy, organizational goals, and objectives.
  • Developing, executing, and monitoring its execution of strategy and achievement of goals and objectives.
  • Everyday decisions.

I have seen too many organizations focus on identifying and assessing risks every quarter, maybe even talking in terms of a high-level risk response (e.g., accept the risk or hedge it using currency swaps) at the expense of actually managing the risks day-to-day.

Let’s take a mundane example: my commute to work. One approach is to perform a quarterly assessment of the risks: a) that I will be in an accident, or b) be delayed and miss important meetings. Since I am assigned to SAP’s Palo Alto, Calif., office, which is about 18 miles and 25-30 minutes away (by freeway), to a certain extent I must accept the risk. I believe the risk of accidents to be low, and my response is to train myself to drive carefully. The risk of traffic delays is higher, especially if I leave during the morning rush hour, so my response is to schedule meetings for later in the day.

I assess these [residual] risks, compare them to my risk tolerance, and am satisfied. But should I be?

The other approach is to embed risk in my daily decisions. Each day, I review the next day’s schedule and plan ahead. If I have an early morning meeting, I will decide to leave home very early to avoid most of the traffic. (I will also check to confirm that I have to be in the office, in case I can reduce my risks by calling in). I also check the weather forecast and take that into consideration. When I wake up, I again check the weather to see if I need to leave earlier (for example, if there is rain I should expect driving times to be longer). As I am driving, I am making more risk decisions. If the freeway is clogged up with traffic, I may elect to take side streets — taking into account the risk they are also slow due to increased traffic. I am certainly making a number of accident risk decisions as I drive. For example, I will stay further behind the car in front of me when it is raining.

It’s not enough for me to understand risks in my daily decisions; I need to actively manage them. Do you and your management team embed risk into your daily activities and decisions — and manage those risks constantly? Do you:

  • Consider risks in setting strategy — and assign responsibilities and tasks for minimizing the likelihood and adverse effects of those risks?
  • Include risk mitigation activities in project plans, etc.?
  • Consider the risks to achieving your objectives every time you make a hiring or purchasing decision — and identify what you can do to manage the risks?
  • Continue to manage risks by taking actions every day?
  • Monitor risks, so that you are not surprised? Or do you wait until the official risk assessment time?

Is your risk management program a quarterly exercise or a way of life in the business?


 

 
