Our business environment is constantly changing—technologies improve, regulations are modified, competition increases, and demand evolves. Effective risk management grants an ability to adapt to these changes.
Recent headline events, including the Volkswagen emissions deception, the Wells Fargo scandal, and the penalty paid by Dwolla to the Consumer Financial Protection Bureau (CFPB), illuminate powerful motivators for strong risk management programs. Key to a robust program is preventing stressful, and possibly catastrophic, surprises.
When Plains All American Pipeline failed to detect corrosion in its pipeline, for example, the result was a 3,000-barrel oil spill and millions of dollars in fines. The corrosion had gone undetected because the company did not allocate sufficient inspection resources and did not maintain proper procedures and systems for preventing problems from escalating into emergencies. Risk management best practices, however, could have standardized these procedures throughout the organization and prevented the disaster from occurring.
Complying with regulators like the SEC and CFPB
Dwolla, a small, private e-commerce and online payment company, was found by the CFPB to be guilty of risk management negligence for inadequate data security practices. The catch is that Dwolla did not suffer a data breach and none of its customers were compromised. The CFPB fined Dwolla $100,000 as part of its increased focus on companies’ existing prevention strategies. Regulators are no longer simply pursuing organizations that have suffered risk management incidents; organizations need to take proactive approaches rather than simply hope to get by.
Improving productivity and encouraging innovation
An independent, peer-reviewed report, “The Valuation Implications of Enterprise Risk Management Maturity,” published in The Journal of Risk and Insurance, proved that organizations with mature ERM programs (as defined by the RIMS Risk Maturity Model) can achieve a 25% firm valuation premium over those without. Risk management does not have to be a burdensome addition to daily responsibilities—and if it is executed properly, it won’t. It simplifies daily operations by increasing transparency and allowing more resources to be devoted to value-add activities, like product development and customer services.
Checklist for evaluating your risk management efforts
A better question than “does my organization perform risk management?” is “how effectively does my organization identify and mitigate risks?” The following checklist outlines characteristics common to effective risk management programs. Your organization should prioritize development in these areas.
- Effective risk management governance

  Boards, through their risk oversight role, are accountable for a risk’s material impact, whether the cause is at the executive level or on the front lines. The SEC considers “not knowing about a material risk” negligence, which carries the same penalties as fraud.

  - The board must monitor the effectiveness of the organization’s risk management process, ensuring it reaches all levels and business areas.
  - Internal auditors must independently confirm the board is informed on all material risks.
  - All material risks must be disclosed to shareholders, along with evidence that they are effectively mitigated.

- Performance management and goal management

  - Divide corporate objectives into business-unit contributions.
  - Identify business processes contributing to a goal within each business unit.
  - Cascade goals to all front-line managers within contributing processes.
  - Aggregate goal assessments and determine links between contributing business processes.

- Consistent risk identification and prioritization

  Risk assessments must address more than high-level concerns. Effective assessments drill into risk events, uncovering the root cause, or the problem “driving” the risk. Repeatable risk assessments are based on common numerical scales and scoring criteria across departments.

- Actionable risk tolerances

  Risk appetite is a high-level statement that serves as a guide for strategic decisions. In order to be actionable, it should be accompanied by its quantitative cousin, risk tolerance. Risk tolerance is an effective monitoring technique for key performance goals and risk metrics.

- Centralized risk monitoring and control activities

  Risk managers need to do more than design processes to identify risks and appropriate responses. A critical third component—monitoring—is the verification of a control’s effectiveness over the risk. A few key things to keep in mind to make monitoring effective:

  - Adjust risk assessments over time (spend less time on risks with decreasing indexes).
  - Reduce testing by identifying areas that can share controls (increase organizational efficiency).
  - Link risks and activities to determine which processes need to be monitored (prioritize activities/initiatives).
  - Monitor business metrics (discover concerning trends before they affect the organization).

- Forward-looking risk and goal reporting and communication

  In order to continue funding their organizations’ risk management programs, boards need evidence that those programs are working. Risk managers should ask two basic questions before reporting to the board:

  - How might identified risks affect the board’s strategic objectives and key concerns?
  - Which metrics or trends most validate the program’s effectiveness?
These items are just a starting point for an analysis of your organization’s program. For a more in-depth blueprint and “state of ERM” report, take the RIMS Risk Maturity Model (RMM), a free best-practice assessment tool that scores risk management programs and generates an immediate report of your organization’s risk maturity.