There are so many challenges facing businesses today as we all focus upon sustaining demand, revenue, and operating infrastructure while confronting new paradigms for staff retention, safety, and service delivery. Technologies we may have just begun to touch, like mobile device management, cloud-based infrastructure, and remote, digital client services, to name a few, may suddenly be existential realities needed right now. So, why add to this demanding burden for management and staff with risk management and cyber security? While there are many arguments to be made by IT, security, and advisory professionals, it’s easy to see their counsel as self-serving to their own continuance.
Skeptical minds might agree. But skeptical minds would be missing the obvious, concealed in plain sight. Risk management isn’t a discrete task; it’s a process, embedded without conscious attention, and integrated within everything we do.
Consider some obvious behaviors:
- We dress for the weather; managing the risk of being too hot or too cold, or too wet
- We carry umbrellas (or not); to avoid getting wet if rain is forecast
- We monitor how fast we drive; to avoid a ticket or arrest
- We use a calendar; to keep appointments and prevent over-committing
- We develop interviewing and hiring practices; to minimize costly hiring mistakes
- We have multiple suppliers; in case one fails to deliver critical goods or services
- We make certain suppliers support rather than dilute our security and risk practices
- We exercise; to manage our health, our appearance, and prolong our lives
- We retain some earnings; to fund operations through demand and revenue fluctuations
- …and on and on…
Without risk management our lives, personal and professional, would become completely random and dysfunctional. We make choices throughout our days that are, in part, decisions about managing risk, by compensating, avoiding, preventing, or deferring it, as some of the examples above depict. Many of them just seem to be “common sense”, as our parents and mentors might have explained in the past. Some are “best practices” we follow because they offer constructive paths to outcomes we were planning to achieve. Let’s take a closer look at how risk management plays an inherent role in some of the most important processes business is counting upon now to help transition into new, effective ways of operation and sustainability in a volatile work and living environment.
There’s no doubt everyone is trying to manage change today; specifically, managing the perpetual amount and substance of changes presenting themselves almost daily. There are libraries full of change management books. There is much common thinking across them. At the core, there are some essentials any change process must embrace:
- Articulate the change to be made clearly
- Define the outcomes to be achieved by the change
- Determine the risks and opportunities of stasis and of implementing the change
- Plan the steps needed to implement the change
- Implement the plan
- Evaluate progress
- Measure outcomes and communicate
This is not a particularly linear process, but more of a cyclical one. Your own organization may follow one with many more or different steps, following this sequence or one more tailored to your line of business. Regardless, consideration of the impacts and potential opportunities resulting from making this change, as well as from not making a change, is something inherent to doing anything. Even the thought about whether to make a change in how or what you do in a particular situation has a risk implied by the answer to a “…what if…?” question. If you are asking “what if…?”, you are engaging in a risk discussion.
Effective operations management reflects adroit risk attention at every turn. Distribution practices incorporate alternate routes and methods, factoring in road and weather conditions. Manufacturing attends to supply chain dependencies and backup vendors. Reliability and quality are measured and monitored. Staff are often cross-trained to assure essential skills and knowledge are present when needed. Call centers have backup power and communications processes. Mechanical machines, technology hardware, and application and operating software are all maintained to preserve performance at efficient levels. Financial processes assure transactions are completed successfully or have the means to track and remedy errors to prevent revenue or other financial mishaps. More recently, this includes creating and sustaining a mobile workforce to bolster continuity. All these considerations are actions and processes to address important risk alternatives. Decisions about their direction and refinement are routinely made, often labeled as something other than risk-related, but they incorporate risk components in every case.
Metrics Guide The Way
Steering a vehicle blindfolded is neither effective nor efficient. Well-managed companies monitor key indicators of performance across all aspects of their businesses. They don’t guess about their status regarding cash flow, revenue, sales, or expenses. Efficiency measures regarding manufacture, consumption of raw materials, and workforce productivity, to name a few, are closely monitored. Successful companies do this to identify problems as well as record successes. Metrics that fail to reach needed or expected values point out areas for scrutiny as potential symptoms of a serious problem before they become artifacts of a crisis. That’s part of risk detection, and to a less predictive extent, risk identification and prevention. For some firms, the frequency of sampling and fineness of measure have been tuned by experience to transform key trailing measures of results into leading indicators of performance. A comprehensive, mature risk management program will incorporate both leading and trailing metrics into the mix of data from risk assessments, audits, and regulatory compliance efforts to complete a full understanding of risk opportunity and presence across an enterprise. You need to know what’s working well and what’s not; metrics are a signal to guide your attention and help focus your decisions and actions. They help you see what you may not in a remote or an onsite operation.
