Managers in every organization are responsible for achieving the objectives identified in their organizations’ strategic plan. We commonly think of these as positive outcomes, such as increasing sales, maximizing profits, expanding market share, and the like.
But outstanding leaders know that there are threats as well as opportunities in the environment, and they work to manage these risks just as actively as they seek to maximize gains. For industry-leading organizations, avoiding or minimizing the costs of foreseeable risks is an integral part of the total performance of the organization. Maximizing gain and minimizing risk are two sides of the same coin.
The risk management practices of industry leaders deserve attention. Here are some of the top practices:
1. Risk Management is Integral to the Strategic Plan
The most important thing effective leaders do to manage risks is to make it an explicit part of the strategic plan, and demand buy in from all levels of the organization. Risk management becomes a systematic effort that is pervasive through all operating units, from sales to marketing, supply management to manufacturing, and internal controls. It is given a priority commensurate with its importance, right in line with market expansion or critical support functions. All these functions are explicitly targeted for investment and effort.
To get and retain the visibility it deserves, industry leading organizations assign responsibility for risk management to a C-suite manager, and make it part of that role’s evaluation. In order for the risk management function to matter to an organization, it has to matter to someone whose job is defined by it. This helps to ensure that there is accountability for the performance of risk mitigation tactics and consistency in implementation.
2. Risk Management is a Planned Activity
Good leaders understand that the key to success is channeling the efforts and resources of every unit in the organization to the achievement of its strategic objectives. They use the strategic planning process to define measureable outcomes, but also to communicate organizational priorities to every level. This general approach has to be adapted to the risk management function.
At the highest level, the person in the role responsible for risk management has to initiate the process of defining risk mitigation objectives. This is based on a thorough, objective risk assessment process that occurs in every operating unit. Although the details will vary depending on the organization, there are some basic concepts that are common to all organizations:
Internal controls have to be reviewed for their risk exposure and ability to mitigate those risks. Obvious places for control reviews are in financial, accounting, and IT functions, but these functions permeate the organization from sales to C-suite.
Role-related risks are found in every job. Part of the HR function is to identify these risks, and institute policies to avoid or mitigate them in ways consistent with fair hiring standards. Risks may include exposure to negligence in hiring and retention, discrimination lawsuits, organizational fraud, and poor performance due to hiring people not qualified for a job. In general, the higher the role, the more it can expose the organization to risk.
External relationships impose a wide variety of risks on an organization. Supply chain partners may have access to critical parts of the IT network or to intellectual property. Partners, contractors and vendors may operate—or claim to operate—on behalf of the organization, making the organization liable for activities it does not control. Obviously, customers can be threats if product quality fails, or seems to fail.
Based on the risk assessment, an effective leader will create a comprehensive risk management plan that can be disseminated to unit managers. The next step in the process is to turn the plan into action.
3. Risk is Measured and Managed
Based on the plan approved by the leadership, managers at every level are made responsible for implementing tactics that will aggregate into a risk mitigation strategy. Further, they will define and collect relevant performance data to demonstrate that their actions are connected with desirable outcomes, or not.
Leaders want to review the plan regularly, at least annually, and make adjustments as needed. Organizations’ environments are changing rapidly, and the kinds and levels of risk will change at the same rate. Every internal change—including promoting a person from one role to another with a different risk profile—may be a reason for a revision in that part of the overall risk management plan.
Industry leading organizations know that risk management can never be perfect—risk mitigation means controlling or minimizing risks in the context of appropriate opportunity costs, not totally eliminating them. But they also know that failing to implement systematic risk management plans exposes them to very dangerous threats whose costs can be catastrophic. The smart leader manages threats as well as opportunities.