Most executives are convinced that they have a suitable risk management program in place. They maintain that mindset until something unexpected happens. I see it time and time again.
Usually, at some level, workers and managers have summarized their perceptions of risk to some standard or methodology, and produced reports that are collated and provided to senior decision-makers. Executives then make decisions based on purely subjective data, with little formality for studying and assessing operational risks as they apply to the entire organization.
When considering the size and scope of an enterprise risk program, managers and executives often have the same questions: Where do we start? How do we prioritize which risk studies are performed first? How do we realize benefit without waiting on the final study to be complete? How do we know we are measuring, ranking, and managing risk to the same standards?
Every company knows its most profitable or impactful product, customer, location, or line of business. Unless there is a regulator or customer driving your organization in another direction, this is the first place to focus risk management efforts. As your company builds a larger sphere of knowledge libraries and risk assessment studies, an operational risk platform will exponentially increase the speed at which other areas develop risk assessments and adopt the processes. Knowledge from one operation can be shared with others, and previous controls or workarounds can be passed from one manager to the next.
Commonalities in processes exist in every organization. The basic elements of any risk program are typically at hand, but largely underutilized; employees’ personal experience is hard to scale without a mechanism for knowledge management.
Widespread adoption of enterprise-wide operational risk management programs is just beginning. Almost all finance organizations have implemented some form of GRC (governance, risk, compliance) tools to manage financial controls. Many process manufacturers focus on environmental, health and safety (EHS), and have adopted OSHA 1910.119 for Process Safety Management. Too often, however, little is done beyond meeting minimum compliance standards.
Observing a deviation or investigating an incident and performing a root-cause analysis is a top-down, rear-view mirror approach to risk. Only with a ground-up predictive approach, using a cross-functional study of risk to address a particular product, process, or location with proven hazard and failure mode methodologies, can operational risks be mitigated or eliminated.
Industry leaders are able to go beyond using risk management to prevent disasters and leverage their risk programs as a competitive advantage. They are able to make more capital available to their real business priorities, and strategically align the available resources to initiatives that will benefit the top and bottom line, customers, employees, and shareholders.
All companies take risks. Their appetites for risk need to match operational reality. In order to gain true competitive advantage and act more strategically, companies must move from a compliance culture to a proactive strategy of risk prevention.
What are your strategies for risk assessment and prevention? What tactics have you used to focus the conversation about risk management at your organization?