ARTICLE
Guide to executing a winning risk management plan
Risk is a fact of life for any organization. What’s more, risk isn’t always a potential threat. For successful businesses, taking risks is crucial to growth and sustaining profitability. Those risks can include new products and markets, investments, and acquisitions, among others. They’re risks because they might not succeed, or they might bring about unanticipated consequences.
But whether the organization is a business, a nonprofit, or a government agency, risks are more likely to have negative impacts. If it doesn’t plan for those impacts, a risk event can disrupt its workflows, cost the organization millions of dollars, and perhaps even cause it to shut down.
To protect itself from potential disaster, every organization should establish a risk management plan that sets the specific ways to handle any possible risk. To succeed, such a plan needs to be carefully and strategically designed while being flexible enough to accommodate any new hazards that might arise.
Risk management is more than a way to help ensure an organization’s continuity. Many businesses must have risk management protocols in place to meet industry laws, regulations, or compliance requirements. That’s particularly true regarding cybersecurity and the need to protect sensitive information.
All that said, a risk management plan doesn’t eliminate all risks. Instead, it determines the best course of action to strike a cost-benefit balance between risk reduction and the use of corporate resources. A risk management plan documents potential risks to an organization and the steps employees should take to keep those risks at acceptable levels. In addition, an organization may need different risk management plans to address additional risks.
Setting risk management goals
Risk management includes developing procedures for uncertain events. In crafting a risk management plan, an organization identifies potential risks, evaluates their likelihood and potential impact, and develops strategies for either avoiding them or mitigating their effects if avoidance is unfeasible. Risk assessment is a part of this process, focusing on detecting potential hazards and analyzing conceivable risks in an organization’s immediate workplace. Risk assessment also identifies risks related to fraud and (for many organizations) compliance.
Risks are typically described as either operational or enterprise. Operational risks, which are associated with the execution of an organization’s operations, can originate from various sources, including human error, third parties, cybersecurity threats such as data breaches or ransomware attacks, external events such as natural disasters, and government regulations. Enterprise or strategic risks are those risks that could be beneficial to a business — big changes that could bring in new customers or lead to the development of new product lines, for instance.
In crafting a plan, the organization must determine its risk management goals. What dangers does it wish to avoid? What opportunities might a risk offer? How might a risk derail an organization from its mission? Once it answers questions like these, it can develop a risk management plan that aligns with those goals.
With all this in mind, let’s look at the chief steps any organization should follow to set up a risk management plan.
Risk assessment
This step focuses on identifying and analyzing potential hazards before they can cause disruption — or identifying disruptive events that could lead to beneficial results. Risk assessment helps organizations understand the nature and extent of any risks they might face and with informed decision making about risk management, including what level of risk organizations are willing and able to tolerate. It also helps them uncover events that might seem unlikely but could suddenly and disastrously occur.
One of the most valuable tools in this process is a risk assessment matrix, used to visualize potential risk impacts. A risk assessment matrix measures the likelihood from low to high on one axis and the severity from low to high on the other. The organization can then prioritize risks with higher “scores” for risk prevention or reduction.
Risk tolerance
Risk tolerance is the amount of risk an organization is willing to bear within a specific project, activity, or timeframe. Measuring risk tolerance helps determine the acceptable range of risk exposure for particular initiatives and align risk management efforts with its resources. A low-risk tolerance will most likely require additional funding to protect the organization from a disruptive event.
Determining risk tolerance also helps an organization balance potential risks and the costs of managing them. In some cases, the organization may decide that potential losses or risk events wouldn’t significantly hinder its operations.
Desired outcomes
What an organization hopes to achieve goes back to its goals or mission. How might certain risks sidetrack those outcomes? What does the organization need to do to minimize negative impacts?
Risk management strategies
A risk management plan includes the strategies an organization needs to take to prevent a risk event — a risk that fulfills its potential and causes disruption. The plan should also include what the organization needs to do if a risk event occurs.
In developing a risk management strategy, an organization needs to identify vulnerabilities and potential threats, how likely they are to occur, how damaging they could be to the organization, and what forms of mitigation would be needed should they happen.
For many businesses, a major source of risk is their supply chain. This risk became all too clear during the pandemic when lumber, steel, and semiconductors became difficult — and costly — to obtain. This situation proved to many businesses that they needed to have contingency plans should their supply chains become snarled again in the future.
There are some dangerous risks, of course, that an organization will want to prevent from happening. Whether the organization is a business, a nonprofit, or a government agency, it will want to stop fraudulent activity before it happens and seek to establish actions and strategies to prevent it. For businesses, that activity could originate from vendors, customers, and subcontractors, not to mention cybercriminals.
For nonprofits and government agencies, fraudsters may include people seeking to get public benefits under false pretenses. The organization can implement processes and protocols to reduce the chances of an unwanted risk event, such as heightened cybersecurity to protect sensitive data. Where feasible, the organization may be able to buy insurance to cover the costs of a potential risk event — this is called risk transfer or risk outsourcing.
Whatever the organization, it should consider the following strategies as part of its risk management plan.
Using key risk indicators
A key risk indicator (KRI) is a metric that measures not only how likely a particular risk event could be but also how seriously it could impact the organization’s operations. KRIs typically fall under the categories of people, processes, and technologies.
In the people category, examples of KRIs include measurements of the effect that the loss of key employees could have on operations. They can also measure similar effects for fraudulent activity by outside parties such as vendors and clients. Process KRIs can measure operational objectives such as production and sales levels — and the factors that might disrupt them, such as supply chain snarls. KRIs for technology can focus on cybersecurity objectives and other data protection measures, identifying when these protective measures fall below safe optimums.
