Over the years, risk managers have tried various ways to get the business units to participate in the risk management process. Some simplified the risk identification and assessment methodologies, others complicated them. The result in both cases was the same – disappointment. Best case scenario – annual or quarterly risk assessments were perceived as a necessary evil with most employees ignoring them and few actively resisting. We are proposing an alternative approach. Something that will help integrate risk management into everything the business does.
Did it ever strike you as odd, that risk management is supposed to be a support function, yet business units are constantly required to provide the information to the risk managers and not the other way around? It almost feels like the business is there to support risk managers in doing their job.
Maybe, just maybe, it is time for the risk managers to stop living in a universe, where the business is regularly required to provide information, participate in risk assessments and to contribute to lengthy discussions about risk mitigation. After all, this does not make business sense. Why would business units take the time away from making money to supply risk managers with all this information? The only logical answer is because they must, it’s a compliance issue. And this is where it gets interesting, risk managers have for years been telling us that it’s not about compliance, it’s about generating business value. Something doesn’t add up. If an activity takes time and resources and doesn’t have an immediate impact on business decisions or business processes, something is clearly wrong.
This guide is designed to help the business take risks into account every time they take a decision, not quarterly or annually. The authors believe that this can only be achieved by changing the very nature of existing business processes (planning, budgeting, investment management, performance management, procurement and so on) and making them more risk-based. This also means that risk management process is not a singular process, there should be multiple, different risk management processes in the organisation.
HERE IS A QUICK CHECKLIST TO TURN THIS SECTION INTO ACTIONS
|Critically review existing risk management processes and methodologies to determine whether they do in fact help management make day to day business decisions based on timely and accurate risk information|
|Document risk information flows in the company to make sure risk management provides adequate and timely support to all business units|