Risk Management: Plan, Then Execute

by Janice Giannini

With deep mastery at the intersection of IT and business strategy, consultant, board adviser and former C-suite executive Janice has been harnessing the true power of IT for more than 30 years. An executive and board-level digital strategist at the intersection of risk and IT, she enhances competitive position through vision and equity with large-scale risk identification, quantification and mitigation in an ever-changing marketplace, generating long-term value for clients. She engages with senior executives and teams, particularly in complex businesses where misalignment is blocking their desired success, to develop and execute practical business strategies and plans. Clients have found her especially helpful when they recognize they must integrate an eagle's eye and worm's eye view in order to identify and remove obstacles. Janice has consistently taken on those challenges that others chose to run from. This typically involves those challenging times when failure is not an option and integrating business, technology and people changes must be accomplished simultaneously. As a result, many of her clients are complex organizations that won't settle for anything less than developing widespread professional competence.

An article I read recently in the National Association of Corporate Directors' NACD Directorship drew attention to the significance of risk management and its oversight as a pivotal point of concern for directors in the boardroom.

The article cited a recent KPMG survey that found operational risk and the risk environment were a concern for a third of participants (after relatively uncontrollable topics like economic, social, and political volatility and government regulation). About half of those surveyed said they are concerned about their risk management program.

Those numbers worry me. Thinking critically about risk and developing a comprehensive plan is one of the most important things an executive can do for their company, and many companies treat the creation of a risk management plan as a check-the-box exercise.

Worse, many companies develop a plan and don't execute it. Even if it's a great plan, if it's poorly executed, it will lead to inadequate risk understanding and may increase the company's liability. In fact, a less-than-perfect plan that's executed is better than a non-executed top-notch plan.

Given top-level concern over risk and risk management, here are some questions executives and directors should be asking:

  • Is the risk management program truly an enterprise-wide risk assessment and management program (ERM)? Companies are at high risk when their assessment addresses some, but not all, elements of internal and external risk sources. As I wrote in the April newsletter, sources can emanate from all strategic and operational areas of a company and its environment, and they all need to be assessed.
  • Does the risk assessment process routinely challenge underlying assumptions? There are countless examples of assumptions being built into a business plan, choice of supplier, or marketing approach that were not sufficiently challenged as the environment changed. As the business environment evolved, the risk increased substantially, unbeknownst to the leaders.
  • Is there a bias for action across the leadership and the board to address the risks non-emotionally? What evidence do you have to support your response? Highlighting risk is not the end of the process; it's the beginning. Not all risks warrant a plan B and plan C. The team needs to understand the difference between the risks that require multiple levels of risk mitigation and the ones you're willing to live with, and then take appropriate and timely action.
  • What do the numbers say? It's important to consider all of the metrics and trends in your business (in addition to financial). Is the team looking at the numbers through the lens of what can happen if the trend continues versus explaining the trends to keep management happy?
  • Are your directors getting the whole story? If not, ask yourself what you can do to create an environment where it is easier to tell the whole story.
  • What committee has risk oversight, and would strengthening that committee with technical and ERM expertise increase its effectiveness?

Execution is critical in all efforts, but particularly so with ERM. ERM is more than an exercise; it can be the tool that enables you to meet commitments to stakeholders, revenue, EBITA, and EPS.