Managing the unseen threats to your enterprise
Risk is a description of the kinds of difficulties that might be encountered given a plan or set of tactics.
Risk management, the proactive anticipation and management of identified risk, has been long established in the financial and insurance industries.
In the federal market, risk management has become commonly associated with IT security and especially the Federal Risk and Management Program (FedRAMP). However, risk is an issue that extends far beyond IT and permeates all organizations.
Risk management has four overarching pillars:
- Strategic – vision, political threats and opportunities, diversification, management’s ability to perceive/anticipate market and industry influencers, company adaptability, ethics, strategic metrics, degree of risk tolerance, and crisis management plan
- Financial – having adequate funds to perform, stable source(s) of funding, accurate reporting, and routine and surprise audits
- Operations – policies, processes, performance, compliance, tactical metrics, and quality
- Technological – having the right platforms and tools for the work to be performed, technology competence, IT security, and innovativeness.
Who owns risk management, as a function, in a company? Clearly risk management spans across company functions and boundaries.
How might a company proactively manage its risk? Should risk management, as a function, be owned by an executive, one department, all managers, all employees or ultimately the Board?
Risk Management and its mitigation are too broad in scope for one person to manage it. The simple answer is that everyone owns risk management. However, when everyone is an owner, it is owned by no one.
Traditionally, boards of directors or advisors have three primary responsibilities or areas of concern: (1) ensuring the accuracy and integrity of the company’s financials and concomitant reporting, (2) ensuring a commitment to ethical conduct across the company, and (3) validating the company’s strategic vision and plan for the future i.e. future viability. Normally boards do not have insight into operations or tactics that create risks for the company until there is an evident negative outcome.
When negative consequences or publicity arise, a company’s reputation, brand, and business model can put at grave risk. The company may or not have the time and resources to recover. With senior management being increasingly pulled into routine operational or financial issues, they may neither have the time nor perceive the company’s myriad sources of risk.
Boards should lead an ongoing discussion concerning how the company identifies, assesses, monitors, manages and reports the kinds of risks the company may encounter and their mitigation.
Bob Davis has over 35-years’ experience in the federal information technology industry. He has held senior positions with products- and services-oriented, high-tech IT companies during his career. Bob has successfully worked for large- and medium–sized companies, and small businesses. Leadership positions have been held in business development, marketing, and program management. Bob has a doctor of management from the University of Maryland University College. He works for a medium-size company in our industry.