Effective risk management takes a proactive and preventative stance to risk, aiming to identify and then determine the appropriate response to the business and facilitate better decision-making. Many approaches to risk management focus on risk reduction, but it’s important to remember that risk management practices can also be applied to opportunities, assisting the organization with determining if that possibility is right for it.
Risk management as a discipline has evolved to the point that there are now common subsets and branches of risk management programs, from enterprise risk management (ERM), to cybersecurity risk management, to operational risk management (ORM), to supply chain risk management (SCRM). With this evolution, standards organizations around the world, like the US’s National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO) have developed and released their own best practice frameworks and guidance for businesses to apply to their risk management plan.
Companies that adopt and continuously improve their risk management programs can reap the benefits of improved decision-making, a higher probability of reaching goals and business objectives, and an augmented security posture. But, with risks proliferating and the many types of risks that face businesses today, how can an organization establish and optimize its risk management processes? This article will walk you through the fundamentals of risk management and offer some thoughts on how you can apply it to your organization.
What Are Risks?
We’ve been talking about risk management and how it has evolved, but it’s important to clearly define the concept of risk. Simply put, risks are the things that could go wrong with a given initiative, function, process, project, and so on. There are potential risks everywhere — when you get out of bed, there’s a risk that you’ll stub your toe and fall over, potentially injuring yourself (and your pride). Traveling often involves taking on some risks, like the chance that your plane will be delayed or your car runs out of gas and leave you stranded. Nevertheless, we choose to take on those risks, and may benefit from doing so.
Companies should think about risk in a similar way, not seeking simply to avoid risks, but to integrate risk considerations into day-to-day decision-making.
- What are the opportunities available to us?
- What could be gained from those opportunities?
- What is the business’s risk tolerance or risk appetite – that is, how much risk is the company willing to take on?
- How will this relate to or affect the organization’s goals and objectives?
- Are these opportunities aligned with business goals and objectives?
With that in mind, conversations about risks can progress by asking, “What could go wrong?” or “What if?” Within the business environment, identifying risks starts with key stakeholders and management, who first define the organization’s objectives. Then, with a risk management program in place, those objectives can be scrutinized for the risks associated with achieving them. Although many organizations focus their risk analysis around financial risks and risks that can affect a business’s bottom line, there are many types of risks that can affect an organization’s operations, reputation, or other areas.
Remember that risks are hypotheticals — they haven’t occurred or been “realized” yet. When we talk about the impact of risks, we’re always discussing the potential impact. Once a risk has been realized, it usually turns into an incident, problem, or issue that the company must address through their contingency plans and policies. Therefore, many risk management activities focus on risk avoidance, risk mitigation, or risk prevention.
What Different Types of Risks Are There?
There’s a vast landscape of potential risks that face modern organizations. Targeted risk management practices like ORM and SCRM have risen to address emerging areas of risk, with those disciplines focused on mitigating risks associated with operations and the supply chain. Specific risk management strategies designed to address new risks and existing risks have emerged from these facets of risk management, providing organizations and risk professionals with action plans and contingency plans tailored to unique problems and issues.
Common types of risks include: strategic, compliance, financial, operational, reputational, security, and quality risks.
Strategic Risk
Strategic risks are those risks that could have a potential impact on a company’s strategic objectives, business plan, and/or strategy. Adjustments to business objectives and strategy have a trickle-down effect to almost every function in the organization. Some events that could cause strategic risks to be realized are: major technological changes in the company, like switching to a new tech stack; large layoffs or reductions-in-force (RIFs); changes in leadership; competitive pressure; and legal changes.
Compliance Risk
Compliance risks materialize from regulatory and compliance requirements that businesses are subject to, like Sarbanes-Oxley for publicly-traded US companies, or GDPR for companies that handle personal information from the EU. The consequence or impact of noncompliance is generally a fine from the governing body of that regulation. These types of risks are realized when the organization does not maintain compliance with regulatory requirements, whether those requirements are environmental, financial, security-specific, or related to labor and civil laws.
Financial Risk
Financial risks are fairly self-explanatory — they have the possibility of affecting an organization’s profits. These types of risks often receive significant attention due to the potential impact on a company’s bottom line. Financial risks can be realized in many circumstances, like performing a financial transaction, compiling financial statements, developing new partnerships, or making new deals.
