The Freeman

Risk management: “What’s the point, again? Why are we doing this?”

- Henry J. Schumacher Schumacher@mca.ph

Risk management is challenging for corporations under the best of circumstances. It’s natural for exasperated executives to ask, “What’s the point, again? Why are we doing this?”

Today let’s explore some compelling reasons for investing time and energy in risk management. Why? Superior risk management allows a company to tolerate more risk. You can take more risks, and you can take bigger risks. That puts you at a competitive advantage relative to your peers.

The roots of this insight actually come from military strategy. Military theorists developed the understanding that success on the battlefield depends on your use of time. The more efficient you are (whether a fighter jet, a naval convoy, or an army squad) at observing your environment and responding to it, the more responsive you can be — which lets you position yourself to defeat your enemy.

That holds just as true in the business world. A company isn’t displaced by bigger competitors; it’s displaced by more nimble competitors able to respond to changing market conditions more quickly.

We can connect that idea back to risk management, too. Remember that “risk tolerance” is just another way of saying “acceptable variation from a performance goal.” Risk management is about pushing your company forward to its objectives while staying within those guardrails of acceptable variation from a stated goal.

So really, you want to design a risk management system that monitors key risk indicators and alerts people immediately when they stray beyond those acceptable performance guardrails. The more quickly you can respond when something goes wrong, the more “things” your company can try to do.

For example, if your third-party due diligence and monitoring program is solid, and can easily identify high-risk vendors or alarming changes in ownership, you can expand into new markets more quickly. If your vendor risk management program works well, you can bring new IT services for customers and employees more quickly. If your policy management program responds briskly to regulatory change, you can pivot to new market conditions without incurring regulatory risk.

At its core, a business is simply a group of people cycling through certain processes over and over: making products, closing sales, striking joint ventures, filing lawsuits, hiring new employees, and so forth. Those processes are all supposed to behave in certain ways. Risk management is the system of observing those processes and communicating when they are not behaving in the right ways.

However, performing effective risk assessments can be a difficult art to master. The very phrase — “compliance risk assessment” — can encompass a dizzying range of risks:

* anti-bribery,

* whistleblower retaliation,

* data privacy,

* cyber security,

* workplace harassment,

* anti-competition,

* product safety, and much more.

And within each of those risks are more risks to assess. Consider anti-bribery alone:

* What are the company’s risks from third parties?

* What are the risks of poor due diligence?

* What are the risks that compensation schemes will lead sales agents to bribe their way to a performance bonus?

* What are the risks that internal controls won’t detect bribery payments?

So the better your risk management is, the more quickly you can intercept those processes or transactions that have gone off course — and therefore, you can keep more processes cycling through on the correct course. The company can take more risks, or bigger risks, because it’s better at managing them and reducing the chance they’ll go wrong.

That’s how compliance and risk officers can frame risk management programs as a driver of strategic advantage — because, when you structure them smartly, they are. If you need assistance in training compliance and risk officers, contact us/email Schumacher@eitsc.com
