Break Down Barriers to Enterprise Risk Management
According to legend, when asked why he chose to build automobiles, Henry Ford responded, “If I had asked people what they wanted, they would have said faster horses.”
While this possibly apocryphal story is often used to negate consumer opinion and market research, it can serve another purpose: reminding executives that the conventional way of doing something is not always the best way to provide continuous value for an enterprise and its customers. In other words, one needs to imagine what things could be like if they were different, and how they could be better – including when it comes to managing operational risk within the enterprise.
A recent report from the American Institute of Certified Public Accountants’ (AICPA) Management Accounting – Business, Industry, and Government Team surveyed business leaders about their current enterprise-wide risk management efforts. While the report revealed many insights, one of the most telling was that organizations see multiple barriers to enhanced risk oversight: competing priorities, lack of sufficient resources, lack of perceived value, perception that enterprise risk management adds bureaucracy, and lack of board or senior leadership buy-in.
Each one of these barriers may be real – or only imagined – but there’s one string connecting them all: They can all be overcome by changing the way an enterprise thinks about risk management.
A New Mindset
A business has one main objective: to fulfill its customers’ needs by providing products and services while turning a profit. With this as an enterprise’s lodestar, therefore, it is surprising to think that an organization would not be more focused on enhancing its risk management strategies – as not being properly set up to manage risk events can deeply impact a company’s ability to fulfill this main objective.
Overcoming barriers requires integrating enhanced risk management needs within an organization at the operational or enterprise level. The legacy mindset is that it belongs to a single department (risk, finance, insurance, etc.), but in fact, that is an outdated way of thinking.
When risk management is viewed as an enterprise-wide process, it focuses the entire organization on heading off disruptive events while ensuring the company stays on track toward its ultimate business goals. With this mindset, many of the barriers can be overcome: By understanding that risk management is woven into the fabric of the main objective, its value is realized, and it becomes a high priority for everyone, including senior leadership – thus ensuring resources are allocated toward it.
There are several actionable steps an enterprise can take toward calibrating its approach and removing some of the barriers preventing enhanced risk management strategies.
5 Steps to Enhancing Risk Management Programs
- Know your company’s business. Understand what the business plan is, what your company is trying to accomplish, how it is measuring success, and what metrics matter.
- Gather and organize the facts – and then analyze them. Put the pieces of the puzzle together and look for meaningful insights into and nuances of how the business operates, as well as where the risks are. Building an information foundation will show any strategic holes as well as opportunities, and allow the enterprise to tie risk management goals and objectives to the business plan to ensure they are strategically aligned.
- Assign responsibility. Formal assignment of risk management to a qualified senior-level manager who can be provided with appropriate funding is an important success factor, as this executive can project-manage, own the program, and monitor progress to goals.
- Build a business case. Related to the last point, however, is that one person can’t win on their own. Everyone needs to buy into the need to allocate resources to and prioritize risk management. When everyone in the organization can understand how a program will support the company’s objectives and fulfill its mission, risk management becomes a valuable factor in a business transaction that will help the organization increase its brand value and revenues.
- Lean on technology. One section of the AICPA report asked respondents whose organizations had not yet implemented an enterprise-wide process why they hadn’t done so. More than half believed, “risks are monitored in other ways.”
Now, this may be true – but how successful are these ways? Do they really give you a handle on all of the risks and controls in place? Are they integrated throughout the organization? Are you spending a lot of time with your current processes, but yielding only minimal value? Are you using outdated data management programs, or spreadsheet and word processing software that need to be updated manually? Is the data from your current process producing defendable, actionable business decisions?
This is where technology becomes critical to enhancing risk management. Applying automation to the process improves workflow efficiency while making everything more accurate, by basing the risk management ecosystem on real-time data and eliminating the human element. Additionally, it gives executives everything they need at their fingertips to make better business decisions, using tools like heat mapping and graphs.
The best technology will allow you to capture structured data instead of creating traditional plan documents. Think of that structured data as an information foundation that shows how everything works and interrelates. Being able to capture your planning information in a database allows you to know who is responsible for every piece of information, as well as what information is missing – and this ownership keeps people engaged.
With a data-driven system, you can leverage tools that help you formulate the right response to an unfolding situation, with the ability to take only the parts of each plan that directly apply, and create a targeted action plan in minutes.
Static, document-based plans just can’t keep up when you realize how different each situation will be. The fact is, those binders often wind up being set aside when incidents occur, but that is not the case when you have an information foundation and the right tools to put you in command and control. Managing data over documents allows you to provide clear metrics on where your risks are, so you can prioritize where to focus – giving an executive team confidence that the risk management program is a center of excellence in the company.
One of the perceived barriers in the report is that robust risk management strategies will add levels of bureaucracy no one wants to deal with – and they can if they are done in an outdated fashion. But when you can leverage technology that enables you to become more effective, efficient, and economical, the value of what you’re providing to your internal constituency goes through the roof. And when value goes up, bureaucracy goes down – adding even more value.
Reimagining the Possibilities
While organizations have been progressing toward identifying, assessing, and managing key risks, there are still barriers, both actual and perceived. Yet for a risk management program to be successful means reimagining what it means to manage risk and looking to new possibilities, then tying the program to business objectives.
Realizing the intense importance of risk management requires a change of mindset and company culture. This is only the first step of several strategies, but without it, it becomes very difficult (or even impossible) to overcome the other barriers.
No one is saying it’s easy to think differently – Henry Ford would certainly agree with that – but risk management is ultimately what protects a company’s ability to fulfill its purpose, and that’s a great reason to change your mind.