An organisation cannot exist in a sustainable way unless it strikes the right balance between these competing stakeholder interests. This balance is struck through risk-versus-reward-based decision making such as "we will apply 90% of our resources to support the customer value delivery chain processes that will ultimately drive profit and owner return on equity, and 10% to maintain sufficient control processes in order to give confidence to our stakeholders, such as regulators, that we are doing the right thing by our customers, employees and owners and thus keep our moral and legal operating licence". A company's failure to support its customers' interests results in lower custom, reduced market share and ultimately lower profits, and hence a lower return on the capital invested by owners, ultimately failing to meet the owners' interests. Likewise, a company's failure to support the interests of its regulators will result in financial sanction or withdrawal of operating licences, both of which hit the bottom line.
This risk/reward decision making is achieved through the principles and practices of risk management (whether it be market risk management, credit risk management, operational risk management or reputation risk management). Risk management principles include risk appetite, understanding risks (through risk assessments, for example) and responding to risks (e.g. controlling risks, accepting risks or insuring against the consequences of risks materialising). Failure to understand and apply these principles almost invariably leads to adverse outcomes for organisations, leaving them unable to support the interests of their respective stakeholders any longer (some notable examples are Enron, Barings Bank and Lehman Brothers, to name a few).
So, having established that effective risk management is important to the very survival of an organisation, one of the key questions that arises is: how do you implement effective risk management in an organisation?
A multitude of regulations, standards, courses, textbooks, guidelines, frameworks, processes and tools exist that seek to answer this question, but it boils down to a few key actions:
- Adequately defining and effectively communicating the risk management objectives, principles and practices the organisation is to use in order to understand and manage its risks.
- Putting in place sufficient risk management professionals and systems to assist the organisation in applying these defined and communicated objectives, principles and practices.
- Monitoring how well the defined and communicated risk management objectives, principles and practices are applied in the organisation, and course-correcting if the risk management objectives are not being met.
There are, of course, finer points, specialisms and subtleties, but in the end effective risk management revolves around these key actions. This is the short version.
PS: This is also published in the IT Risk Practitioner