Now more than ever, business executives need a clear view of perils that could inflict harm on their finances or reputations. Commerce is fraught with so-called strategic risks, from global supply chain disruption and cybersecurity breaches to competitive weakness and corruption. And they are emerging faster and packing a bigger punch than ever before.
Despite such far-reaching threats, too many companies take the check-the-box compliance officer's view of risk: a matter that should be handled by individual business units. But consider just one obvious counterexample -- cybersecurity, no longer the sole domain of the CIO.
What's needed is a new risk management plan, with designated "process owners" who have decision-making rights authorized by the board of directors and CEO. Their objective is twofold: ensure that business-unit heads -- the "risk owners"-- follow well-defined steps for identifying, assessing, mitigating and tracking strategic risks and report regularly to board members and senior executives. This gives them a good handle on the risks that could put the company in a harsh light if any were to materialize.
The current sense of urgency about risk management comes from the increased tenacity of watchdogs and law-enforcement groups of all stripes -- never mind class-action lawyers -- in the wake of the global financial crisis. The U.S. Department of Justice, the Securities and Exchange Commission and the Senate Permanent Subcommittee on Investigations, among others, have been pursuing corporate missteps and wrongdoing with fervor.
Yet research by my benchmarking firm, APQC, shows that most organizations have work to do before we can call their risk management plans “best practice.” A survey of senior executives at 96 large multinationals indicated significant process weakness. Forty-three percent do not have a process owner who updates the board about shifts in the ranking of risks large enough to disrupt the organization's strategic objectives. In contrast, the 57% that do have one feel confident about identifying emerging risks.
That confidence comes from regular, well-structured and robust conversations among board members --with senior managers and the process owner present -- about the desired balance between risk versus reward, events that could tip the balance and emerging risks. And it comes from everybody in the company having the right kind of decision-support software.
A good example comes from coal and mineral mining company Exxaro Resources Ltd., the second-largest coal producer in South Africa, churning out 40 million tons a year.
For more on risk management plans
Learn how to present a risk management plan to the board
Design a risk management plan from scratch
Test your knowledge of risk management planning
Exxaro uses governance, risk and compliance software from SAP that drives uniformity, collaboration and risk correlation. Before adopting a standardized approach to risk identification and assessment, "Finance had a high-level risk assessment that was done annually to ensure that we comply with legislation and license requirements," said Saret van Loggerenberg, Exxaro's risk and compliance manager. "Safety risk management followed its own methodology, definition and terminology. We had an operations methodology that was also completely different, and we had a separate project risk management methodology as well."
Now Exxaro can depict identified risks on color-coded heat maps. The software also enables access to the "risk-per-page" report, which provides full details on a specific potential hazard. Used by Exxaro's corporate executives and operations-level business managers, it maps out a particular risk -- inability to attract critical skills is one, according to van Loggerenberg -- its root causes and potential impact. The report also shows whatever controls the company has put in place to address the risk -- for example, more on-the-job training and use of contractors. It also shows how effective the controls are and who is responsible for them.
Today, Exxaro's risk management efforts are highly organized and collaborative. "People across functions, departments and business units can have conversations about risks with different viewpoints on impact and different thoughts on probability," van Loggerenberg said. When people see a risk has been logged into the system, they're on alert. "No matter whether you are assessing at a business unit or corporate level, if you see risk raised, you know that you need to pay attention."
By exploiting technology to help implement this reform of its risk-management processes, Exxaro can compare risks throughout the company more easily. "We are able to look at one risk across multiple business units and multiple projects," van Loggerenberg said.
And that suggests where the true value of enterprise risk management planning lies: helping people grow the culture's risk intelligence.
MARY DRISCOLL is senior research fellow at APQC, a nonprofit that provides expertise on business benchmarking and best practices. Email her at firstname.lastname@example.org.