Management, Not Magic
Metrics tell you where you are, what you have, what’s working and what’s not. Using that information to decide what to do, what to change, how to change, and where, is the substance of management. It’s what we do and how we do it. Managers at all levels are about directing resources to achieve specific ends. You cannot launch a new program if you lack the finances to promote, service, and support the program. It would fail by default. If you need a service or commodity critical to your function, you don’t rely upon a single supplier, and you monitor the performance, health, and costs associated with those critical suppliers closely. Managers set aside provisions for contingencies, should some foreseen or unexpected event disrupt normal operations. Staff cross-train to assure continuity of important skills and knowledge. While growth and revenue are key measures of thriving success, so too are resilience and strength in more challenging markets and environments. The decisions made by managers and executives to direct the actions of a company take all of these into consideration. Working to assure their existence in the future is foundational to growth in revenue, market share, brand presence, and reputation. To do that, managers must take risks. To take risks, one needs to be able to identify and evaluate them. Managing the risks and obstacles that present themselves daily in the dynamics of a fluid environment is inherent to management skill.
Directed vs. Random
Do you know where you are headed? Do you know where you want to go? Are they the same place? If not, why not? How many times in your company or career do you stop to consider these questions and assure you have clear, consistent answers? Captains of vessels large and small confirm their course throughout their journeys to assure they reach their destination. They don’t just point and go. How many of you reading this are working today in fields you entered 5, 10, or 20+ years ago? Are the skills you count upon today the ones you studied in school? What’s changed? Successful companies have a vision at the start. But oftentimes market demands, available resources, and environmental shifts can lead to course changes. Making such course corrections is another expression of risk management, and of opportunity management in certain circumstances. Sometimes the adjustment is to the target, sometimes it’s to the direction, and sometimes, it’s to the means. The realities of the past months have offered many opportunities and examples for each. When an adjustment in your vision, goal, or direction suddenly puts you at a clear advantage over competition, the opportunity to take advantage is constrained only by your ability to manage any accompanying risks along the way. And to do that, you’ll look to each of the practices mentioned above. Risk management is a component of so much we do to manage a company to successful achievement of its goals. It so infuses our thinking and actions on so many levels.
So, Why Bother Now?
Really, to stop managing risk is to stop actively managing your company, business, or life. It’s leaving all to the whim of chance and the actions of others, who will act if you do not. As we’ve seen, risk management is a vital part of active management. Identifying it as a separate discipline is an effort to add specific structure and process to it as a management practice. It means aligning metrics, assessment, artifacts from audits, and other actions to help refine and focus the articulation of risk, its detection, identification, scope, strength, and the means to address it! It’s one reason you may have introduced GRC tools to help achieve and mature risk management processes.
Cyber risks have added yet another dimension and risk vector to this mix. It’s a complication that impacts many aspects of a company’s overall risk exposure and operating footprint. Cyber risk has the ability to compromise delivery by third-party partners and suppliers. Its incidents can drain financial resources and expose intellectual property and confidential and client data, while inflicting serious damage to brand value and customer confidence. Regulators pay particular attention to how it is addressed during compliance reviews, as do internal and external auditors.
Because risk management is so intertwined with critical corporate management, while growing in diversity and complexity on its own, it is no longer wise to address it without a framework, a set of processes, and a strategy to follow. So, why bother now? Because if you do not bother now, you may not have the opportunity to bother in the not-too-distant future. Risk management, as we have discussed, is foundational, essential, and a clear contributor to successful achievement of a company’s vision, mission, and promise to its clients, associates, investors, and all its stakeholders. It is already a part of what you do.
Now only one question remains: do you manage risk well enough to thrive in the environments presented today, and will you continue to through the challenges of tomorrow?
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.