How much risk is too much risk? That’s a central question for risk managers and their bosses in the C-suite. It’s also the question that underpins the practice of risk management, which is all about identifying, evaluating, and determining the risks your company is exposed to and coming up with the policies, processes, and procedures to manage those identified threats.
But what if you can’t? It’s well-nigh impossible to run a company with no risk. Plus, by most objective metrics, the wider business environment is getting more, not less volatile, especially with the emergence of new risks types, like cyber data risk, greater focus on reputational risk, and regulatory changes in occupational health and safety.
For their part, risk scholars Howard Kunreither and Michael Useem point to a number of important, cross-industry trends exacerbating business risk across the globe: growing interdependency, shorter-term (management) thinking, increased regulation, greater geographical clustering, higher probability of systemic shock, and new calls for transparency, spurred on by advances in information and communications technology.
Macro factors aside, even if you could identify every single risk, controlling (let alone eliminating) all of them would be cost- and resource-prohibitive, a cost-benefit ratio too heavily tilted toward cost.
Nor are limited resources for controlling risks the only risk management challenge. Just the sheer pace and volume of change are overwhelming risk teams. And if their systems and processes were disjointed, disconnected, and predominately manual to begin with (and many were), you can bet that now they’re thoroughly incapable of preventing risks from turning into major incidents. The result: a lack of a comprehensive, integrated approach to risk management.
How does it play out? For starters, teams often don’t have the internal (communications) tools they need to properly integrate a knowledge base of risk into their systems for managing risk. Managers, then, don’t get full visibility into companywide risk. Instead, they are limited to a fragmented view of (section-specific) risk. A lack of a consolidated view into companywide risk that yields the following consequences:
- Proliferation of team-specific processes to identify, assess, manage, monitor, and report on risk, despite high probability of contagion between business lines.
- Teams are less able to identify priorities that will help them stay ahead of risk.
- Ultimately, processes become even more reactive and less effective.
Another risk management challenge that even bedevils risk teams who deploy best-practice processes: the fact that the surfeit of emerging risks usually magnifies major skills and capabilities gaps within enterprise.
We highlight these roadblocks to risk management because the cost of ineffective risk management is high, usually too high for businesses to pay. Get risk management wrong, for instance, and your business might suffer from workplace injuries and accidents, productivity loss, damaged assets and products, even significant financial penalty. Just the cost of an on-the-job accident can add up quickly, as companies then have to pay to train replacements, repair equipment, incur higher insurance premiums, while also losing time, prestige, and sacrificing employee morale. Want to surmount these common risk management challenges? Download our introductory guide to find out how.
Edward Cho, Exploring Barriers to Effective Risk Management Through a Proposed Risk Governance Framework
Howard Kunreuther and Michael Useem, Mastering Catastrophic Shock: How Companies Are Coping with Disruption
Occupational Health & Safety Magazine, Risk Management in the Workplace: What You Should Know
For additional content on risk management and more, follow @teamnoggin on Twitter