With the global economy in a constant state of flux and cybercrime on the rise, enterprise businesses have to contend with more risk than ever before. And yet, many businesses don’t have a clearly defined process in place to deal with that risk across the entire organization. Sure, individual teams might have risk management tactics in place: your developers might have a robust testing strategy, and your IT staff might be performing continuous monitoring on your infrastructure to prevent downtime, but there may not be anything tying those distinct strategies together. As a result, threats that aren’t managed effectively within their own silos can blindside the company as a whole, leading to lost revenue and the potential for long-term disruptions.
Given all the above, most companies would probably raise their hands if we took a poll of how many people think risk management is important—and those hands would probably stay up if we asked whether that risk management strategy should cover the entire enterprise. This is where enterprise risk management (ERM) comes in. The question is: how should you integrate all of your existing risk-mitigating tactics into an operational process that covers your entire business?
What Is Enterprise Risk Management?
Before we dive too deep into the nitty-gritty, let’s take a second to define our terms. Enterprise risk management (as opposed to just “risk management”) is defined by the Casualty Actuarial Society as “the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders.” This is one of the more straightforward definitions of the term, and it might not seem like anything groundbreaking, but already it alerts us to the importance of aligning risk management with all of your enterprise’s various stakeholders. This means considering the voices of your customers and personnel, in addition to management and shareholders, when you weigh the best ways to align corporate strategy with risk mitigation.
By taking a comprehensive view of the risks that inhere in every touchpoint on your value chain—from individual departments to different customer or client segments—and considering them alongside your upcoming goals, you can begin to create an overarching risk management strategy that prevents silos and allows for greater transparency and collaboration. At the end of the day, it’s this transparency that will separate successful risk mitigation processes from unsuccessful ones. Why? Because if no one in your operation knows what to do when a risk event occurs, then you’re essentially doomed to a slow, confusing, and inefficient response.
Common Sources of Risk
When you sit down to establish an enterprise risk management strategy, the first thing you need to do is gain an understanding of the risks that are actually likely to face your business. Here, it’s useful to have a sense of what the most common risk factors are for enterprise businesses. These tend to vary somewhat by region, but there are some general sources of risk that apply universally.
When people think of risks, they’re often worrying about big-ticket external risks, like economic crashes, market disruptions, and the like. But in point of fact, most risk begins at home, with internal risks that crop up within your operation, e.g.:
- Strategic errors can produce risk when there’s a mismatch between your corporate strategy and actual market or operational conditions. If, for instance, you’re pivoting into a new market that isn’t actually ready for your product, you stand to increase your risk.
- Reporting errors are a common source of internal risk. They can crop up as a result of poor IT integration, lack of digitization, or good old-fashioned human error—but the result is much the same: you can’t get an accurate picture of the current state of your strategic initiatives, and you’re basically flying blind as a result.
- Lack of big data integration is becoming increasingly problematic for enterprises in the digital era. If you’re not leveraging the data you collect into meaningful insights, you run the risk of losing competitive advantages and missing cost-saving opportunities.
- Talent acquisition and people management can be especially difficult if your company does a lot of development work. At the same time, a position that goes unfilled for too long can lead to significant technical debt, resulting in issues in your software that can cause problems later on. By the same token, if you’re failing to create a company culture that aligns with your larger goals, you might have issues with turnover and churn that result in problematic capacity restrictions.
- “Whitespace” risks crop up when there’s misalignment between the risk management tactics and best practices—or the risk appetite (more on that later)—across different teams or touchpoints. DevOps and SecOps, for instance, might both have their own levels of acceptable risk and their own tactics for managing it—both of which would work perfectly well on their own. But if they’re not aligned with one another, things can become problematic when there’s a handover between the two teams. These risks are easy to overlook, since on a department-by-department basis it seems like there are appropriate risk mitigation measures in place.
Of course, external risks are also worthy of thought and preparation. Though they’re sometimes hard to predict in advance, it’s important to be prepared for certain kinds of risk events:
- Macroeconomic conditions like huge market downturns or disruptions from competitors can potentially imperil your ability to grow your customer base and turn a profit.
- Cybersecurity threats like phishing scams, business email compromise, CEO fraud, and others all pose significant risk, even to businesses that take cybersecurity training seriously. If hackers are able to breach your private information, you stand to suffer not just monetarily but in terms of public image.
