Embedding Sound Risk Management Practices into an Organization
Core principles for risk management adoption within an organization.
In the last few weeks, I've discovered-or rediscovered-that it's really hard to get risk management professionals to talk about money, or to quantify the impact of their efforts on the business. But it's not because they're unwilling to talk. Most are more than willing to share what they've learned or what they're seeing in the industry.
Some might even be able to give rough estimates on how much they spend on e-discovery or PCI compliance or internal audits, but not many can wrap their arms around how much goes into managing risk across the business. In fact, according to Protiviti managing director Scott Gracyalny, what many of them have done in terms of risk management to this point, they have done out of fear.
In other words, they want to stay out of jail, avoid fines and prevent bad publicity for the company. "It's been more of a defensive position, posture or set of actions. It's reactive instead of proactive ..." he told me recently.
They rationalize their fear ... with a handful of ROI indicators: I'm going to do this because, even though I can't put my finger on it, intuitively I know I can reduce my risks. I can ensure compliance. I could reduce my audit costs. I could reduce my internal costs for documenting, testing and evaluating controls. Intuitively, I know I can do a better job of detecting or preventing fraud.
And not everyone is taking a reactive approach to risk management. Gracyalny said Protiviti has seen a shift in mindset with some clients who are seeing risk management as opportunity. They're trying to take a more proactive approach. He explained:
They're saying, 'You know what? I see this as part and partial to running my business. Therefore, I want to better understand my risks across the enterprise. I want to involve more individuals across the enterprise in identifying, measuring and monitoring these risks, as well as effecting positive change in correcting any deficiencies.'
And once the proactive companies get a better grip on their risk management activities and what they cost, Gracyalny says those companies will align and integrate risk management with enterprise performance management. And at that point, he said, they might have more measurable numbers in terms of spending or impact on the business.