Ultimate Guide to Risk Management for Businesses

00:02

Craig Stedman: Risk is a way of corporate life and comes in many

00:04

forms. Every organization, no exceptions, faces the risk of

00:09

unexpected harmful events that can cost money or worse shut it

00:13

down. Business leaders IT teams and risk management

00:16

professionals who know how to effectively manage those risks

00:19

can give their company a distinct competitive advantage

00:22

over less risk aware rivals. Risk management is the process

00:25

of identifying, assessing and controlling threats to an

00:28

organization's capital, earnings and operations. These risks

00:32

stemmed from a variety of sources including financial

00:35

uncertainties, legal liabilities, technology issues,

00:38

strategic management errors, accidents, and natural

00:42

disasters. A successful Risk Management Program helps an

00:45

organization consider the full range of risks it faces. Risk

00:49

management also examines the relationship between different

00:52

types of business risks and the cascading impact they could have

00:55

on an organization's strategic goals. This holistic approach to

00:59

managing risk is sometimes described as enterprise risk

01:03

management or E RM, because it focuses on the need to

01:06

anticipate and understand risk across an organization. But

01:10

risks aren't all bad. Enterprise Risk Management emphasizes the

01:14

importance of managing Positive Risk to positive risks or

01:18

opportunities that could increase business value, as long

01:21

as they're recognized as opportunities and acted on not

01:24

taking such risks can damage an organization's business. Indeed,

01:28

the aim of risk management isn't to eliminate all risk, but to

01:32

enable companies to make smart risk decisions that help improve

01:35

business performance and increase enterprise value. With

01:39

that in mind, a risk management program should be intertwined

01:42

with organizational strategy. Here we'll examine the basics of

01:46

risk management as well as the benefits, challenges,

01:49

strategies, and what else businesses need to know about

01:52

it. For a deeper dive, explore our complete collection on all

01:56

things risk management by clicking the link above or in

01:59

the description below.

02:02

The risks that organizations face have grown more complex

02:05

fueled by the rapid pace of globalization and digital

02:08

transformation, as well as other recent developments. For

02:11

example, the COVID 19 pandemic initially manifested itself as a

02:15

supply chain issue at many companies, but quickly evolved

02:19

into an existential threat for some well managed companies made

02:23

rapid adjustments to the business risks posed by the

02:25

pandemic. But going forward, organizations are grappling with

02:29

various new and ongoing risks, including how or whether to

02:32

bring employees back to the office, economic fluctuations,

02:36

environmental and climate related issues, and how to make

02:39

supply chains less vulnerable to disruptions. Companies that

02:43

currently take a reactive approach to risk management are

02:46

or should be considering the competitive advantages of a more

02:50

proactive approach. That includes taking steps to

02:53

increase business sustainability, resiliency, and

02:56

agility. forward looking companies are also exploring how

02:59

AI technologies and sophisticated governance risk

03:03

and compliance or GRC platforms can improve risk management.

