The pressure is on for the risk management discipline. Failed financial giants like Lehman Brothers, environmental disasters like the oil rig explosion associated with BP, massive product safety recalls like the ones Toyota and Fisher-Price issued in 2010, not to mention the string of regulatory settlements topping the $1 billion mark, still loom large in the collective corporate memory. The role of risk management needs to be reexamined to prevent such devastating events.
Given this current state of concern, long-time risk practitioners and newcomers alike are finding themselves with a greater load of responsibilities, requests and requirements. External stakeholders such as customers, partners and investors want to know whether their reliance on your organization puts their own best interests at risk. Internal stakeholders such as board members, C-level business executives, and internal auditors want to know that their organization has formal processes for identifying and addressing its most critical risks.
Individuals with the knowledge and skills needed to build these processes are in greater demand, which means potentially good news on the career front. However, with such intense scrutiny coming from all directions, successful risk management programs must be formally defined and well documented to avoid being the hapless scapegoat when things go wrong.
Successful risk management must resemble its surrounding environment, not oppose it.
Many may feel pressure to slim down the role of risk management to avoid high costs and burdens on the business; however, risk practitioners must watch they do not take shortcuts when defining the parameters of their programs, a step in the risk management process that the ISO 31000 standard refers to as "establishing the context." In Forrester's "Risk Manager's Handbook," part of the recently launched "Governance, Risk, and Compliance Playbook," my colleagues and I outline the following best practices for establishing the context, based on the four core elements outlined in the ISO 31000 standard: internal context, external context, risk management context and risk criteria.
The internal context puts the role of risk management in its proper place
Successful risk management must resemble its surrounding environment, not oppose it. If your organization is collaborative, authoritarian or process-focused, then your risk program should be collaborative, authoritarian or process-focused. When establishing the internal context of your risk function, document the elements of the organization that will be potential assets and potential roadblocks in your efforts. At this point, you will want to answer:
- What are our corporate or organizational objectives?
- Who are the relevant internal stakeholders?
- What resources and processes can we leverage to improve our chance of success?
The external context describes factors affecting risk inputs and outputs
Risk management would be much simpler in a vacuum, but naturally, external factors account for much of the uncertainty that will influence a business's ability to meet objectives. Conversely, there are external factors that you may want to influence with your risk program. Key questions about the external context include:
- What is our organization's current environment?
- What are the industry drivers and trends that will most affect us?
- Who are the relevant external stakeholders?
The risk-management context defines the elements of success
With an understanding of the relevant internal and external factors, you now have to explain the context of the risk management function itself. This will be the most important step in building a program that can meet expectations -- it will also likely be the most difficult. In this part of the framework, some of the most important questions to answer include:
- What are the risk management function's goals and objectives?
- What is the scope of the program?
- How will we measure the success of the program?
The risk criteria set the stage for consistent definitions and processes
In the final step of establishing the context of your risk management framework, you will explain how risks will be articulated, measured and prioritized for treatment. Decisions here directly influence how the organization perceives risk; they guide the composition of policies, procedures, tools and reports. You will have to decide:
- What criteria will we use to describe risks?
- How will we measure likelihood and impact?
- How do we define our risk appetite and tolerance?
Cost concerns, inexperience, limited resources and skepticism all threaten to limit wide-scale risk management programs. But even when these pressures justify streamlining the role of risk management, they should not deter careful consideration for the framework components explained above. To develop a risk program with perceived value and broad support, formalize your framework. Make it something you can pass along to the business, to auditors and to your executives, and be prepared to accept their feedback. Risk management requires participation and support from across the business, both of which are much easier to garner if key stakeholders have a hand in planning.
About the author
Christopher McClean is a principal analyst and research director at Forrester Research, serving security and risk professionals. Join Chris at Forrester's Business Technology Forum, May 6-7, in Washington, D.C.