Risk Management

Defining Risk Management and Exploring Its Significance


Risk management encompasses a strategic process through which an organization identifies, evaluates, and exerts control over potential threats that could impact its financial assets and earnings. These risks emanate from diverse origins, including uncertainties in finances, legal obligations, technological challenges, missteps in strategic planning, unexpected incidents, and forces of nature.

The significance of a robust risk management program lies in its ability to equip an organization with the means to comprehensively grasp the array of risks it confronts. Additionally, it delves into the intricate relationship between these risks and their potential far-reaching consequences, capable of influencing an organization’s overarching strategic objectives.

This comprehensive approach to risk management often goes by the name of enterprise risk management (ERM), due to its focus on proactively identifying and understanding risks across the entire organizational landscape. In addition to addressing both internal and external threats, ERM goes a step further by recognizing the importance of managing positive risks. Positive risks represent opportunities that can augment the value of a business, but if neglected, they could also lead to detrimental outcomes. It is important to recognize that the core aim of any risk management initiative is not the total elimination of risk, but rather the preservation and augmentation of enterprise value by making informed and astute risk-related decisions.

Forrester Research’s esteemed senior analyst, Alla Valente, who specializes in governance, risk, and compliance, aptly stated, “We don’t manage risks so we can have no risk. We manage risks so we know which risks are worth taking, which ones will get us to our goal, which ones have enough of a payout to even take them.”

In essence, a risk management program should be intricately interwoven with an organization’s overarching strategy. To establish this connection, leaders in risk management must first establish the organization’s risk appetite – that is, the extent to which the organization is willing to tolerate risk in order to achieve its strategic aims.

The subsequent challenging endeavor involves the determination of “which risks align with the organization’s risk appetite and which necessitate additional safeguards and measures before they can be deemed acceptable,” as elucidated by Mike Chapple, a distinguished professor at Notre Dame University specializing in IT, analytics, and operations. Some risks may be accepted without the need for further intervention, while others may be mitigated, shared with external parties, transferred, or even avoided altogether.

Every organization faces the inherent threat of unforeseen adversities that can lead to financial losses or even business closure. However, refraining from undertaking risks can also pose its own set of challenges, as evidenced by the disruption faced by traditional enterprises in the wake of digital giants like Amazon and Netflix. This comprehensive guide to risk management offers a panoramic view of the fundamental concepts, prerequisites, methodologies, trends, and ongoing discussions that shape this dynamic domain. Throughout the guide, embedded hyperlinks direct readers to additional TechTarget articles, which delve deeper into the intricacies of the subjects touched upon here, making it imperative for readers to explore these resources for a more profound understanding.

The Significance of Risk Management in Modern Times

The importance of risk management has never been more pronounced than it is in the current landscape. The complexity of the risks modern organizations encounter has been amplified by rapidly growing global interconnectedness. Emerging risks continuously surface, often intertwined with and propelled by the widespread adoption of digital technology. Risk experts have labeled climate change a “threat multiplier,” intensifying the challenges businesses face.

A recent example of an external risk, demonstrated by the supply chain disruptions in various companies, is the COVID-19 pandemic. This crisis swiftly transformed into an existential threat, impacting not only the physical well-being of employees but also the very foundations of conducting business, customer interactions, and corporate reputations.

Swift adaptations were made by businesses to address the pandemic’s threats. However, looking ahead, novel risks present themselves, such as decisions regarding employees’ return to physical offices, fortifying supply chains against vulnerabilities, the specter of economic downturns, and geopolitical tensions like the conflict in Ukraine.

Amidst these ongoing challenges, organizations and their boards of directors are revisiting their risk management strategies. They are reevaluating their exposure to risks and scrutinizing their risk mitigation processes. The scope of who participates in risk management is being reconsidered. Enterprises that previously adopted a reactive stance towards risk management – countering historical risks and altering practices post-harm caused by new risks – are now contemplating the competitive advantages of a proactive approach. A heightened emphasis is being placed on fostering sustainability, resilience, and enterprise adaptability. Organizations are also exploring the potential of artificial intelligence technologies and sophisticated governance, risk, and compliance (GRC) platforms to enhance risk management effectiveness.

Distinguishing between Financial and Non-Financial Sectors

When discussing risk management, experts often highlight that in industries with heavy regulations and where risk is an intrinsic part of the business, risk management takes on a formal role.

Institutions such as banks and insurance companies have long maintained extensive risk departments, often overseen by a Chief Risk Officer (CRO) – a title still relatively uncommon beyond the financial realm. Furthermore, the risks these financial entities confront are often quantifiable, rooted in numerical data, and amenable to analysis using established technologies and methods. Financial risk scenarios can be modeled with a degree of precision.

Contrasting Traditional Risk Management with Enterprise Risk Management

In the current discourse, traditional risk management often finds itself overshadowed by the more comprehensive approach of enterprise risk management (ERM). Both methodologies share the objective of mitigating risks that could potentially harm organizations. They both utilize insurance to shield against an array of risks, spanning from fire and theft to cyber liabilities. Moreover, they adhere to the guidance laid out by prominent standards bodies. However, critics argue that traditional risk management lacks the mindset and mechanisms necessary to perceive risk as an integral facet of enterprise strategy and performance.

For many enterprises, the term “risk” carries a negative connotation, which is regrettable, as noted by Forrester’s Valente. She highlights that in ERM, risk is viewed as a strategic catalyst rather than merely a cost associated with business operations.

One significant distinction between the two approaches lies in their nature of implementation: “siloed” versus holistic. In traditional risk management programs, the responsibility for managing risk typically rests with the leaders of individual business units where the risk originates. For instance, IT risk is overseen by the CIO or CTO, financial risk by the CFO, and operational risk by the COO. Although these business units might employ sophisticated systems to manage specific risk types, they can still face challenges by failing to recognize the interconnectedness among risks or their cumulative impact on overall operations. Additionally, traditional risk management leans towards a reactive stance rather than a proactive one.

Gartner’s Shinkman cites the pandemic as a prime example of a risk issue that might be disregarded without a holistic, forward-thinking perspective on potential risks. He emphasizes, “A lot of companies will look back and say, ‘You know, we should have known about this, or at least thought about the financial implications of something like this before it happened.'”

Understanding Risk Exposure and Its Significance

In the realm of enterprise risk management, addressing risk is a collaborative, cross-functional endeavor with a broad outlook. An ERM team, which can be as small as five members, collaborates with business unit leaders and staff to assess risks, employing suitable tools to understand them thoroughly. The collected information is then compiled and presented to the organization’s executive leadership and board. Establishing credibility across the enterprise is essential for leaders in this field.

This new breed of risk management specialists often stems from consulting backgrounds or embodies a “consulting mindset.” They possess an intricate understanding of business mechanics. A departure from the traditional risk management structure is evident in the reporting hierarchy. While traditional risk management typically has the head of risk reporting to the CFO, in ERM, leaders, whether bearing the title of Chief Risk Officer or another designation, report to the CEO. This recognition underscores the integration of risk within overall business strategy.

Forrester Research distinguishes between “transactional CROs,” associated with traditional risk management, and “transformational CROs,” who embrace an ERM approach. The former operate in companies that perceive risk as an expense center and risk management as an insurance policy. Transformational CROs, however, adopt a “customer-obsessed” outlook. They prioritize brand reputation, grasp the comprehensive nature of risk, and define ERM as the “optimal amount of risk necessary for growth.”

While conventional risk management often tends to be risk-averse, Valente points out that companies that describe themselves as risk-averse, with low risk appetites, may be assessing their risk inaccurately. She emphasizes that organizations aiming for growth, launching new products, and valuing innovation are inherently pursuing growth strategies that entail risk.

For an exploration of further distinctions between the two approaches, readers can refer to technology writer Lisa Morgan’s article “Traditional risk management vs. enterprise risk management: How do they differ?” Additionally, her piece on risk management teams offers a comprehensive breakdown of roles and responsibilities.

The Process of Risk Management

The realm of risk management encompasses various frameworks that outline the steps organizations must undertake to effectively manage risk. Among these frameworks, the ISO 31000 standard stands out as a prominent source. Developed by the International Organization for Standardization (ISO), this standard, titled “Risk management — Guidelines,” presents a five-step risk management process suitable for any type of organization:

  1. Identify the Risks: Begin by identifying potential risks.
  2. Analyze Likelihood and Impact: Evaluate the likelihood and potential impact of each identified risk.
  3. Prioritize Risks: Rank risks based on alignment with business objectives.
  4. Treat or Respond to Risks: Develop strategies to address and mitigate identified risks.
  5. Monitor and Adjust: Continuously monitor results and adapt strategies as needed.

While these steps appear straightforward, it’s crucial for risk management committees to comprehend the substantial effort required to complete the process. A solid understanding of the organization’s intricacies is essential. The ultimate goal is to establish processes that identify risks, assess their likelihood and impact, relate them to the organization’s risk tolerance, and determine appropriate actions to safeguard and enhance organizational value.

As risk expert Greg Witte emphasizes, envisioning potential pitfalls begins with recognizing what needs to go right. He underlines that impact defines a risk; something only becomes a risk if it has the potential to cause an impact. This notion applies to both negative and positive risk scenarios.

In the pursuit of identifying risk scenarios, a combination of top-down and bottom-up approaches can be valuable. From a top-down perspective, organizational leadership identifies mission-critical processes and collaborates with stakeholders to identify potential disruptions. Conversely, the bottom-up approach focuses on potential threat sources (e.g., cyberattacks, economic downturns) and gauges their impact on critical assets.

Categorizing risks offers further clarity. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) suggests four categories:

  1. Strategic Risk: Pertaining to reputation, customer relations, and technical innovations.
  2. Financial and Reporting Risk: Covering market, tax, and credit-related risks.
  3. Compliance and Governance Risk: Encompassing ethical, regulatory, international trade, and privacy concerns.
  4. Operational Risk: Addressing IT security, supply chain, labor issues, and natural disasters.

Another categorization approach outlined by compliance expert Paul Kirvan segments risks into four types: people risks, facility risks, process risks, and technology risks.

The risk identification step culminates in recording findings within a risk register. This document serves as a tool to track risks throughout the subsequent steps of the risk management process. A sample risk register can be referenced in the NISTIR 8286A report cited earlier.
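The following is an added worked example, not code from the original article or from any of the standards it cites. It walks a small constructed risk register through the five ISO 31000 steps listed above (identify, analyze likelihood and impact, prioritize, treat, monitor), using the COSO categories as the category field and the treatment options named earlier (accept, mitigate, share, transfer, avoid). The 1-5 rating scales, the likelihood-times-impact scoring rule, the risk appetite threshold of 6, the treatment-recommendation heuristic, and every register entry are assumptions made for this illustration; a real program would treat the appetite and the treatment choice as governance decisions rather than formulas.

```python
"""Risk register walking through the five-step process (constructed illustration)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    """Response options named in the article: accept, mitigate, share, transfer, avoid."""
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    SHARE = "share"
    TRANSFER = "transfer"
    AVOID = "avoid"


SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal 1-5 scales for likelihood and impact


def _check_rating(risk_id: str, value: int) -> None:
    """Reject ratings outside the assumed scale so the register stays comparable."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{risk_id}: rating {value} outside {SCALE_MIN}-{SCALE_MAX}")


@dataclass
class Risk:
    """One row of the risk register (step 1: identify)."""
    risk_id: str
    description: str
    category: str                      # one of the four COSO categories
    likelihood: int                    # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int                        # 1 = negligible .. 5 = severe (assumed scale)
    treatment: Optional[Treatment] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        _check_rating(self.risk_id, self.likelihood)
        _check_rating(self.risk_id, self.impact)

    @property
    def inherent_score(self) -> int:
        """Step 2: analyze likelihood and impact (score = likelihood x impact, assumed rule)."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Score after treatment; equals the inherent score until a treatment is recorded."""
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


def build_register() -> list[Risk]:
    """Constructed sample register; the entries are illustrative, not real data."""
    return [
        Risk("R1", "Ransomware encrypts shared file servers", "operational", 4, 5),
        Risk("R2", "Sole-source supplier becomes insolvent", "operational", 2, 4),
        Risk("R3", "Tax rule change raises reporting cost", "financial", 3, 2),
        Risk("R4", "Flooding at the primary data centre", "operational", 1, 5),
        Risk("R5", "New product misses its target market", "strategic", 3, 3),
    ]


def prioritize(register: list[Risk]) -> list[Risk]:
    """Step 3: rank by inherent score, breaking ties on impact (highest first)."""
    return sorted(register, key=lambda r: (r.inherent_score, r.impact), reverse=True)


def recommend_treatment(risk: Risk, appetite: int) -> Treatment:
    """Step 4 (assumed decision rule): accept within appetite, otherwise pick a response.

    Low-frequency, high-severity risks are the classic insurable ones (transfer);
    a risk that is both near-certain and severe is avoided; everything else is mitigated.
    """
    if risk.inherent_score <= appetite:
        return Treatment.ACCEPT
    if risk.likelihood == SCALE_MAX and risk.impact == SCALE_MAX:
        return Treatment.AVOID
    if risk.impact >= 4 and risk.likelihood <= 2:
        return Treatment.TRANSFER
    return Treatment.MITIGATE


def record_treatment(risk: Risk, treatment: Treatment, residual_likelihood: int, residual_impact: int) -> Risk:
    """Record the chosen response and the expected residual ratings on the register row."""
    _check_rating(risk.risk_id, residual_likelihood)
    _check_rating(risk.risk_id, residual_impact)
    risk.treatment = treatment
    risk.residual_likelihood = residual_likelihood
    risk.residual_impact = residual_impact
    return risk


def monitor(register: list[Risk], appetite: int) -> list[str]:
    """Step 5: ids of risks whose residual score still exceeds appetite and need another pass."""
    return [r.risk_id for r in register if r.residual_score > appetite]


def run_cycle(appetite: int = 6) -> dict:
    """One full cycle over the sample register; residual ratings below are constructed."""
    register = build_register()
    ranked = prioritize(register)
    plan = {r.risk_id: recommend_treatment(r, appetite).value for r in ranked}
    by_id = {r.risk_id: r for r in register}
    record_treatment(by_id["R1"], Treatment.MITIGATE, 2, 4)   # offline backups, segmentation
    record_treatment(by_id["R2"], Treatment.TRANSFER, 2, 2)   # supplier-failure insurance
    record_treatment(by_id["R5"], Treatment.MITIGATE, 2, 3)   # staged launch
    for rid in ("R3", "R4"):                                  # accepted: ratings unchanged
        record_treatment(by_id[rid], Treatment.ACCEPT, by_id[rid].likelihood, by_id[rid].impact)
    return {"ranking": [r.risk_id for r in ranked], "plan": plan, "open": monitor(register, appetite)}


if __name__ == "__main__":
    print(run_cycle())
```

Running the cycle ranks the ransomware entry first, recommends transfer only for the low-likelihood, high-impact supplier risk, and leaves R1 flagged by the monitoring step because its residual score (8) is still above the assumed appetite of 6, which is exactly the signal that sends a risk back through the treatment step.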

Frameworks and Standards in Risk Management

As regulations and compliance requirements have expanded over the past couple of decades, the scrutiny of corporate risk management practices by both regulatory bodies and boards of directors has grown. This has elevated risk analysis, internal audits, risk assessments, and other aspects of risk management to a prominent role within business strategies. To effectively integrate these practices, organizations can turn to the rigorously developed and continuously evolving frameworks within the field of risk management.

Here’s an overview of some of these frameworks, starting with concise descriptions of the two most widely recognized ones. For a more detailed comparison, readers can refer to security expert Michael Cobb’s analysis of ISO 31000 versus COSO, which provides insights into their similarities, differences, and guidance on choosing between them:

  1. COSO ERM Framework: Introduced in 2004 and updated in 2017 to address the growing complexity of enterprise risk management (ERM), the COSO framework defines fundamental concepts and principles of ERM. It proposes a common language for ERM and offers clear direction for managing risks. The framework comprises 20 principles organized into five interconnected components:
    • Governance and culture
    • Strategy and objective-setting
    • Performance
    • Review and revision
    • Information, communication, and reporting
    As highlighted in Cobb’s analysis, COSO’s updated version emphasizes embedding risk into business strategies and establishing connections between risk and operational performance.
  2. ISO 31000: Initially released in 2009 and revised in 2018, the ISO standard presents a set of ERM principles, a framework to apply risk management practices to operations, and a structured approach for identifying, evaluating, prioritizing, and mitigating risks. The newer ISO version is more concise and reader-friendly compared to its predecessor, according to Cobb. Developed by ISO’s risk management technical committee in collaboration with ISO national member bodies, the 2018 standard offers enhanced strategic guidance on ERM. It also underscores the pivotal role of senior management in risk management and the integration of risk practices throughout the organization.

In addition to these two recognized frameworks, there are other valuable resources for implementing risk management:

  • British Standard (BS) 31100: This risk management code of practice, issued in 2011, outlines a process for implementing concepts described in ISO 31000. It encompasses functions such as identification, assessment, response, reporting, and review.
  • The Risk and Insurance Management Society’s Risk Maturity Model (RMM): Recently updated in April 2022, the revised RMM framework enables risk professionals to assess their programs across five categories: alignment with strategy, culture and accountability, risk management capabilities, risk governance, and analytics.

Organizations can also consider crafting frameworks tailored to specific categories of risks. For example, Carnegie Mellon University’s enterprise risk management framework examines potential risks and opportunities across distinct categories such as reputation, life/health safety, financial, mission, operational, and compliance/legal.
