Bringing Risk Communities Together
The discipline of enterprise risk management is constantly evolving. Risk management is an aspect of all areas of your organization. However, sometimes we see that those areas aren’t pulling together in a way that supports an enterprise-wide view of risk.
In this article, we’ll look at where you will find employees with a focus on risk, and take a quick look at how you can start bringing those communities together as a step on the journey to a fully-fledged enterprise risk management strategy.
Risk communities in your organization
In many businesses, the strongest links with risk management come from within the Finance and Audit teams.
Historically, these teams have been the guardians of risk management at a corporate level. Their role has involved assessing the financial and operational impacts of business risk. They consider the impact of the market and credit lines. The audit function provides oversight and governance for risk management actions, ensuring that risk is managed appropriately and in line with the risk tolerance of the business.
However, today risk management is often embedded in plenty of other areas across the business too. You might have active risk managers in other departments too. Here are some of the most common business functions where risk managers can be found.
Health and Safety
Risk is such a large part of effective health and safety management. You may find colleagues with a full focus on risk, or individuals for whom risk management is part of what they do.
Project Management Office
At a company level, the PMO should be collating project risk and reporting on the risk profile of the current and proposed change projects across the business. Project managers within the PMO will also be handling project risk as it relates to the team’s ability to complete project work as expected.
The quality management function may have full-time risk managers, or those who have risk as a part or substantive part of their role.
Disaster Recovery and Business Continuity Planning
The teams responsible for disaster recovery plans and business continuity plans are basically responding to a very particular type of risk. While there might be one person responsible for this across the enterprise (or a small team), they are likely to have a distributed network of individuals with responsibility for certain actions should the risk materialize. This risk management community could involve a significant number of people at all levels of the organization – although many of them won’t be risk managers on a day-to-day basis.
- Your technical teams may have someone, or a group of people, focused on IT risk. Disaster recovery and business continuity plans from an IT perspective will definitely be part of that, but they’ll also be looking at the risk of viruses, hacking, ransomware and other tech threats.
Business Specific Areas
If your business provides clinical services, there will be teams looking at patient care risk, such as infection control or adequate clinical training for staff. If your business relies on the energy markets, you will most likely have a team looking at energy risk management. Whatever your industry, you probably have a specific industry-related type of risk that someone in the business needs to be managing.
The value of enterprise risk management
There’s a case for bringing all these different individuals playing a role in risk management together. Enterprise risk management means taking a holistic view of the risk facing the organization, and it’s hard to do that when different specialist teams are managing risk in their own way.
The value of enterprise risk management is in creating a framework and structures that allows risk to be captured, analyzed and managed in a standard way across the business. When this is in place, risks can be consolidated and reported on as a whole.
Being able to see the whole picture makes it easier for senior leaders to take appropriate decisions. They’re faced with a rounded picture of the risk profile for the organization, including risks from all areas. They can more easily make connections between risks – for example, if one risk is mitigated, that might make another risk better or worse in a seeming unconnected area of the business. When the whole risk portfolio is laid out in front of you, those patterns are suddenly clear, and you’re making choices about actions with all the information available.
Managing risk across the enterprise in a standard way can have an impact on efficiency and the financial performance of the business – there are lots of benefits to doing it right!
Bringing teams together
If you’ve been reading this and identify your business as one that has many areas with risk specialists, how can you start to bring the risk communities together?
Enterprise risk management, like all things cultural and process change, is a journey. You can choose which departments to work with first to standardize and manage the way they approach risk. Once your framework is designed, you can organize training and awareness sessions with the relevant stakeholders, to spread the word about the new direction you are taking for managing risk. You’ll want to involve everyone in time, but think carefully about the impact of rolling out your enterprise risk management framework to everyone at the same time.
It’s likely that each area has adopted a slightly different approach for categorizing and managing risk. A standard enterprise approach is going to mean changing the way they carry out their risk management activities. It probably won’t be a substantial change, but it might involve changing the language used to describe risk, or using a different categorization method. As you grow in risk management maturity, you might need to introduce them to the appropriate software tools to use, or modelling methods.
Enlist the support of your PMO to manage this – it’s effectively a change management program. Proper project management and change management will really boost the efficiency of your changes and help rollout a standard approach across the organization with the least possible impact on the way things are done.
Enterprise risk management offers huge benefits to businesses big and small. It improves management decision making and shapes which projects to invest in. To be truly efficient, risk management needs to take in all communities across the business where risk forms part of the day-to-day operations. When that happens, you’ll have an integrated risk management function, with colleagues able to support each other, and use language and processes that are comparable across business areas.