Mitigate Enterprise Risk & Identify Opportunities
by Rudi Scheiber-Kurtz, CEO of Next Stage Solutions, Inc.
Lots of literature is available out there discussing the management of Enterprise Risk, the process and the quality of Enterprise Risk Management (ERM) programs. We also know that there is a direct correlation between mitigating risks in a systematic way and increasing the value of your business as your market value is based on replacement cost.
Our RudiTuesday topic this month is Enterprise Risk and the two kinds of risks:
External Risks and Internal Risks.
An important caveat is to view risk as a comprehensive, cross-functional exercise. Typically your CFO is your risk manager in a midmarket business and can lead the integration of an ERM program and tie it to your strategic activities. The risk information is provided through financial metrics and through a process which manages, measures, monitors and reports risks in a holistic view across the organization. Software for the management of risk is available; however it should be considered a tool and not a solution.
Start with a structured Risk Assessment and demand transparency across the organization. Business decisions tied to business strategies reduce surprises and the upside to Enterprise Risk will be that the process will inevitably identify opportunities. Determine your appetite and tolerance for risk which varies from business to business. Your CFO should operate as Risk Advisor rather than as the Risk Compliance Police to focus on changing the mindset from mitigating risk to identifying opportunities. A proactive risk management will reduce your financial losses. The important lesson is to find a balance between taking too much risk and not enough risk. Not taking enough risk means losing opportunities and your competitive edge. For example, what is an acceptable Employee Turnover Rate? Establish this rate and act on it when you divert from the acceptable level. Risks are typically measured in terms of Impact.
The metrics typically used are Leading Indicators, Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). In all three metrics, identify both external and internal risks and incorporate them onto your dashboard. Quantify all identified activities by tracking the risk losses and avoided losses. This will enable you to better and more accurately estimate future risks. Understanding leading indicators gives you the ability to anticipate risk before it happens. Always ask: How big is the risk? How often will it apply? Quantifiable measures are more accurate than an intuitive guess.
Consider mapping out your event categories in terms of risks. External Risks to your business are economic, natural disasters and political whereas Internal Risks are infrastructure, personnel, process and technology. Take these event categories and map them by level of risks:
unlikely, likely or certain.
Then add the level of impact of each event:
minimal, moderate and critical.
This creates a portfolio view of risks for current and future decision-making. Look for a concentration of risks and put in place adequate responses and actionable steps to mitigate or eliminate these risks. This important diligence work will also inform you the effect each single event can have on your business. Do you have the right controls in place? Do you have adequate transparency of the opportunities and pitfalls?
Anticipate all new risks with strong leadership around the risk assessment process. The business world is always changing and uncertainties are here to stay. At minimum, concentrate on what you have the power to change internally and then have a Risk Assessment Program to manage the external risks.
The cross functional approach and transparency are two key factors in creating a meaningful Risk Assessment Program. Business objectives need to be tied to key value drivers to ensure relevance. Work it like a SWOT analysis. Be aware of the hidden internal risks.
Check out the RudiTuesday Video that focuses on key hidden internal risks and how to avoid them. They pose a real threat
to the overall health and competitiveness of your business if not identified regularly. Ask yourself: What are the risks of NOT having an ERM process?