What's the Right Level of Risk Management?

by Janice Giannini

With deep mastery at the intersection of IT and business strategy, consultant, board adviser and former C-suite executive, Janice has been harnessing the true power of IT for more than 30 years. An Executive and Board-level digital strategist at the intersection of risk and IT, she enhances competitive position through vision and equity with large-scale risk identification, quantification and mitigation in an ever-changing marketplace, generating long-term value for clients. She engages with senior executives and teams, particularly in complex businesses where misalignment is blocking their desired success, to develop and execute practical business strategies and plans. Clients have found her especially helpful when they recognize they must integrate an eagle's eye and worm's eye view in order to identify and remove obstacles. Janice has consistently taken on those challenges that others chose to run from. This typically involves those challenging times when failure is not an option and integrating business, technology and people changes must be accomplished simultaneously. As a result, many of her clients are complex organizations that won't settle for anything less than developing widespread professional competence.

In today's unpredictable world, it is increasingly important to have effective risk management in a business. The natural questions that arise are:

  • How do you build such a plan?
  • What are the critical elements of the plan?
  • How do you know if the plan is complete?
  • What issues get in the way of establishing effective risk management?

Research indicates there are any number of frameworks for creating context and identifying risk. Regardless of the framework you choose, the following areas are worthy of consideration:

  • Internal risks
    • Governance
    • Strategic
    • Financial, compliance and reporting
    • Operational, environment, infrastructure, process
  • External risks

As you embark on your journey to develop the appropriate level of risk management for your business, there are several underlying attributes that heavily influence the success of an effective risk program.

These attributes apply whether your business is implementing an initial plan that may be highly subjective or you're an advanced-stage company using big data analysis to inform your risk position.

Companies that do successful risk management tend to address the basics first. I encourage you to ask and answer the following questions:

  • What are the expectations of the enterprise risk management program?
  • What level of support is required from the C-suite? How do you create that level of support?
  • Does the company have a culture that encourages and rewards risk identification and mitigation? How do you know?
  • What is the level of institutional awareness of the significance and impact of effective risk identification and management?
  • How comprehensive is the risk assessment?
  • How well does the team understand the assumptions embedded in the risk assessment? Are the assumptions fully vetted and periodically reexamined?

It is relatively straightforward to implement the mechanics of identifying risk in a business. What gets in the way of effective risk management is a failure to address the basics.

The list above points to establishing expectations, culture, and behaviors from top to bottom that encourage realistic assessment of all the risks. After that, the key is to regularly challenge those assumptions for continued validity as internal and external environments change.