03:10

Various standards and frameworks document ways for organizations

03:14

to manage risk. One of the best known resources is the ISO

03:17

31,000 standard developed by the International Organization for

03:21

Standardization. a standards body commonly known as ISO ISO

03:26

31,000 outlines a risk management process that includes

03:29

the following five steps for identifying, assessing and

03:33

managing risks. First, identify the risks faced by your

03:37

organization. Second, analyze the likelihood and possible

03:41

impact of each risk. Third, evaluate and prioritize the

03:46

risks based on business objectives. Fourth, treat or

03:50

respond to the risk conditions. And fifth, monitor the results

03:54

of risk controls and adjust as necessary. While these steps are

03:59

straightforward, risk management teams shouldn't underestimate

04:02

the work required to complete the process. For starters, it

04:05

requires a solid understanding of what makes your organization

04:08

tick. The ISO 31,000 process also includes upfront methods to

04:13

establish the scope of risk management efforts, the business

04:16

context for them and a set of risk criteria. The ultimate goal

04:20

is to know how each identified risk relates to the maximum risk

04:24

the organization is willing to accept known as risk appetite,

04:28

and what actions should be taken to preserve and enhance

04:30

enterprise value. The Committee of sponsoring organizations of

04:34

the Treadway commission, better known as COSO, has created

04:37

another enterprise risk management framework that's also

04:40

widely used. It includes a set of 20 principles organized into

04:44

these five interrelated components, governance and

04:47

culture. This involves setting risk management oversight

04:50

responsibilities and documenting corporate culture including an

04:53

understanding of business risks, strategy and objective setting

04:58

as part of strategic planning the organization must determine

05:00

its risk appetite and then align that with business strategies

05:03

and objectives. Performance. Different risks are identified,

05:08

assessed and prioritized in accordance with the company's

05:11

risk appetite. It then decides how to respond to them and

05:14

implements the required actions, review and revision. The

05:18

organization reviews business performance and how well the

05:21

risk management process is functioning then decides whether

05:24

changes are needed to improve the process, Information

05:27

Communication and reporting. Information about the risk

05:31

management process is collected and shared internally through

05:34

ongoing communications and reporting. The COSO Framework

05:38

also recommends taking a portfolio view of business risks

05:42

to help do so companies can record information about

05:45

identified risks in a risk register that's used to track

05:48

them throughout the risk management process. Various risk

05:51

maturity models are also available, they can be used to

05:54

benchmark risk management capabilities and assess their

05:57

maturity levels. When it comes to identifying risks scenarios

06:00

that could affect an organization's ability to meet

06:03

its business objectives. Many risk management teams find it

06:06

useful to take a top down bottom up approach. In this case, top

06:10

down means identifying the organization's mission critical

06:13

business processes, and working with internal and external

06:17

stakeholders to determine the conditions that could impede

06:19

them. Bottom up means identifying potential threat

06:23

sources like earthquakes, economic downturns and cyber

06:26

attacks, and assessing their potential impact on critical

06:29

assets. You'd think effectively managing risks that could have a

06:36

business impact should bring numerous benefits, it does,

06:40

including increased awareness of risk across the organization,

06:44

more confidence in organizational objectives and

06:47

goals since risk is factored into business strategy, better

06:50

and more efficient compliance with regulatory and internal

06:53

mandates because compliance work is coordinated, improved

06:57

operational efficiency due to a more consistent application of

07:00

risk processes and controls, improved workplace safety and

07:04

security and a competitive differentiator to be exploited

07:08

in the marketplace. But with benefits come challenges too and

07:12

risk management is no different even for companies with mature

07:15

GRC and risk management strategies. challenges include

07:19

higher costs initially, at least because risk management programs

07:23

can require expensive software and services. greater emphasis

07:27

on governance, which also requires business units to

07:30

invest time and money to comply. difficulty reaching consensus on

07:34

the severity of risk and how to treat it, which sometimes leads

07:37

to risk analysis, paralysis, and difficulty demonstrating the

07:42

value of risk management to executives without hard ROI

07:46

numbers. Simply put, a risk management plan describes how an

07:53

organization will manage risk. It lays out elements such as

07:57

your organization's risk approach the roles and

07:59

responsibilities of risk management teams, resources that

08:03

will be used in the risk management process, and internal

08:05

policies and procedures. ISO 31,000 is overall seven step

08:10

risk management framework for enterprises is a popular option

08:13

that can help you build and implement a plan. Those steps

08:16

include develop a communication program to convey your

08:20

organization's risk policies and procedures to employees and

08:23

other relevant parties. Define the organization's risk appetite

08:27

and its risk tolerance which spells out how much the risks

08:31

associated with specific business initiatives can vary

08:34

from the overall risk appetite. Define the risk scenarios that

08:38

could have a positive or negative impact on the

08:40

organization's ability to conduct business. Analyze the

08:44

likelihood and impact of each risk and create a risk heat map

08:47

also known as a risk assessment matrix to visualize the

08:50

findings, evaluate risks and decide how to respond to them.

08:55

possible approaches include risk avoidance, risk mitigation, risk

08:58

sharing, or transfer and risk acceptance. Apply the agreed

09:03

upon risk management controls and processes and confirm they

09:06

work as planned. And finally, monitor the plant's performance

09:10

and look for key risk indicators that might trigger a change in

09:13

strategy, then report the results to internal decision

09:16

makers.

09:20

With the increased spotlight on risk management, many companies

09:24

are not only reexamining their risk related practices, but also

09:28

exploring new techniques, technologies and processes.

09:31

They're looking at E rm and GRC platforms to integrate the risk

09:34

management activities manage policies, conduct risk

09:38

assessments, identify regulatory compliance gaps, and automate

09:41

internal audits plus software that helps measure and mitigate

09:45

risks is improving. For example, risk sensing tools can detect

09:49

trending and emerging risks. Businesses are also formalizing

09:52

ways to manage positive risks and they're connecting risk

09:56

management initiatives to their environmental, social and

09:59

governance or ESG programs to make operations more sustainable

10:03

and ensure they're acting in responsible and ethical ways.

10:06

All these developments and other measures won't eliminate

10:09

business risk, but they're designed to make it more

10:13

manageable and less risky.