Operational Risk
Risks to operations, or operational risks, have the potential to disrupt daily operations involved with running a business. Needless to say, this can be a problematic scenario for organizations with employees unable to do their jobs, and with product delivery possibly delayed. Operational risks can materialize from internal or external sources — employee conduct, retention, technology failures, natural disasters, supply chain breakdowns — and many more.
Reputational Risk
Reputational risks are an interesting category. These risks look at a company’s standing in the public and in the media and identify what could impact its reputation. The advent of social media changed the reputation game quite a bit, giving consumers direct access to brands and businesses. Consumers and investors too are becoming more conscious about the companies they do business with and their impact on the environment, society, and civil rights. Reputational risks are realized when a company receives bad press or experiences a successful cyber attack or security breach; or any situation that causes the public to lose trust in an organization.
Security Risk
Security risks have to do with possible threats to your organization’s physical premises, as well as information systems security. Security breaches, data leaks, and other successful types of cyber attacks threaten the majority of businesses operating today. Security risks have become an area of risk that companies can’t ignore, and must safeguard against.
Quality Risk
Quality risks are specifically associated with the products or services that a company provides. Producing low-quality goods or services can cause an organization to lose customers, ultimately affecting revenue. These risks are realized when product quality drops for any reason — whether that’s technology changes, outages, employee errors, or supply chain disruptions.
Steps in the Risk Management Process
The six risk management process steps that we’ve outlined below will give you and your organization a starting point to implement or improve your risk management practices. In order, the risk management steps are:
- Risk identification
- Risk analysis or assessment
- Controls implementation
- Resource and budget allocation
- Risk mitigation
- Risk monitoring, reviewing, and reporting
If this is your organization’s first time setting up a risk management program, consider having a formal risk assessment completed by an experienced third party, with the goal of producing a risk register and prioritized recommendations on what activities to focus on first. Annual (or more frequent) risk assessments are usually required when pursuing compliance and security certifications, making them a valuable investment.
Step 1: Risk Identification
The first step in the risk management process is risk identification. This step takes into account the organization’s overarching goals and objectives, ideally through conversations with management and leadership. Identifying risks to company goals involves asking, “What could go wrong?” with the plans and activities aimed at meeting those goals. As an organization moves from macro-level risks to more specific function and process-related risks, risk teams should collaborate with critical stakeholders and process owners, gaining their insight into the risks that they foresee.
As risks are identified, they should be captured in formal documentation — most organizations do this through a risk register, which is a database of risks, risk owners, mitigation plans, and risk scores.
Step 2: Risk Analysis or Assessment
Analyzing risks, or assessing risks, involves looking at the likelihood that a risk will be realized, and the potential impact that risk would have on the organization if that risk were realized. By quantifying these on a three- or five-point scale, risk prioritization becomes simpler. Multiplying the risk’s likelihood score with the risk’s impact score generates the risk’s overall risk score. This value can then be compared to other risks for prioritization purposes.
Likelihood
The likelihood that a risk will be realized asks the risk assessor to consider how probable it would be for a risk to actually occur. Lower scores indicate less chances that the risk will materialize. Higher scores indicate more chances that the risk will occur.
Likelihood, on a 5×5 risk matrix, is broken out into:
- Highly Unlikely
- Unlikely
- Possible
- Likely
- Highly Likely
Impact
The potential impact of a risk, should it be realized, asks the risk assessor to consider how the business would be affected if that risk occurred. Lower scores signal less impact to the organization, while higher scores indicate more significant impacts to the company.
Impact, on a 5×5 risk matrix, is broken out into:
- Negligible Impact
- Low Impact
- Moderate Impact
- High Impact
- Catastrophic Impact
Risk assessment matrices help visualize the relationship between likelihood and impact, serving as a valuable tool in risk professionals’ arsenals.
Organizations can choose whether to employ a 5×5 risk matrix, as shown above, or a 3×3 risk matrix, which breaks likelihood, impact, and aggregate risk scores into low, moderate, and high categories.
