This is the title of the article by BCG published a few years ago. The article discusses the principles that should govern the approach to risk management by companies of all shapes and sizes.
The authors make several points with which I agree. Here are some excerpts:
- Risk management is essential in today’s volatile economy. In a continuously changing economic environment, companies cannot assume a stable risk landscape.
- Stop thinking of risk management as primarily a regulatory issue. Embed risk management in the mindset of the broader organization.
- Risk management is a value-creating activity that is an essential part of the strategic conversation inside the company. The goal of that discussion should not be to eliminate or minimize risk but to use it to create a competitive advantage.
- Risk management starts at the top. The organization needs to demonstrate that it has made risk management a high priority and an integral part of the decision-making process by appointing a dedicated risk leader who reports back frequently to the CEO and the board to discuss the latest trends and any changes in the company’s risk scenarios.
- Risk cannot be managed from an ivory tower. Risk Management should not exist in isolation from the rest of the organization, with an insufficiently granular understanding of the actual business-specific risks the company faces. To avoid this outcome, integrate risk management into the company’s entire routine management processes, including planning, capital allocation, controlling, and reporting.
- Understand the scope of the risks the company faces.
- Plan for how the company will manage those risks.
- Act to mitigate the risks or take advantage of strategic opportunities.
- Avoid relying on black boxes. Although sometimes appropriate, over-reliance on complex metrics or models can muddy the risk management process, turning it from a transparent management activity into a frustrating black box. The appropriate level of complexity is company-specific and depends on the industry, business model, availability of data, level of experience, and mandatory legal requirements.
- Align risk management with a company’s overall business strategy. Companies need to identify all relevant risks – not just those that can be easily quantified. Some of the relevant risks for a company may be those that are qualitative and especially difficult to quantify.
- Risk management is more than a policy; it is a culture. The objective of a company’s risk-management system should be not only to enforce new policies but also to create a risk-aware culture that addresses risks proactively, not reactively, and manages them to create new sources of competitive advantage.
- Effective risk management depends on the free flow of information throughout the organization. Unless employees at all levels of the organization are actively involved in the risk management process, it will be difficult to maintain the unrestricted flow of information. This can result in the most important data getting buried in one part of the organization unavailable to other parts of the business.
- Risk management deals with uncertain futures. As a result, the goal should not be to develop precise metrics or future outcomes but to strive for a general understanding of the probabilities and potential impact of various trends or scenarios on business performance and enable decision-makers to confront the uncertain nature of risk and act accordingly.
- Risk management is never about finding “the answer.” Rather, it is about continually refining the organization’s assumptions about the future and its understanding of the implications of those assumptions for the company’s business. Assumptions about risk often change quickly, so the relevant parameters, probabilities, impacts, and correlations should be revisited frequently.
- It is possible to prepare for unknown risks by building an organization that so excels at crisis management that it is resilient even in situations in which it is blindsided by unprecedented challenges. For example, through developing the ability to detect, capture, and exploit information patterns as well as to think outside existing frameworks and risk landscapes.
- Avoid the downside, but don’t forget the upside. Companies should use risk management also to identify new opportunities and to exploit them systematically. For example, scenario planning should be used to define not only worst-case scenarios but also best-case scenarios. Think in advance about how a company can make the best use of the latest market developments and trends and ultimately make the right decisions.
I enjoyed reading the article and highly recommend it.