Over the years, risk managers have tried various ways to get the business units to participate in the risk management process. Some simplified the risk identification and assessment methodologies, others complicated them. The result in both cases was the same - disappointment. Best case scenario - annual or quarterly risk assessments were perceived as a necessary evil with most employees ignoring them and few actively resisting.
Did it ever strike you as odd, that risk management is supposed to be a support function, yet business units are constantly required to provide the information to the risk managers and not the other way around? It almost feels like the business is there to support risk managers in doing their job.
Maybe, just maybe, it is time for the risk managers to stop living in a universe, where the business is regularly required to provide information, participate in risk assessments and to contribute to lengthy discussions about risk mitigation. After all, this does not make business sense. Why would business units take the time away from making money to supply risk managers with all this information? The only logical answer is because they must, it’s a compliance issue. And this is where it gets interesting, risk managers have for years been telling us that it’s not about compliance, it’s about generating business value. Something doesn’t add up. If an activity takes time and resources and doesn’t have an immediate impact on business decisions or business processes, something is clearly wrong.
Join me in a free webinar where I will talk about an alternative approach. Something that will help integrate risk management into everything the business does, not weekly, monthly, quortely, but every day. I believe risk analysis doesn't need to happen before, during or after the strategic planning takes places, I believe it has to change the very nature of existing business processes. And that is why is so, so, so difficult, because management will actively resist any changes to their business processes.