Step 3: Controls Assessment and Implementation
Once risks have been identified and analyzed, controls that address or partially address those risks should be mapped. Any risks that don’t have associated controls, or that have controls that are inadequate to mitigate the risk, should have controls designed and implemented to do so.
Step 4: Resource and Budget Allocation
This step, the resource and budget allocation step, doesn’t get included in a lot of content about risk management. However, many businesses find themselves in a position where they have limited resources and funds to dedicate to risk management and remediation. Developing and implementing new controls and control processes is timely and costly; there’s usually a learning curve for employees to get used to changes in their workflow.
Using the risk register and corresponding risk scores, management can more easily allocate resources and budget to priority areas, with cost-effectiveness in mind. Each year, leadership should re-evaluate their resource allocation as part of annual risk lifecycle practices.
Step 5: Risk Mitigation
The risk mitigation step of risk management involves both coming up with the action plan for handling open risks, and then executing on that action plan. Mitigating risks successfully takes buy-in from various stakeholders. Due to the various types of risks that exist, each action plan may look vastly different between risks.
For example, vulnerabilities present in information systems pose a risk to data security and could result in a data breach. The action plan for mitigating this risk might involve automatically installing security patches for IT systems as soon as they are released and approved by the IT infrastructure manager. Another identified risk could be the possibility of cyber attacks resulting in data exfiltration or a security breach. The organization might decide that establishing security controls is not enough to mitigate that threat, and thus contract with an insurance company to cover off on cyber incidents. Two related security risks; two very different mitigation strategies.
One more note on risk mitigation — there are four generally accepted “treatment” strategies for risks. These four treatments are:
- Risk Acceptance: Risk thresholds are within acceptable tolerance, and the organization chooses to accept this risk.
- Risk Transfer: The organization chooses to transfer the risk or part of the risk to a third party provider or insurance company.
- Risk Avoidance: The organization chooses not to move forward with that risk and avoids incurring it.
- Risk Mitigation: The organization establishes an action plan for reducing or limiting risk to acceptable levels.
If an organization is not opting to mitigate a risk, and instead chooses to accept, transfer, or avoid the risk, these details should still be captured in the risk register, as they may need to be revisited in future risk management cycles.
Step 6: Risk Monitoring, Reviewing, and Reporting
The last step in the risk management lifecycle is monitoring risks, reviewing the organization’s risk posture, and reporting on risk management activities. Risks should be monitored on a regular basis to detect any changes to risk scoring, mitigation plans, or owners. Regular risk assessments can help organizations continue to monitor their risk posture. Having a risk committee or similar committee meet on a regular basis, such as quarterly, integrates risk management activities into scheduled operations, and ensures that risks undergo continuous monitoring. These committee meetings also provide a mechanism for reporting risk management matters to senior management and the board, as well as affected stakeholders.
As an organization reviews and monitors its risks and mitigation efforts, it should apply any lessons learned and use past experiences to improve future risk management plans.
Examples of Risk Management Strategies
Depending on your company’s industry, the types of risks it faces, and its objectives, you may need to employ many different risk management strategies to adequately handle the possibilities that your organization encounters.
Some examples of risk management strategies include leveraging existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, and third-party risk assessments.
Leverage Existing Frameworks and Best Practices
Risk management professionals need not go it alone. There are several standards organizations and committees that have developed risk management frameworks, guidance, and approaches that business teams can leverage and adapt for their own company.
Some of the more popular risk management frameworks out there include:
- ISO 31000 Family: The International Standards Organization’s guidance on risk management.
- NIST Risk Management Framework (RMF): The National Institute of Standards and Technology has released risk management guidance compatible with their Cybersecurity Framework (CSF).
- COSO Enterprise Risk Management (ERM): The Committee of Sponsoring Organizations’ enterprise risk management guidance.
Minimum Viable Product (MVP) Development
This approach to product development involves developing core features and delivering those to the customer, then assessing response and adjusting development accordingly. Taking an MVP path reduces the likelihood of financial and project risks, like excessive spend or project delays by simplifying the product and decreasing development time.
Contingency Planning
Developing contingency plans for significant incidents and disaster events are a great way for businesses to prepare for worst-case scenarios. These plans should account for response and recovery. Contingency plans specific to physical sites or systems help mitigate the risk of employee injury and outages.
