Risk Management 101

A Brief Introduction To Professional Risk Management

Introduction

If you’re in a leadership or management role in business but are unfamiliar with how business risk management works, don’t worry; you’re far from alone.

Companies tend to focus solely on expansion and market share capture as targets for generating enterprise value, because there’s a whole plethora of metrics, statistics and figures with which to measure success or failure. And who doesn’t love a good quantitative measurement? From the perspective of shareholders and Boards of Directors, these represent easy ways to measure the performance of management, justify increased compensation, and so on. This way of thinking, in and of itself, isn’t at all wrong.

The problem is when it dominates boardroom and management discussion spaces to the exclusion of anything else.

Risk management, conceptually, is about ensuring the resilience of growth and profitability. Put another way, it’s about increasing the probabilistic likelihood of growth and profitability reoccurring, over and over and onwards into a company’s future.

The “how,” at a high level, is about anticipating and pre-emptively counteracting, to the extent possible, anything that would pose a threat to that growth and profitability. And, likewise, it’s about planning for and executing in situations where such threats nevertheless materialize.

There’s a natural aversion to doing this in business. It’s the same as the natural human aversion to talking about problems. But if there’s anything that recent history has taught us, it’s that we ignore looming threats to value at our own peril, both as a society, and as individual people and businesses.

We’re here to change that. And it’s in that spirit that we present to you our “Risk Management 101,” as a means of quickly and efficiently training up business leaders and managers on the fundamentals of professional risk management in business.

What is business risk management?

Let’s start with something we know: what is risk management? In the course of our everyday lives, risk management is something we do constantly. It’s that touch over our pocket to make sure we didn’t forget our wallet. It’s looking both ways before crossing the street. It’s that call to a loved one to make sure they got home safely. In the day-to-day, we’re all managers of risk.

When it comes to business, things get a little bit more complicated. 

Business risk management is the process of identifying and rating the scope of risks to which a business / its operations are exposed, assessing the control environment within that business for each identified risk, and conducting remediation efforts on the control environment, in order of criticality, for open risks for which controls are inadequate or lacking entirely.

Finding yourself thoroughly confused? Don’t worry; keep reading.

How do businesses deploy risk management within their organizations?

The process and “work” of professional business risk management is generally performed by a dedicated and centralized risk management function or business unit. The composition of such a unit varies depending on the size, scope, and capabilities of the underlying business.

For instance, at a large public company, we’d expect to see a dedicated risk management function helmed by a Chief Risk Officer (“CRO”), with significant headcount broken down into generalists and specialists in various areas of risk and the deployment of state-of-the-art technological resources aimed at augmenting the organization’s risk detection and monitoring capabilities.

For companies at smaller scales and scopes of operation, the above resource deployment might be out of reach. However, instead of defaulting to zero, risk-smart organizations find ways to activate similar competencies on a resource-light basis. For startups, this should be particularly true, as, after all, this is precisely what startups do.

In startups and smaller companies, we tend to find CEOs or COOs taking on the mantle of interim-CRO. Instead of dedicated risk management staffing, line-level managers of the company’s various business units take on primary risk management responsibilities for various areas of risk, tending to generally correspond with their ordinary roles and responsibilities within the business. For instance, CTOs generally become the lead on cybersecurity-related risks, heads of human resource departments get tasked with managing workplace-related risks, and so on.

In terms of oversight and management, a CRO typically reports to either the General Counsel or the CEO in the context of a large organization. As discussed, with respect to smaller organizations, the CRO might well be the CEO until the organization grows in size and scope. Nevertheless, in either case, for organizations large and small, it is vital that the title in charge of the organization’s risk management (whether CRO, CEO, or otherwise) have a direct reporting line into either the company’s Board of Directors or an official Board Committee thereof specifically formed for the purpose of overseeing the company’s management of business risk.

How does a business risk management function actually work?

At the core of a successful business risk management function is its ability to accurately capture and assess a business’s risk exposure on as comprehensive a basis as possible and practicable. From employee litigation to cybersecurity, regulatory compliance to fraud prevention, the risks posed to companies in the ordinary course of business seem entirely too big to manage. (Hint: they aren’t.) It’s this sort of thinking, however, that leads businesses to ignore the deployment of professional risk management and instead “deal with it as it comes up.” If that doesn’t sound like an actual business strategy, here’s another hint for you: it isn’t.

But spending what’s surely a massive amount of time itemizing a business’s risk exposure generally doesn’t seem like a good use of time in the minds of business leaders and managers. After all, risk scoping, when done properly, is a highly detailed, laborious, and time-consuming process. At most companies—and particularly at startups—leadership and management teams simply don’t have the bandwidth to do it all on their own. But the often missing—and in our minds, critical—next step is to figure out how to get it done on a time-efficient, and cost-effective, basis.

That’s where our industry comes in. Consulting firms operating in the field of business risk management have been working with companies for decades, helping them to assess their various exposures to risk and creating comprehensive catalogues of the same. From a time perspective, this works great for business leaders and managers. From a cost perspective, however, it so often does not. Consulting firms, particularly large ones, are expensive.

And this, folks, is specifically where we come in. Titan Grey was founded as a startup in the risk management consulting space specifically to take the business of professional risk management consulting and offer it to clients at a fraction of the cost of engaging a large consulting firm.

Our reasoning is pretty simple: the companies that need risk management the most are precisely the companies who, typically, can’t afford it. These companies? Startups, and other high-growth / innovation-focused companies. With business operations often running on a knife’s edge, with success or failure of the entire company as a whole hinging on the next weeks, months and quarters of stable operation, these companies specifically cannot afford to stomach a disruptive risk event. And without cost-effective risk management solutions, the fate of these companies is to shut their eyes and pray that nothing bad happens.

Sounds familiar? Sounds terrible? We agree. And that’s why we’re here.

But more on that later. For now, let’s return to how professional business risk management works…

What is a risk management dashboard?

So, once a business has captured and documented all of the various ways in which it’s exposed to risk, is that it? Is risk management done? No. All that is, is just a big scary list. The management aspect of risk management is what comes next, namely, what to do with that list.

Once a risk set has been captured, the next step is to create a rigorous (and quantitative, when possible) scoring system to evaluate both the likelihood of a risk event occurring, and the severity of harm to which the business would be exposed should that risk event occur. In our industry, we refer to this as a “criticality matrix.” And it’s based on that matrix that we prioritize efforts to create or augment risk controls.

What is a risk control?

In its simplest form, a risk control is something that deters or attempts to prevent a risk from occurring, and, in many cases, also mitigates the potential harm posed by that risk.

For instance, with respect to, say, the risk of employee litigation arising out of workplace sexual harassment, having a written policy on sexual harassment would be an example of a control. The effectiveness of the control can also vary. How good is the policy? Is it customized for the needs of the business or is it something “off the shelf” and not at all specific? Furthermore, are employees required to read it? How about attest to having read it? Are those attestations captured and stored somewhere? And who audits those records to make sure there’s nothing missing? And what about actual prevention training for employees? And potential legal requirements to have it?

That might seem like a lot to manage, and that’s just one risk. Turning all of that into a workable framework, and applying it to the entire risk set, is the primary objective of professional business risk management. And after decades spent at the task, the risk management industry has various standards, frameworks, and methodologies for doing just that.

How are risk controls documented and monitored?

Congratulations. You’ve now arrived at the core of what business risk management is. When developed and deployed by professionals, a business risk management program will involve an assessment, augmentation, documentation, and monitoring framework that’s customized specifically to fit the needs and capabilities of the underlying business organization. Is it complicated? Sure. Overwhelming? It doesn’t have to be. We work with clients to craft risk management solutions designed to fit their stage of growth, staffing and operational capabilities. For organizations at varying stages of development, the design of a workable and effective risk management program will vary significantly. When seeking to establish a risk management program within your organization, it’s extremely important to ensure that, no matter what, the program is going to mesh well with the day-to-day ways in which the organization conducts business. Risk management programs succeed or fail depending on the effectiveness with which they’re deployed within a business, and ensuring that a program is closely tailored to a client’s business operations is of the highest priority in our work.

At large financial services organizations, for instance, one would typically expect to find risk controls organized into three lines of defense (“LoDs”). In such a system, the 1st LoD would be the front-line business unit, utilizing desktop policies and procedures to govern employee conduct and overseen by the manager or leader of that business unit. The 2nd LoD would be a compliance department function or group tasked with overseeing the business unit’s compliance with the policies and procedures, as well as augmentation / remediation of those documents on an as-needed basis. The 2nd LoD would also be tasked with developing and deploying training for front-line employees, and capturing attestations regarding having received the same. The 3rd LoD would be an internal audit function tasked with assessing the effectiveness of and adherence to the systems deployed in the 1st and 2nd LoDs and preparing reports regarding the same. And, it should go without saying, this is a high-level simplification of what should be, at each stage, a rigorous and often complex process. Nevertheless, even at a high level of abstraction, this framework doesn’t always work for organizations operating at smaller scales and/or in other industries. And that’s perfectly okay.

In working with smaller organizations—particularly startups—we at Titan Grey tend to focus first on four facets of which any particular risk control may be comprised. These are: people, processes, documents and technologies.

For any given risk, there are controls that may involve an organization’s people, its day-to-day business processes, its documentation (such as its policies and procedures), and the availability of technological solutions. Assessing controls based on these facets is an essential first step in establishing a comprehensive control-state assessment (or “CSA”) of the business.

Over a series of meetings and collaborative discussion with an organization’s leaders and management, we’re able to present a CSA, identify critical areas of risk, establish augmentation priorities and planning, and deliver an oversight dashboard that is both comprehensive and manageable given the organization’s specific staffing and capabilities.
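As an added illustration (not Titan Grey’s code or methodology), the following Python sketch scores a small constructed risk register on a likelihood-by-severity criticality matrix, assesses each risk’s controls across the four facets named above, and produces the remediation queue the definition earlier on this page calls for: open risks, ordered by criticality. The 1 to 5 rating scales, the control-state labels and the sample risks are assumptions of the example.

```python
from dataclasses import dataclass

# Ordinal scales for the two axes of the criticality matrix.
# The 1-5 scales are an assumption of this example; the page prescribes none.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The four control facets named on the page.
FACETS = ("people", "processes", "documents", "technologies")

# Control-state labels (assumed): "none" = lacking entirely,
# "partial" = inadequate, "adequate" = no remediation needed.
OPEN_STATES = {"none", "partial"}
VALID_STATES = OPEN_STATES | {"adequate"}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    severity: str
    controls: dict  # facet -> control state


def criticality(risk: Risk) -> int:
    """Cell of the criticality matrix: likelihood rank times severity rank."""
    try:
        return LIKELIHOOD[risk.likelihood] * SEVERITY[risk.severity]
    except KeyError as exc:
        raise ValueError(f"{risk.name}: unknown rating {exc}") from None


def control_gaps(risk: Risk) -> list:
    """Facets whose control state is inadequate or lacking.

    A facet absent from the assessment is treated as lacking entirely, so an
    incomplete control-state assessment surfaces as a gap rather than as a pass.
    """
    gaps = []
    for facet in FACETS:
        state = risk.controls.get(facet, "none")
        if state not in VALID_STATES:
            raise ValueError(f"{risk.name}: unknown control state {state!r} for {facet}")
        if state in OPEN_STATES:
            gaps.append(facet)
    return gaps


def remediation_queue(register: list) -> list:
    """Open risks (at least one facet gap), ordered by criticality descending.

    Ties are broken by number of gaps, then by name, so the order is deterministic.
    Returns (name, criticality, gaps) tuples.
    """
    rows = [(r, criticality(r), control_gaps(r)) for r in register]
    rows = [row for row in rows if row[2]]  # drop risks with adequate controls
    rows.sort(key=lambda row: (-row[1], -len(row[2]), row[0].name))
    return [(r.name, score, gaps) for r, score, gaps in rows]


# Constructed sample register for a small company (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Workplace harassment litigation", "possible", "major",
         {"people": "partial", "processes": "none",
          "documents": "adequate", "technologies": "adequate"}),
    Risk("Ransomware outage", "likely", "severe",
         {"people": "partial", "processes": "partial",
          "documents": "none", "technologies": "partial"}),
    Risk("Payroll fraud", "unlikely", "moderate",
         {"people": "adequate", "processes": "adequate",
          "documents": "adequate", "technologies": "adequate"}),
    # Assessment left two facets unrated; they are reported as gaps.
    Risk("Regulatory filing lapse", "possible", "moderate",
         {"people": "adequate", "documents": "partial"}),
]

if __name__ == "__main__":
    for name, score, gaps in remediation_queue(SAMPLE_REGISTER):
        print(f"{score:>2}  {name}: remediate {', '.join(gaps)}")
```

The printed queue is the “big scary list” turned into an ordered work plan; a fully controlled risk (payroll fraud in the sample) drops out of the queue but stays in the register for monitoring.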

Conclusion

When it comes to risk management, we aim to see a world in which businesses of all sizes and scopes can operate more successfully, with increased stability and long-term viability across the board. These are broad ambitions, we know.

For us, our focus is on our clients. Helping the organizations we’re privileged to work with become better managed, more risk-aware, and safer is our reason for doing what we do, day in and day out.

We look forward to connecting with you and your business, and to exploring together the ways in which we might be able to help.