Assembling a list of KRIs can also overlap with developing a risk assessment matrix. Both are valuable tools for identifying and evaluating risks.
Mitigation planning
Most organizations can’t avoid all risks; some are simply unpredictable. For instance, a reliable vendor or customer can suddenly stop delivering services or paying bills. An innovative fraudster might find a way around a seemingly impregnable cybersecurity system.
Unpredictable risk is where mitigation comes in — this is the set of responses intended to reduce the harm of a risk event should it occur. The organization should have a response plan before a risk event occurs. This plan could include business backup plans — in the case of a hurricane or other disaster — media crisis management, and other forms of risk response that will vary depending on the organization’s business or mission.
The organization will also want to determine whether some risks simply aren’t worth preventing, which goes back to the idea of risk tolerance. In some cases, the potential harm of risk is so low that the costs of avoiding it would be too high. In those situations, the damage the event might cause would be less damaging to the organization and its finances.
Ongoing monitoring
Ongoing monitoring is the process of keeping tabs on potential risks. It also involves determining whether prevention and mitigation processes are working the way they’re intended. An organization needs to continually monitor its risk management plan since the sources of risk are ever changing. That’s certainly true in the realms of technology and regulation, but talent pools and processes also change and evolve. Organizations need to prepare themselves for disruptions to their business models and hiring practices, as well as data breaches and natural disasters.
Many organizations also need to monitor media coverage. This is required in order to manage crises and anticipate risk events and — for certain types of businesses — to prevent fraud. For instance, a financial institution will want to avoid doing business with customers or vendors sanctioned by regulators or law enforcement. Advance media screening can help identify these bad actors and thus protect the institution from massive fines and reputation damage.
Risk management policies
An effective policy framework for managing risk includes policies, processes, and procedures designed to reduce or eliminate potentially damaging risks. The content of this framework should be clearly and specifically written, with the duties and responsibilities of those in the organization involved with risk management spelled out. The plan should include regular reports to senior executives — and the board of directors if the organization has one — about how various risks are being managed.
If possible, an organization should establish a dedicated risk response team that oversees all aspects of risk management. An organization can maximize its risk management program’s effectiveness by promoting it throughout all the departments with potential vulnerability to risk. For businesses, this typically includes sales and marketing, finance, IT, and product development; the departments involved should collaborate on risk management strategies. A risk management plan won’t be fully successful unless there is buy-in throughout the organization. Departments must collaborate and share information since risk is rarely “siloed.”
To further strengthen the risk management plan’s effectiveness, the organization should consider engaging all its stakeholders to establish and maintain the plan. Those stakeholders will vary from organization to organization. They might include not only employees but also clients, business partners, and vendors, as well as investors and regulators. Getting stakeholders’ input can be particularly useful in identifying and assessing risk since they can reveal possible threats the organization itself hadn’t considered. They also can help establish effective mitigation strategies.
It’s essential to keep a risk management program flexible. The organization should review its list regularly and establish contingency plans for new and unforeseen risks — once a year is a good rule of thumb, although larger organizations with more exposure to risk should conduct updates more often.
It should also be clear that effective risk management requires time and money resources. Not every organization is in a position to devote these kinds of resources to a risk management plan, but it will need to weigh both costs and benefits. A risk event could cost the organization more than the upfront expense of establishing effective risk management policies.
Compliance, risk, and governance
A growing source of risk for many enterprises involves the areas of governance and compliance. Compliance risk became front and center for many enterprises thanks to the financial crisis of 2008 and 2009. As a result, a risk management plan for governance and compliance has become crucial as government regulations increase and evolve. If an organization isn’t meeting regulations involving its operations, it exposes itself to potentially massive monetary penalties and other sanctions. In addition, investors are demanding greater corporate transparency. The growth of third-party relationships can open an enterprise to new forms of risk.
A compliance and governance risk management plan must track pending legislation, proposed rules, enforcement actions, and public comments from regulators to detect future risks and concerns. The organization then should prepare for what moves it might need to make in response to regulatory changes.
A successful risk management plan is integrative — that is, it crosses several aspects of the enterprise’s operations — which is notably true when it comes to corporate governance. It requires each department, particularly human resources, IT, and finance, to collaborate on information related to risk. It also requires clear and frequent communication with top executives, the board of directors, and investors regarding how risk is being managed.
Utilizing risk management tools
We’ve explored vital techniques and strategies organizations can incorporate in their risk management plans. While human judgment and input remain paramount, the complexity of risk management means that digital technology can play a crucial role in an effective risk management strategy. Technology solutions could also reduce the costs of maintaining a risk management plan.
Most corporate compliance and risk departments are already using software platforms to help them manage governance and regulatory risk. For organizations of all kinds, the digital tools of the future will be incorporating artificial technology (AI). AI’s ability to learn and improve will make it increasingly valuable for managing risks in numerous areas, including fraud, cybersecurity and data protection, governance, and finance, among many others.
For instance, the growing frequency, complexity, and sophistication of cyberthreats make enhanced defense capabilities necessary. AI-powered tools can provide advanced threat detection, predictive analytics, and real-time monitoring. Banks and financial institutions can use AI to analyze large data sets and establish more effective controls to prevent or mitigate the risks that data reveals.
An effective risk management plan is increasingly essential for organizations of all kinds — the organization needs to have a clear picture of all the possible risks it might face. A good plan also needs to anticipate events that might seem unlikely — but still could disrupt the organization, perhaps fatally. It’s an approach that requires the participation of everyone in the organization. As risk management becomes increasingly complex, the organization should explore new tools that can boost the plan’s chances for success.
Turn your strategies into action and protect your organization from fraud and risk with this customizable risk assessment tool