
Five Ideas to Strengthen Risk Management

By José Angel Tinoco - Minsait
COO


By Jose Angel Tinoco | COO - Fri, 05/09/2025 - 08:00


One could say that, in the business world, the concept of risk has lost part of its intimidating power. Today’s organizations acknowledge that the various threats in their environment — like other variables in the business landscape — are elements that can be identified and analyzed through specialized processes. They are not sudden storms, difficult to foresee or explain.

In this understanding of corporate risk, innovation plays a central role. Thanks to advanced technologies, such as artificial intelligence (AI), machine learning, and analytics, companies are in a better position to detect, examine, and manage both internal and external situations that could jeopardize their business objectives. In this regard, it is not surprising that, according to a report, 54% of organizations view risk management as one of the priority areas in their AI implementation projects.

However, to consolidate effective risk management, technology is not the most critical resource. Innovation must complement a tactical approach — regarding business threats — that encompasses the organization’s processes, roles, and strategies. According to studies, this is an area where companies still face significant challenges.

For example, only 13% of Mexican organizations consider their risk management capabilities to be advanced. These companies have effective resources (including innovative solutions) to identify, measure, and manage threats in a consistent, agile, and cross-functional manner (that is, encompassing multiple business processes and areas). Additionally, they establish specific risk management procedures and assign clear responsibility for each identified threat.

In contrast, in over 80% of organizations, risk management remains an activity that, for various reasons, has not yet delivered optimal results. In these companies, although threats may be properly identified, they are only addressed within a few departments or processes — there is no risk vision that integrates the entire company. The focus tends to be reactive (when the threat is already a problem in progress); there is no clearly structured strategy for managing risks, and responsibilities for contingency management are not always defined.

To provide strategic support to risk management efforts — enhancing the capabilities of the technologies focused on this task — organizations need to establish processes and practices that go beyond threat detection. These should reinforce agility and the capacity to respond to any contingency along the way. Five actions are especially helpful in this respect:

  1. Corporate culture, at all levels, must embrace risk acceptance. This means recognizing that potential dangers to the organization — economic, geopolitical, regulatory, among others — are not exceptional circumstances, but rather, elements that are part of the ecosystem of any business. Accordingly, they must be addressed through analysis, constant monitoring, and strategic planning. It is also necessary to promote the understanding that risks affect all business areas and functions — no department or corporate process is immune. Risk management, therefore, must be based on an integrated organizational view.

  2. Establishing a realistic perspective on threat management. Risk management essentially means anticipating contingencies and being prepared to address them. It is not a tool for repairing already-consummated events. For this reason, it is vital for organizations to distinguish between a risk (a situation or factor that could impact the business) and a problem (a difficulty already in motion and producing effects). The company must understand that threat management is not a reactive emergency strategy but a comprehensive plan to prevent risks from turning into problems. And if a threat does materialize, the organization must be ready to overcome it swiftly and effectively.

  3. Threats must be quantified, not just identified. Any threat that succeeds in affecting the company will generate costs — administrative, technological, financial, human capital, and operational infrastructure. In its risk management strategy, an organization must have a clear view of what it will cost to deal with a materialized threat: What financial impact could we face? Can we handle the situation with existing staff, or will we need to invest in new hires? What will the implementation of a Disaster Recovery Plan (DRP) cost to address the contingency? These types of questions are useful for objectively measuring the financial impact of a risk, while also facilitating the projection of special budgets and the design of procurement strategies so that if the threat does affect the company, these resources will already be considered and not need to be improvised during an emergency.

  4. Business threats must be managed strategically. Once the organization has a clear understanding of the costs associated with a potential risk, it can make more tactical decisions. For instance, after evaluating the financial cost of a threat, a company might choose to absorb the risk rather than invest in an insurance policy, especially if the potential impact does not justify the expense and the organization could handle the issue with internal resources. Similarly, in the face of specific threats, the company might choose to transfer the potential risk costs to a third party, such as an outsourcing provider — an entity that would assume the risks associated with activities not critical to core business performance.

  5. Establishing specific roles for risk management. Even when equipped with advanced tools to monitor, analyze, and manage threats, a company must create dedicated roles focused on business risk. A position such as chief risk officer (CRO) leverages data and analytics from technological solutions not only to detect the imminence of a danger but also to add tactical intelligence to risk management — crafting strategies to mitigate threats across corporate areas, conducting cost analysis, defining levels of exposure, and assessing emerging contingencies. In the most advanced companies in terms of risk management, each corporate area has a designated threat leader; in other cases, each critical risk has an assigned response team.

In an increasingly challenging business environment, risk management is becoming ever more critical for companies. For this reason, organizations must evaluate their risk management concepts and practices, assessing whether they truly drive a tactical and intelligent approach, or merely serve as alarms that sound once the damage has already been done. Between these two approaches lies a world of difference.
