If you ask 10 IT business leaders "What is risk management?", you will probably get 10 different answers. If you ask those same 10 IT business leaders "How can a formal risk management program help IT deliver core services and strategic processes?"…well, I hope you get an answer.
I talked with a friend last week who is the CIO for a Fortune 500 company and asked those very same questions. We fumbled through the conversation but eventually reached the same conclusions.
A formal risk management program can dramatically enable IT and business operations by giving management teams a proactive view of potential business issues and guidance for dealing with those issues before they escalate into full-blown problems. When businesses are purposeful and intentional about managing risk, they can improve operational efficiency, save money, and increase the chances that project or department objectives deliver on time.
When developing or maturing a risk management program, I equate the effort to trying on a pair of shoes--it needs to fit and be comfortable in order to be effective for your business.
There are critical factors to decide on before constructing or giving your risk management program a tune-up. Here are five things to think about:
1. Agree upon language for risk and control. Establishing a common language and teaching people to learn this new language is the most important thing you can do. I don't think there are any surprises with this one and it's a pretty simple concept--if communication was not important, then the company Rosetta Stone would not exist.
2. Establish shared contexts. People do this implicitly and the value of this is often overlooked. Networking enables people with shared experiences to communicate about ideas and share opinions. When we bring this back to risk management, talking about goals of a program and shared experiences is a huge business enabler.
3. Evaluate your risks against a defined list of risk classes. Whether a four- or five-tier ranking system is best for classifying the degrees of risk across your program, it is important to clearly establish a taxonomic rank system that everyone will use. To further this one more, it's also important to have a "risk universe" defined and your business risk areas mapped out. Documenting a risk universe will drive consistency and risk mitigation coverage year after year.
4. Establish your functional risk teams. Your functional risk teams are departments such as Internal Audit, HR, SOX, Finance, IT. Every department has a risk-minded individual you can liaise with, or in larger companies, these departments might have a dedicated risk management team in that business function. When all these teams are synergized into a common risk management platform, your business will benefit through cost savings and increased operational efficiency.
5. Risks are scored in a common way. This one is on the same theme as #3, however, it is important to provide some structure as to how risks should fit into risk classifications. Ideally, the residual risks are quantified and mapped to their respective risk classification but there are always the qualitative risks to consider. Providing structure about how those qualitative measured risks fit into your taxonomy will go a long way toward driving consistency.
Formally managing risk is an enormous business enabler. For small businesses and publicly traded companies alike, it is critical to delivering shareholder value in a world of cost cutting and streamlined business operations. Businesses have a limited set of resources to deliver on strategic objectives, and a well-thought-out risk management strategy can help you deliver those objectives on time and on budget.
Over the next six weeks I will be posting the six steps to establishing a risk profile for your company. I will cover the process and provide insight about developing high-level guidelines, walk-through pieces of a risk strategy plan, action planning, and more.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.