- Regulations aren’t a huge factor in many industries, but in the industries where they matter it’s important to keep them front and center. It would be disastrous if an automaker, for instance, were planning to roll out a new product only to find that new fuel economy regulations meant that they had to go back to the design stage.
- Supply chain issues are becoming especially apparent in the COVID-19 era, and most companies struggle with a lack of resiliency in this regard. To combat this, companies need to understand risks not just for themselves but for their suppliers.
How to Implement Risk Management
Once you have a handle on the different forms that risk can take, it’s time to actually set up an enterprise risk management process. This typically involves a handful of discrete steps.
- Set Objectives: First and foremost, you need to establish what corporate goals you’re working towards. This gives you the opportunity to figure out how well your goals align with the feelings and opinions of your customers, employees, and other stakeholders. This may mean thinking outside the box and coming up with some goals that aren’t strictly financial (e.g. increased engagement, X number of new hires, etc.).
- Establish Risk Appetite: Once you know what you’re working towards, you can begin to outline how much risk you’re willing to incur in order to achieve those goals. There’s not necessarily a right or wrong answer here—a small startup might be willing to take much bigger risks than an older SME. The trick here is just to make sure that everyone is on the same page: disruptions tend to crop up when, say, developers and the C-suite disagree about what an acceptable level of risk actually is.
- Identify Risk Events: We outlined the risks themselves above, but to really get your ERM framework up and running you need to find the events that trigger those risks. For instance, if you know that your current capacity lets you produce X number of widgets per week, when demand goes above X you could end up with costly outages that require you to scramble to avoid irritating your customers through late delivery. Conversely, if you’re in a highly regulated field like insurance, you might consider what new regulations might lead to issues for your ability to conduct your business efficiently.
- Map Out Whitespace: Like we said above, risk can often crop up in “whitespaces” between different teams—which is why it’s important to take a clear-eyed look at the handovers that take place up and down the value chain to find areas of misalignment. Once you have these events mapped out, you can incorporate them into your understanding of risk on a broader level.
- Assess Risks and Responses: Based on the events you identify, you can start to assess which risks are the most probable and figure out what steps you might take to mitigate each one. This can and should include both preventative measures (e.g., if you’re worried about server capacity for your e-commerce site during a spike in sales, you might make switching to the cloud a priority) and incident response strategies (who takes point on recovery following a data breach, how you pivot if demand for a new product doesn’t materialize after the initial launch, etc.). Here, it’ll be helpful to meet with stakeholders to get their opinions and pick their brains about possible risk mitigation strategies both within and across different departments.
- Communicate and Monitor: Okay, you’ve figured out what your biggest risk factors are, and you’ve come up with responses that might help you to overcome any disruptions or even prevent the disruption from occurring in the first place—what next? This is the step where the rubber meets the road: you need to formalize your strategies, including procedures for what to do when an event is triggered, and you need to put them somewhere accessible to relevant stakeholders. This is your chance to communicate about risk management with the entire enterprise. From there, you’ll have to continually monitor whatever indicators you’re using to measure risk.
Though we’ve distilled the process down to a handful of discrete steps, it can be complex and time-consuming. You’ll need the right tools to keep everyone on the same page, plus a clear plan for setting indicators and monitoring them, including well-defined roles and responsibilities for everyone up and down the risk response chain. From there, you’ll want to revisit your documentation every six months to a year to reassess risk factors and make sure you still have the right plans in place.
Do You Need In-House Risk Management Expertise?
Hopefully we haven’t made enterprise risk management seem too daunting. Even if we have, it’s crucial to remember that not every enterprise needs to pull itself up solely by its bootstraps. Though enterprise risk management processes are increasingly mission critical for modern businesses, it's more than possible to go outside your own organization to get insight, expertise, and even scalable incident response help. By partnering with a risk management expert, you can work within a framework that’s already been established and perfected, rather than starting from scratch. In this way you can immediately ramp up your knowledge of best practices, increase the accuracy of your estimates regarding the financial costs of various risks, and fine-tune both your proposed responses to risk incidents and your boots-on-the-ground implementation of those responses. Your business almost certainly needs an enterprise risk management process in place, but getting there doesn’t have to mean taking valuable resources away from other areas.
Learn More About Intertec's Project Management:
Intertec offers a wide spectrum of options in infrastructure management. We perform end-to-end outsourcing of specific infrastructure functions and develop strategies to construct and integrate technology architecture. Click here to learn more. Prefer a personal consultation? Go ahead and schedule a meeting with us here!