Typically, the enterprise-level risks that create significant impacts for organizations are what icebergs are to large ships: very visible for a considerable time before they hit, with the majority of the risk not visible above the surface.
Whereas modern, large ships have generally developed substantial protective countermeasures to avoid icebergs, modern, large organizations seem to gravitate towards substantial enterprise-level risks with a frequency that suggests that nobody is on lookout.
In reality, the lookout tower of a typical organization is probably so full of lookouts that the problem is not so much detecting risk, as trying to decipher from the different lookouts what the overall value and meaning of each risk situation really is.
If you think about your own organization, what types of risk get tracked?
- Operational
- Strategic
- Regulatory
- Capital
- Audit
- Safety
- Insurance
- ...
Because each one of these tends to rely on different expertise, they are often managed in isolated silos.
If your organization manages risk in silos, imagine this scenario: on the ship, one lookout is talking about a nice seal he saw sitting on a large iceberg, another is talking about the chance of food poisoning in the crew canteen, a third is discussing a storm that may be encountered in the next few days, whilst another has noticed that a pressure gauge has moved.
Without a common framework or measurement to interpret the lookout information, the news of the iceberg is confused with a heart-lifting story about a seal and the focus turns towards the relative danger of the onboard chef having selected blowfish as the main course in the canteen.
Part of the extended problem is that your various risk managers are seldom (if ever) required to communicate around a common framework. This is often further compounded by the absence of a list of the data you want to collect about the risk. Items like:
- What do we know about the risk?
- What will it cost if it hits?
- Can we take action to avoid or mitigate it?
- How much would the countermeasures cost?
- ...
Some of your individual risk silos may collect data like this, but the communication is in different formats and, frequently, in different meetings. Just to add further confusion, sometimes a different side of the same risk gets reported from different silos.
There is an easy and profitable solution to get your risk experts talking to each other. If similar data has to be gathered for all risks and made available in a single common framework, the risks of significance are suddenly free to rise to the top and the relative investment priorities become apparent.
Enterprise Risk Management collaboration and reporting tools can provide this single framework and pave the way to adding value, yet organizations rarely opt to step away from the spreadsheet approach.
Why?
Think about what most organizations do after a major risk hits: they spend a lot of money on countermeasures to the risk, rather than on improving their risk management capabilities. As a consequence, the original risk is resolved but the next major risk can mature quite nicely.
Although some people would argue that this is a truism (if you could manage your risk, you would be better off!), the fact is that even major organizations often require statistical evidence to support the need to invest in risk management.
A collaborative enterprise risk management approach supports the collection and sharing of data about risk. This can be used to navigate risks, support better portfolio investments and also deliver the (tangible) demonstration of the savings created. The only challenge is that they won’t let you have an effective Enterprise Risk Management tool until you prove its value!
A capable Enterprise Risk Manager (ERM) application (such as our own Adaptive GRC ERM solution) can help to quickly demonstrate the profit and advantages that are created through an enterprise-wide risk management technique.
No longer are potential key risks permitted to remain nebulous and under-defined. Risks become tangible and improved data records demonstrate the financial value of the risk management approach. So, if you want to have a more effective organization, you need an effective enterprise risk management tool to help achieve opportunity and reward, by being better able to tackle downside and danger.