From the corporate scandals that spawned the Sarbanes-Oxley Act of 2002 to the financial crisis of 2008 to last year’s Hurricane Sandy, companies of all sizes have had plenty of incentive to enhance their risk-management capabilities. Some have adopted formal methodologies, such as Enterprise Risk Management (ERM), and hired Chief Risk Officers to develop and oversee comprehensive risk-management programs.
But these companies tend to be, as North Carolina State University business professors Donald Pagach and Richard Warr have found, large firms, often in industries characterized by variable cash flows and stock returns.
For many other companies, a less centralized, less resource-intensive approach to risk management may make more sense. Risk can be as hard to manage as it is to define: what facet of business, after all, doesn’t pose some kind of risk, from the actions (or inactions) of employees to rapidly changing technologies to macroeconomic forces to changing regulatory requirements to the weather?
Why Every Employee is a Risk Manager
Because risk can manifest itself in these and many other forms, experts recommend that companies take steps to make risk management a part of everyone’s job. Even when an executive is put in charge of the risk function, “A risk manager can’t know all the risks that a forklift operator or an engineer faces in their job every day,” says Chris Moss, a risk-management consultant who has helped many midsized companies teach their leadership teams how to address risk management as a core part of their duties. “You need to train everyone, from the CEO to entry-level employees, on how to identify the risks they see from their vantage points and how to suggest ways to mitigate them.”
This team-oriented approach can help with even the most basic tasks of risk management, such as buying insurance. Jim Mahurin, a risk-management consultant based in Tennessee, has clients prepare a list of all corporate properties and associated insurance policies. He then has them send that list to every employee for double-checking. Employees typically identify additional, uninsured facilities equal to about 20 percent of the original list. Often these properties aren’t obscure warehouses or underused facilities but core assets that would be very costly to replace if not covered by insurance. “The team concept works very, very well compared to having a sole individual who has full responsibility,” Mahurin says.
Companies can’t, however, expect every employee to weigh in on every facet of risk management. Instead, a viable way to apply the team concept is to form an intra-company risk committee. Such committees, which typically include a representative from every business unit as well as top finance and legal staff, allow an organization to cast the widest possible net in terms of identifying risks and achieve the necessary communication when it comes to developing solid plans to address them.
For some companies, risk committees can be a stepping stone to deploying a more rigorous ERM system. For others, they may be a reliable long-term method for efficiently assessing and prioritizing the risks the organization should focus on most carefully. Either way, they provide what many experts consider the single most important facet of risk management: creating a mechanism to identify and discuss all the risks a company may face.
“Risk awareness is 90 percent of the battle,” says John Varvaris, a former risk-management consultant who is now president of Best Doctors, a $150 million expert network of doctors who offer second opinions to individuals and insurance companies. “I’ve seen over and over again that if you don’t come to a meeting prepared to talk about risk, you’re not going to give it the right amount of attention.” Too often the executive team will talk about staffing needs or impending deals or any number of other operational issues, he says, but they also “need to put their risk hats on” and discuss potential risks that are often overlooked, such as the impact of losing a large customer.
Varvaris created a standing risk committee of approximately 12 people soon after joining Best Doctors. To jumpstart the team, he acquainted it with some basic risk concepts, like how to measure various risks and develop a sense of the firm’s overall risk appetite.
That sort of educational component is key, say experts. “If you ask smart people in any industry, they can cite the risks they face,” says risk consultant Michael Cohen. “But what is very, very difficult is to figure out how bad a given risk could be, how to measure it, and determining whether you are, in fact, good at measuring it.”
From Identification to Mitigation
Briefed on the basics, each member of Best Doctors’ risk committee now arrives at the quarterly risk meeting with a list of the top five to 10 risks their unit faces, and a description of how they’re prepared to deal with them. The group then challenges each member as to whether or not they’ve captured the right ones. “We have a lot of ‘A-ha!’ moments in these meetings, but you have to check your ego at the door,” says Varvaris.
Once vetted, risks are plotted on a grid according to their potential severity and likelihood, which enables the committee to winnow many dozens of risks to a list of the top 10 for the corporation as a whole. Part of this process might entail a broad categorization of risks (for example, separating discussion of operational risks from those focused on credit risks or competitive risks) so that each category can be analyzed in an appropriate context.
The proper response to a given risk will vary greatly by company. Jacob Morgan, author of The Collaborative Organization, suggests that there are two key questions to ask: What is the potential harm? And, how important is it that this not happen? Such questions determine the overall severity of a risk. Map that to the probability of occurrence and probability of early detection, and the team can create a simple scorecard that results in a “priority index” ranking for each risk. The risk posed by negative customer feedback might earn a low score for a large retail chain, for which a certain volume of complaints is inevitable. But it might earn a far higher score for the maker of a new electronic gadget, since such complaints can go viral and influence a large percentage of would-be buyers.
The value of a team approach to risk management depends on a continual infusion of fresh perspectives. Core members should invite staffers from their departments to sit in occasionally, which is a very useful form of mentoring in that the junior staff member not only develops a keener appreciation for risk management but also becomes a risk leader in their zone of influence, helping other employees adopt a risk mindset.
Beyond Damage Control
Indeed, consultant Moss says that a “nice side effect of rolling out risk-management training broadly is that employees feel like they’re more important to the organization.” It’s incumbent upon senior management, experts say, to create processes for soliciting and reviewing employees’ views on risks, be it surveys, dedicated email inboxes, or other mechanisms. It’s also important that they respond to any ideas or concerns raised by employees, even if only to explain why they have decided not to act on a given suggestion. On the flip side, rewarding employees who identify or mitigate risks is also important. Whether simply acknowledged or tangibly rewarded, providing employees with feedback that keeps them engaged in the process is a critical part of building risk management into the corporate culture.
When that happens, it not only leads to better outcomes in terms of avoiding catastrophes and mistakes but can actually drive innovation (e.g., insurer FM Global has found that companies with more sophisticated risk-management processes actually have fewer and less damaging fires). A recent study by Accenture found that effective risk management creates a bridge between traditionally risk-averse functions within the company, such as finance, and the product groups charged with developing new products or services. Put another way, when everyone shares responsibility for risk, a company can pursue innovation and new ideas because it has defined the parameters within which such risk-taking can occur.
BUILDING THE STRATEGIC CFO
Chapters in the CFO action series presented by Build and GE Capital:
Chapter 1: Own the Big Picture
Chapter 2: Create More Time
Chapter 3: Build a Better Team
Chapter 4: The Great Communicator
Chapter 5: Big Data, Big Results
Chapter 6: Think and Act Sustainably
Chapter 7: The Leading Edge
Chapter 8: Think Global, Whether You Are or Not
Chapter 9: Building a Risk-Intelligent Culture
Chapter 10: How to Win the War for Talent
Chapter 11: Technology & You
Chapter 12: The Art of Strategic Influence
Chapter 13: Building the Customer-Centric Organization