What are the biggest issues in risk management today? How do you expect them to evolve in the future?
There are a couple of issues in terms of risk management we see most often.
1. A lack of risk decision making structure and lack of accountability for risk decisions in an organization. Almost every business executive is comfortable with risk decision making, however, in many cases the right people aren’t making those decisions. In many cases, big risk decisions are being made too low in organizations, with people who aren’t incentivized to make the right decisions for the organization. For example, a project manager may accept a large information security risk that can lead to compliance and reputational issues simply because they only thing they get incentivized on is getting the new product out the door. However, the executive in charge of the business unit, accountable for sustained results may make a very different decision.
Organizations need to develop a structure so that the important risk-based decisions are made by the right people, those who are accountable for the impacts – good or bad. This typically means some kind of risk governance structure that defines what decision making powers each level of the organization has and an oversight structure and escalation path for those risks that need monitored or managed higher up in the food chain.
2. The lack of meaningful risk assessment process. There are organizations that consider risk management something they have to do from a compliance standpoint who conduct superficial risk assessments. Others just don’t have the right skills to develop a meaningful risk assessment process. A meaningful process enables the identification of risks based on the goals of the organization and describes those risks in business terms either qualitatively or qualitatively through a common risk taxonomy. Enabling risks to be compared as apples-to-apples is extremely important for decision makers who need to be able to allocate resources across complex organizations. In terms of risk assessment effectiveness, organizations who take a control based approach to risk assessment are often missing the business context required to make the right decisions.
There’s a common approach of “I’ve compared myself to a best practices list and anything I am missing must not be a risk” which misses the point. The best practices should be adopted as controls to manage the risks you’ve identified. Taking a list and just applying it wholesale means you’re likely not going to be spending your money in the controls you need to manage your real top enterprise risks and overspending in areas for small gains in risk mitigation. A true, goals-based risk management strategy facilitates a more effective allocation or risk mitigation resources and sometimes even saves money!
3. A lack of an open, risk -ware culture. In order to build a culture where business managers are willing to be transparent to their executives, the executives have to be careful to craft the kind of culture that fosters this transparency. Open dialogs about concerns, risks, and trade-offs necessary without “shooting the messenger” are often missing in organizations that lack effective risk management.
What are the first steps in figuring out how to develop a risk management plan for a medium-sized organization?
The obvious, and very true, answer to this is to perform a real, goals-based risk assessment where the organization looks at its long term strategies and goals as well as operational necessities and identifies those threats which may cause uncertainty.