Risk Mitigation is a Process and then a Technology
Written by William Sellers
A.T. Kearney recently wrote that ‘risk management is not a critical focus for those in that profession but threats are present.’ It would be incredibly difficult to remedy this if you cannot address the issues firsthand. Companies, whether privately held or publicly traded, are all too often shrouded by risks of many colors. Those risks are embedded in suppliers and even locations that deliver services up and down the technology and business process spectrum. Most firms do not have mature processes in place to assist with keeping regulatory and critical supplier risk at bay. The processes set forth for monitoring and managing risk across the enterprise are sometimes disparate, or there may be too many internal groups managing risks for different reasons across multiple functions. Another issue across this spectrum is that not all groups within a company measure, monitor or remedy risk in the same way.
Processes that work for risk identification, monitoring and correction help ensure continuous improvement within and throughout the business.
Implement a process
Outline a process that can be implemented across all functions within your firm, such as Enterprise Risk, Finance, Compliance, Audit, 3PRM, IT Vendor Risk, Procurement and Strategic Sourcing, to name just a few. This is a large but essential plan for how to aggregate and manage risk across multiple functions. The group that owns it need not be large: a select few with a clearly defined RACI matrix will do. This group would also:
- Drive best practices
- Ensure that the risk management program stays current
- Co-create a strategy with the executive committee for a complete grouping of responsibility up and across the organization.
Once a cohesive process is discussed and formalized, technology can assist with process flow. Having an organized approach for proper management and then reporting will assist with tackling the issues holistically.
Technology & Software?
Buying software or technology should rarely be the first step. Addressing the issue with technology before analyzing the process that needs to be in place is akin to the age-old adage of ‘putting the cart before the horse’. To start with, it is critical for the organization to have total clarity on the desired outcomes from the risk management program. To do this, it is absolutely necessary to define and understand what risk means to the organization, based on its appetite for risk and its commitment to its customers and board, after which a compliance and governance framework needs to be built. The organization can then build a process for the technology to help. Most mature firms have constructed a tight framework to implement change and then decide on a tool that can help capture and interpret the results and then report on risk change. Allow the business to assist in the risk identification process to evaluate the key elements that can impact your firm. Risk is about continual monitoring of the most critical suppliers and locations. The issues are volatile and not in your control: risk areas include macro-economic factors, geo-political changes, scalability of a supplier, financial changes, etc. Risk management is no longer just about supplier assessments. Assessments are costly and sometimes not effective, as they typically do not look at trends over time, nor do they continually evaluate risk from that point forward.
On-Going Risk Monitoring
The very best risk management programs include repeatable, ongoing monitoring and measurement as well as trending and predictive analysis. What about responsibility? Who is responsible for continual monitoring, and what is the one group or team that is managing risk? Check and double check how you monitor your process and framework to continuously evaluate your risk exposure, ensuring that it operates at an optimal level. However, if things do not go as planned, there needs to be a robust contingency plan, without which all of the above-mentioned points are meaningless. Organizations must outline a clear framework and an escalation and contingency plan, while also identifying a way to sift through all of the data streams to pinpoint what is critical to each line of business.
Define and identify your risks, develop an action plan/framework and then begin monitoring those risks on an ongoing basis.