Managing the unseen threats to your enterprise

Risk is a description of the kinds of difficulties that might be encountered given a plan or set of tactics.

Risk management, the proactive anticipation and management of identified risk, has been long established in the financial and insurance industries. 

In the federal market, risk management has become commonly associated with IT security and especially the Federal Risk and Management Program (FedRAMP).  However, risk is an issue that extends far beyond IT and permeates all organizations.

Risk management has four overarching pillars:

  • Strategic – vision, political threats and opportunities, diversification, management’s ability to perceive/anticipate market and industry influencers, company adaptability, ethics, strategic metrics, degree of risk tolerance, and crisis management plan
  • Financial – having adequate funds to perform, stable source(s) of funding, accurate reporting, and routine and surprise audits
  • Operations – policies, processes, performance, compliance, tactical metrics, and quality
  • Technological – having the right platforms and tools for the work to be performed, technology competence, IT security, and innovativeness

Who owns risk management, as a function, in a company?  Clearly risk management spans across company functions and boundaries.

How might a company proactively manage its risk?  Should risk management, as a function, be owned by an executive, one department, all managers, all employees or ultimately the Board? 

Risk management and its mitigation are too broad in scope for one person to manage. The simple answer is that everyone owns risk management. However, when everyone is an owner, it is owned by no one.

Traditionally, boards of directors or advisors have three primary responsibilities or areas of concern: (1) ensuring the accuracy and integrity of the company’s financials and concomitant reporting, (2) ensuring a commitment to ethical conduct across the company, and (3) validating the company’s strategic vision and plan for the future, i.e., its future viability. Normally boards do not have insight into the operations or tactics that create risks for the company until there is an evident negative outcome.

When negative consequences or publicity arise, a company’s reputation, brand, and business model can be put at grave risk. The company may or may not have the time and resources to recover. With senior management being increasingly pulled into routine operational or financial issues, they may lack the time to perceive the company’s myriad sources of risk, or may simply not perceive them at all.

Boards should lead an ongoing discussion concerning how the company identifies, assesses, monitors, manages and reports the kinds of risks the company may encounter and their mitigation.

About the Author

Bob Davis has over 35 years’ experience in the federal information technology industry. He has held senior positions with products- and services-oriented, high-tech IT companies during his career. Bob has successfully worked for large- and medium-sized companies, and small businesses. He has held leadership positions in business development, marketing, and program management. Bob has a doctor of management from the University of Maryland University College. He works for a medium-size company in our industry.

Reader Comments

Tue, Nov 3, 2015 John Oberdyne

Mr. Davis provides a very solid rubric with which to look at this issue. However, he seems to focus on structure and process in this brief think piece. He should probably add more emphasis on the Business Environmental Values. For example, in today's world, you can never be too skeptical or watchful about your current employees and contractors and subcontractors. Without using the word, it is perhaps a counter-intelligence mindset. Learn about them, understand them, and, within the law and your rights as a corporate employer, sample their communications. Every manager needs to be alert to disaffection, and know what to do about it, including letting some people go if they poison the business atmosphere and turn off clients. In doing so, the corporate executives should not miss considering what board members do or say, and what the company's auditors, tax preparers, and outside recruiters pose in the way of risk. Accountants in particular have been the root of many problems in troubled gov con industry firms.
