The results of a recent survey by North Carolina State University and the American Institute of Certified Public Accountants reminded me of the slow progress being made by organizations in implementing risk management. Titled “The State of Risk Oversight”, here are just a few of the findings from the survey.
Why do most organizations see risks increasing, yet less than a quarter have mature programs, with even fewer considering them as providing value. I believe the problem is threefold.
First, the perception of risk management is often viewed in the outdated traditional sense as being focused on hazard risks that have negative outcomes. Busy executives are not inclined to focus on the downside, they are operating in a competitive environment and are more interested in finding the upside.
Second, risk management is looked upon as a stand-alone activity that is separate from the main activities and processes of the organization. It should be part of the responsibility of management and an integral part of all organizational processes including strategic planning.
Third, there is little learning and development provided to executives and managers on decision making and how risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
If risk management continues to be viewed more as a compliance exercise than one that produces strategic value, then it will not succeed. If the proper level of training is not provided, it will never be embraced in the c-suite, not to mention other managers. It must anticipate threats as well as identify opportunities to provide a competitive advantage.
I believe there is a better way. Simply engage the management team in a series of conversations that clarify their objectives, helps understand the environment in which they seek to achieve those objective, identifies threats and opportunities, focuses on the most important issues, and responds with the best plans.
It’s all about making the best-informed decisions that support the achievement of objectives, and it doesn’t need to be complicated or time-consuming. Until it is perceived as protecting and creating value, organizations will spend their resources elsewhere.