Risk management is the responsibility of everyone in an organization, not just that of the owner or senior executives. And savvy leaders take a holistic approach to managing risk, involving employees and thinking in a cause-and-effect manner about how actions in one business line can affect security in another area of the company.
Enterprise risk management is a way of capturing risk from every angle and managing it proactively with a comprehensive plan. And in today’s economy, thinking about risk in a broader sense is critical, says Rod Sloan, chief risk officer for Old Second National Bank, Aurora, Ill.
“Economic conditions expose companies to a variety of risks,” says Sloan, noting that businesses should approach their operations with a heightened awareness of the potential risks across all areas, as “the Internet and all of the electronic business we do today creates additional risk characteristics.”
But instead of being proactive, many organizations wait to implement an enterprise risk management plan until after an incident compromises the company’s security or reputation.
Smart Business spoke with Sloan about what is involved in enterprise risk management and how a business can design and implement an effective plan.
How has risk management evolved?
With all of the post-mortem occurring in the financial industry, businesses in all sectors are taking a serious look at the viability of their plan and what leaks exist in it. This leads to the concept of enterprise risk management understanding risk on a cross-dimensional basis. Your definition of risk must extend beyond firewalls and financial security to address every single aspect of the business, down to a company’s social media presence.
What is the first step to implementing a holistic risk management plan?
First comes risk awareness within specific business units. Then, leaders at the company must get those business units to talk to each other. The typical business unit manager is focused on daily, departmental tasks. A sales manager concentrates on meeting sales objectives and networking with prospective clients. But it’s important for a sales manager to understand pertinent risks to his or her line of business, and the risks that affect other areas of the organization.
If commissioned salespeople use social networking opportunities to generate leads, how does that affect the entire company? To embrace the enterprise risk management philosophy, those business unit managers must connect with one another and start a dialogue on the cause-and-effect relationship between the risks that each department faces.
How does a business identify what type of risk to address in a plan?
A company may perform a formal risk assessment by bringing in a third-party expert to evaluate every aspect of the business for risk susceptibility. The comprehensive reports produced from rigorous assessments like this are extremely valuable to managers and serve as conversation starters.
But businesses can conduct a less rigid risk evaluation by asking key managers what top five issues worry them the most. From there, dig deeper and consider how someone might perpetrate fraud against the company in those five areas. Then, determine whether there are controls in place to stop fraud and/or minimize risk. Put numbers around those risks; will it cost the company a large dollar amount from a single, spontaneous event, or will it cost small dollar amounts but eventually result in a big event that could cost the company its reputation? Finally, discuss what else could be done to protect the company. This dialogue becomes the basis of an enterprise risk management plan.
Who should be involved in developing and executing the plan?
Some companies have a chief risk officer who can manage the planning/execution of a risk management policy. Larger companies have formal methods of risk assessment, but it isn’t necessary to go to that level of formality. Smaller companies can get the ball rolling by going to business unit managers to have them share their top five risk concerns and then drilling down from there.
For companies not familiar with risk management techniques, a consultant may help give structure and direction. But, if a small company is hesitant to hire a consultant, they can do a lot from a risk management perspective by instead using the top-five method to self-identify risks and then cross-organizationally consider ways they might reduce their exposures to those risks.
Commitment from key leaders is critical, but so is buy-in from managers and supervisors, and employees who are working on the ground level where a great deal of fraud opportunities may exist. Emphasize to managers that managing risk is a key component of their leadership responsibilities and that a sales manager is also a risk manager.
How do you create a risk management culture?
Don’t miss an opportunity to champion risk management whenever you can. Form a risk committee with members from all levels of the organization. Address a risk topic at regular company meetings. Reward people who do an excellent job of engagement people who are not just managing risk in their own silo. Create a variety of policies and procedures around the key control areas identified in the risk assessment and involve the risk management committee on approving these processes.
Ultimately, enterprise risk management works a lot like quality control. You can generate widgets and hire someone to sit at the end of the production line and check to see if the widgets are up to par. Or, you can institute a process that ensures those widgets meet high standards before they go down the line. The objective is to build quality from the start and not to go about business and leave risk management as an afterthought.
Rod Sloan is chief risk officer of Old Second National Bank in Aurora, Ill. Reach him at (630) 906-5459 or firstname.lastname@example.org.