In this two-part blog, we’ll look at some tips for making the most of your enterprise risk management. (Read Part One here.)
Categorizing risks allows strategic thinkers to easily identify patterns and trends. However, strategy and risk management have too many interconnectivities and are too complex to rely on simple classification. Despite agreement with this premise, many organizations compartmentalize risk and then assign risk based on simple categories.
For example, organizations may categorize risks as supplier-related, technological, operational, external, etc. This focus on compliance-based categorization ignores inherent strategic and enterprise-wide risks that ERM is designed to address. It also fails to acknowledge that risks do not materialize in a vacuum. For example, a supplier-related risk and an IT risk materialize, and an information control is compromised in the supply-chain process. This in turn causes quality control issues, and now a quality risk has materialized. This quality risk can lead to an external risk if it affects customer perception of the product.
All of these risks decrease progress towards a strategic objective. This slippery slope is hard to stop, and because risks have been assigned to functional area leads (based on their category), operational leads may be inclined to blame rather than collaborate to mitigate problems. If the IT team is concerned only with mitigating information risks and the quality team is focused on supplier quality, neither team has been encouraged to work together in addressing the impact an IT risk triggers, which then cascades down and across the organization.
To address this issue, there are two steps an organization can take. One is to rethink how risks are categorized and the other is to assign risk mitigation to the level where strategy is operationalized. Relabeling risks based on broader, strategy-based dimensions may promote a more collaborative view of risk mitigation. A 2012 Harvard Business Review article written by Robert Kaplan and Anette Mikes recommends classifying risks as preventable (risks with no strategic benefit such as fraud or failures); strategic (risks accepted in achieving objectives such as researching new product offerings); or external (uncontrollable risks from the environment like macroeconomic trends).
Expanding on Kaplan and Mikes’ framework for risk classification, risks can be and often are interconnected between the three dimensions. External risks place pressure on strategic risks, which influence potential realization of preventable risks. This may also work from the bottom up: A preventable risk may inhibit strategic objectives, influencing the strategic risk level, and in turn, external risks are affected as was the case in the supply chain example. During the risk assessment, data collected should identify other associated, second-order risks and potentially affected strategic objectives if the risk materializes. Once those risk relationships are identified, the next step is assignment and monitoring.
The assignment of risk monitoring and mitigation is an indication of the priority organizations give to risk management. Strategic objectives should be assigned to a level where decision making can most affect the direction of operations towards achieving strategic objectives. This allows policies and tactics to be approved and implemented effectively. Risk mitigation should be assigned at the same level. Assigning risk management responsibilities to strategic decision makers aligns strategy and risk management. With the authority to make tradeoff decisions between the occurrence of a risk event and its related strategic objective, the decision maker can decide which response would most likely be adhered to. Assigning mitigation to a lower, more tactical level increases the probability that risk management will compete with strategy and can lead to confusion across operations.
Risk monitoring should be a part of an organization’s internal strategic reporting to ensure risks are monitored alongside strategy. These metrics can be embedded in the areas that track success towards accomplishing objectives, so separate reporting areas are often not required. For example, a government IT division responsible for maintaining communication systems can integrate metrics to track vulnerabilities to core communication systems. Another example would be a scorecard that tracks attempted breaches to a customer-facing support solution. Many metrics already inherently incorporate different types of risk control measures. These types of metrics should be highlighted at the decision-maker level; the risk details can be tracked separately, but the key is to keep risk management closely aligned with strategy through reporting.
Enterprise risk management should not be considered an additional process to be completed by leadership. It is a process enveloped in the development of strategy. Every strategic decision should consider the uncontrollable factors that might affect those decisions, the uncertain factors resulting from the decisions, and the capabilities required to enact them. This is what risk management is truly about. Continuing to treat risk management as a separate process limits the full evaluation of strategy, leading to inadequate strategy development and a risk-nescient plan. Choosing to keep the strategy and risk management processes separate, with separate responsibility for strategy execution and risk management, reduces an organization’s ability to respond quickly and effectively when risks materialize. Keeping the processes separate also increases time spent on duplicative efforts and can create competing objectives. Leaders should evaluate how risk management is developed in their organizations and look for ways to integrate it into the strategic development cycle wherever it does not exist.