All business in a competitive market is risk-based, whether or not enterprises admit it. Positive risk indicates opportunities. Negative risk points to the need to take measures to avoid, transfer or mitigate that risk. Banks are a case in point, with risk analysis at the heart of their daily activities as they continually calculate the probabilities of profitability in investments and loans. For enterprises in other sectors, risk may be less in the spotlight, but no less important. All companies need good disaster recovery and business continuity management for instance. Both depend on properly assessing risks and their impact. So how can you tell if senior management is taking risk management seriously?
Actions speak louder than words. While statements of intent may be encouraging, it’s the commitment behind actions that counts. It may be a matter of implementing purpose-built software applications to manage risk or readjusting business priorities to the chances of profit or loss. In any cases, it’s a change of state or a different way of doing things. Another way for a company to show it is taking the matter seriously is to invest in a management position specifically for risk management or a closely related role, such as business continuity.
Yet real high-level involvement in risk management must also go further than funding new technology or authorising new hires. Airmic, the UK association for professionals with responsibility for risk management and insurance, points to a recent survey it conducted that found that over half UK boards don’t sign off their company’s enterprise risk management programmes. The decision is devolved to an audit committee or else sign-off doesn’t happen. This is a strange state of affairs for something that can so vitally affect the fortunes, positive or negative, of a firm. Risk and business continuity professionals of the world; be prepared to educate your board accordingly!