As more and more countries, more and more companies, as well as societies and individuals, have started to awaken from a more or less pronounced state of bewilderment after several months of lockdown, the word « risk » and its associated corporate avatars « risk management » and « enterprise risk management » have come once again to the forefront.
Once again because it had for instance already been the case in the wake of the 2008 global financial crisis or even earlier with the Enron and Arthur Andersen scandal. It is as if risk management would be a subject matter deemed relevant only when a crisis occurs and solely when a risk becomes tangible and concrete and that outside of these specific periods, risk management would merely be a check-in-the-box exercise, entangled in bureaucracy and appearing exclusively in the form of static risk registers, overcrowded checklists, reports and dashboards of all kinds for the sake of routine management reporting.
This may be due not only to the confinement of the discipline of risk management in compliance and internal control but also to the siloization of the risk management function within organizations.
This may also be due to the way risks are articulated by risk practitioners themselves, i.e. insisting on downside risks without enough highlighting upside risks. As a risk practitioner myself, I must admit that most of the time decision-makers are asking us to focus exclusively on “negative” risks. As a matter of fact, this is very often due to the lack of involvement and non-recognition of the strategic value of risk management by the top management. The problem here is that we may miss “positive” risks that can be taken to contribute to the organization’s objectives and to enhance the organization’s performance and competitiveness.
This may also be due to the way risks are articulated by risk practitioners themselves, i.e. insisting on downside risks without enough highlighting upside risks. As a risk practitioner myself, I must admit that most of the time decision-makers are asking us to focus exclusively on “negative” risks. As a matter of fact, this is very often due to the lack of involvement and non-recognition of the strategic value of risk management by the top management. The problem here is that we may miss “positive” risks that can be taken to contribute to the organization’s objectives and to enhance the organization’s performance and competitiveness.
Moreover, enterprise risk management has to be more holistic and de-siloed as it is clearly linked to business continuity, crisis management, disaster recovery and the likes. IT risks as well as operational risks must also work hand in hand, especially in an increasingly digitalized world and as the expansion of teleworking has shown. And there is also a need for a broader view on potential strategic risks.
The current crisis has clearly reinstated the need for security and more broadly the need for more resilient business models where the discipline of risk management has definitely a role to play. And I would dare to say a new role to play.
A more proactive approach to risk is needed, where risk management is framed around business impact and correlated with business strategy and business objectives in a way that is adding value to the organization and helping decision-making.
In this future of great uncertainty, there will still be threats to anticipate but there will also be opportunities to seize.
I welcome your thoughts and comments.