Risk management is the responsibility of everyone in an organization, not just that of the owner or senior executives. And savvy leaders take a holistic approach to managing risk, involving employees and thinking in a cause-and-effect manner about how actions in one business line can affect security in another area of the company.
Enterprise risk management is a way of capturing risk from every angle and managing it proactively with a comprehensive plan. And in today’s economy, thinking about risk in a broader sense is critical, says Rod Sloan, chief risk officer for Old Second National Bank, Aurora, Ill.
“Economic conditions expose companies to a variety of risks,” says Sloan, noting that businesses should approach their operations with a heightened awareness of the potential risks across all areas, as “the Internet and all of the electronic business we do today creates additional risk characteristics.”
But instead of being proactive, many organizations wait to implement an enterprise risk management plan until after an incident compromises the company’s security or reputation.
Smart Business spoke with Sloan about what is involved in enterprise risk management and how a business can design and implement an effective plan.
How has risk management evolved?
With all of the post-mortem occurring in the financial industry, businesses in all sectors are taking a serious look at the viability of their plan and what leaks exist in it. This leads to the concept of enterprise risk management — understanding risk on a cross-dimensional basis. Your definition of risk must extend beyond firewalls and financial security to address every single aspect of the business, down to a company’s social media presence.
What is the first step to implementing a holistic risk management plan?
First comes risk awareness within specific business units. Then, leaders at the company must get those business units to talk to each other. The typical business unit manager is focused on daily, departmental tasks. A sales manager concentrates on meeting sales objectives and networking with prospective clients. But it’s important for a sales manager to understand pertinent risks to his or her line of business, and the risks that affect other areas of the organization.
If commissioned salespeople use social networking opportunities to generate leads, how does that affect the entire company? To embrace the enterprise risk management philosophy, those business unit managers must connect with one another and start a dialogue on the cause-and-effect relationship between the risks that each department faces.
How does a business identify what type of risk to address in a plan?
A company may perform a formal risk assessment by bringing in a third-party expert to evaluate every aspect of the business for risk susceptibility. The comprehensive reports produced from rigorous assessments like this are extremely valuable to managers and serve as conversation starters.
But businesses can conduct a less rigid risk evaluation by asking key managers what top five issues worry them the most. From there, dig deeper and consider how someone might perpetrate fraud against the company in those five areas. Then, determine whether there are controls in place to stop fraud and/or minimize risk. Put numbers around those risks; will it cost the company a large dollar amount from a single, spontaneous event, or will it cost small dollar amounts but eventually result in a big event that could cost the company its reputation? Finally, discuss what else could be done to protect the company. This dialogue becomes the basis of an enterprise risk management plan.
