Risk management is one of the key responsibilities of C-Level executives and boards of directors. In today’s business world, where technology is accelerating the pace of change, reshaping industries, and enabling new competitors, having a clear risk management process is more important than ever.
Risk, Governance, and Compliance
You have likely seen or are aware of the term “GRC,” which stands for Governance, Risk, and Compliance. Governance, or corporate governance, is the overall system of rules, practices, and standards that guide a business. Risk Management is the process of understanding what risks and opportunities a company has, how they could affect a project or the organization, and how the company should respond. Compliance is the process of making sure your company and employees follow all laws, regulations, standards, and ethical practices that apply to your organization and industry. For this post, we’re going to focus on a framework for Risk Management that can help you guide your company, board, and employees through the process.
The Risk Management Process
If you haven’t been actively involved in implementing a Risk Management process before, you may think of it as a purely defensive process, ruled by auditors and regulators. Depending on the complexity of the process there can be a lot of internal work and effort, much of which might seem like documentation as opposed to action that directly impacts your current business.
An agile, coordinated process, however, can help illuminate new opportunities, define the right resources, and help improve the success of new growth initiatives for your business. The way to think about this is Risk/Opportunity. In other words, how do you raise the probability of success with a new opportunity by reducing the execution risks?
There are four essential steps in a Risk Management process:
- Identify the risk/opportunity
- Assess the risk/opportunity
- Treat the risk/opportunity
- Monitor and report the risk/opportunity
1. Identify the Risk/Opportunity
This first step is about identifying all of the issues that can negatively (Risk) or positively (Opportunity) affect the goals of the project. These are developed with clear descriptions, causes and consequences, qualitative assessment, quantitative assessment, and a risk mitigation plan. It’s also at this stage that you need to identify who is responsible for the individual actions. A word of caution at this stage: it’s easy to let the opinion or strength of personality of a senior leader overwhelm the common sense of the team.
All too often, I’ve seen business leaders ignore risks or over-emphasize opportunities based on the experience of an individual leader. This is also where the undue influence of market trends can come into play.
In every boardroom in the world, directors are asking CEOs, “What’s our Metaverse or Web 3.0 strategy?” You may well have an incredible opportunity in the Metaverse, or be facing a massive competitive risk. You need to make sure that you don’t over- or under-react, however.
2. Assess the Risk/Opportunity
There are two basic forms of risk and opportunity assessment: qualitative and quantitative. Qualitative analysis looks at the event’s probability and impact. Quantitative assessment looks at the financial risk or opportunity. To have a successful risk management process, both qualitative and quantitative analysis must be done.
At this stage, having a diverse team is a huge benefit. If your organization has a strong sales culture, it’s easy to see every opportunity, or risk, through the lens of sales. Conversely, if your senior leadership comes from an accounting or auditing background, they may lean too heavily into risks and not focus enough on opportunities.
My experience is that taking the time to be as detailed and precise as possible in assessing risk and opportunity up front is time well spent. Also, ensuring that you have a cross-functional team working on these assessments is critical for success.
3. Treat the Risk/Opportunity
Think of this step as the execution plan. This is where you identify the specific strategies and tactics you will deploy to exploit the opportunity or avoid the risk. This is the stage where I’ve seen more CXOs misstep than any other.
It is easy to ignore potential risks. “Heck, there hasn’t been a global pandemic in over 100 years.” “The banking system in the US is too big to fail. This is just a glitch with home mortgages.” You need to be transparent and rigorous in assessing risk and opportunity. Risk and opportunity treatment plans vary. But in my experience, these are the major themes for developing risk/opportunity game plans: Accept. Reduce/Enhance. Transfer/Share. Avoid/Exploit.
4. Monitor and Report the Risk/Opportunity
This is actually one of the most critical components of a successful risk/opportunity management process. It’s here where you need to define the key metrics that matter—those that will be measured on an ongoing basis—and ensure that you have a clear process for monitoring and reporting these metrics.
This is also where having a well-understood process at the board level matters. It’s a very smart step to ensure your organization has a tight connection between your risk management and project management.
Risk and Governance is a huge and important topic for CXOs. In this post, we’ve focused on only a small portion: a basic framework for Risk and Opportunity management. I would strongly encourage business leaders to keep current with the ongoing changes in regulatory and compliance rules in your industry. I would also recommend that you take advantage of the wealth of information, courses, and niche consultancies that can help you develop your own Risk Management processes.