Root Cause Analysis and Lessons Learned
Sometimes, experience is the best teacher. When an incident occurs or a risk is realized, risk management processes should include some kind of root cause analysis that provides insights into what can be done better next time. These lessons learned, integrated with risk management practices, can streamline and optimize response to similar risks or incidents.
Built-In Buffers
Applicable to discrete projects, building in buffers in the form of time, resources, and funds can be another viable strategy to mitigate risks. As you may know, projects can get derailed very easily, going out of scope, over budget, or past the timeline. Whether a project team can successfully navigate project risks spells the success or failure of the project. By building in some buffers, project teams can set expectations appropriately and account for the possibility that project risks may come to fruition.
Risk-Reward Analysis
In a risk-reward analysis, companies and project teams weigh the possibility of something going wrong with the potential benefits of an opportunity or initiative. This analysis can be done by looking at historical data, doing research about the opportunity, and drawing on lessons learned. Sometimes the risk of an initiative outweighs the reward; sometimes the potential reward outweighs the risk. At other times, it’s unclear whether the risk is worth the potential reward or not. Still, a simple risk-reward analysis can keep organizations from bad investments and bad deals.
Third-Party Risk Assessments
Another strategy teams can employ as part of their risk management plan is to conduct periodic third-party risk assessments. In this method, a company would contract with a third party experienced in conducting risk assessments, and have them perform one (or more) for the organization. Third-party risk assessments can be immensely helpful for the new risk management team or for a mature risk management team that wants a new perspective on their program.
Generally, third-party risk assessments result in a report of risks, findings, and recommendations. In some cases, a third-party provider may also be able to help draft or provide input into your risk register. As external resources, third-party risk assessors can bring their experience and opinions to your organization, leading to insights and discoveries that may not have been found without an independent set of eyes.
Components of an Effective Risk Management Plan
An effective risk management plan has buy-in from leadership and key stakeholders; applies the risk management steps; has good documentation; and is actionable. Buy-in from management often determines whether a risk management function is successful or not, since risk management requires resources to conduct risk assessments, risk identification, risk mitigation, and so on. Without leadership buy-in, risk management teams may end up just going through the motions without the ability to make an impact. Risk management plans should be integrated into organizational strategy, and without stakeholder buy-in, that typically does not happen.
Applying the risk management methodology is another key component of an effective plan. That means following the six steps outlined above should be incorporated into a company’s risk management lifecycle. Identifying and analyzing risks, establishing controls, allocating resources, conducting mitigation, and monitoring and reporting on findings form the foundations of good risk management.
Good documentation is another cornerstone of effective risk management. Without a risk register recording all of a company’s identified risks and accompanying scores and mitigation strategies, there would be little for a risk team to act on. Maintaining and updating the risk register should be a priority for the risk team — risk management software can help here, providing users with a dashboard and collaboration mechanism.
Last but not least, an effective risk management plan needs to be actionable. Any activities that need to be completed for mitigating risks or establishing controls, should be feasible for the organization and allocated resources. An organization can come up with the best possible, best practice risk management plan, but find it completely unactionable because they don’t have the capabilities, technology, funds, and/or personnel to do so. It’s all well and good to recommend that cybersecurity risks be mitigated by setting up a 24/7 continuous monitoring Security Operations Center (SOC), but if your company only has one IT person on staff, that may not be a feasible action plan.
Executing on an effective risk management plan necessitates having the right people, processes, and technology in place. Sometimes the challenges involved with running a good risk management program are mundane — such as disconnects in communication, poor version control, and multiple risk registers floating around. Risk management software can provide your organization with a unified view of the company’s risks, a repository for storing and updating key documentation like a risk register, and a space to collaborate virtually with colleagues to check on risk mitigation efforts or coordinate on risk assessments. Get started building your ideal risk management plan today!
Emily Villanueva, MBA, is a Senior Manager of Product Solutions at AuditBoard. Emily joined AuditBoard from Grant Thornton, where she provided consulting services specializing in SOX compliance, internal audit, and risk management. She also spent 5 years in the insurance industry specializing in SOX/ICFR, internal audits, and operational compliance. Connect with Emily on LinkedIn.