Here’s an example of how you might already be practicing risk management at home:
Here’s an example of how a business risk might be managed:
Step 1: Identifying Risk
Risk is anything and everything that can harm the value of a business.
From floods to firewall breaches, it is crucial to cast as wide a net as possible when creating an inventory of all of the ways in which a business can be harmed.
To bring order to this daunting and unwieldy task, risk management professionals use databases and tools designed to help capture the broadest set of potential risks.
This data set is then qualified with respect to the underlying business on the basis of likelihood, damage potential, and a variety of other characteristics.
The qualification process is perhaps the most crucial step in the workflow, and the value of its outcome depends on the qualifier’s understanding of the underlying business, experience in managing risk, and overall business judgment.
Step 2: Developing Controls
Once an inventory of relevant risks has been established, the next step in risk management is to develop controls for the identified risks.
Controls, simply put, are resources, processes and protocols which businesses can use to mitigate risk.
Risk controls can vary in several ways, including, but not limited to, cost, complexity and resource requirements.
Developing effective risk controls is an intricate and highly customized process. What may be an effective risk control for one business may prove unfeasible, and therefore ineffective, for another.
A risk management practitioner must have intimate knowledge of the underlying business, particularly with respect to its capabilities and constraints. Likewise, the practitioner must have significant experience and sound judgment in order to develop controls which are actionable by the underlying business.
Step 3: Building A Program
Once risks have been identified and controls have been developed, it is incumbent upon a business to systematize the separate risk-and-control fragments into an overarching infrastructure, also known as a risk management program.
A successful program will involve the deployment of both human capital and IT resources to ensure that the business successfully manages risk on an ongoing basis.
A successful program can be flexible around the needs and constraints of the underlying business. Success does not always require the acquisition of new human capital and/or IT resources for the sole purpose of managing risk. While such acquisitions, together with the establishment of a standalone risk management unit, are often the solution for larger enterprises, smaller businesses may successfully build effective risk management programs by leveraging their existing resources and business units.
A successful program, however, must have management buy-in and sponsorship, regardless of the size or type of the underlying business. Success for a risk management program hinges upon whether the principles and processes of the risk management program are espoused by functional units throughout the business. Without the visible and enduring support of top-level leadership, commonly referred to as “tone from the top,” it is impossible for risk management to become a part of any company’s culture. The only successful risk management programs are those which are embraced by staff at all levels of the underlying business.
A competent risk management practitioner must not only be able to design and deliver human capital and IT resource plans, but also be able to secure support among senior leaders for the development and deployment of a risk management program within their business.