Business Case for Risk Management
Businesses are increasingly challenged to stay agile and adapt to disruptions in their industry. However, most businesses have not focused on how this translates to a crisis situation. This becomes more challenging as more and more businesses become decentralized but operate at a global scale. Risk management is a way to streamline many of the problems that arise in decentralized business units.
According to Deloitte's Extended Enterprise Risk Management (EERM) 2018 report, 55 percent of organizations are now equally or more decentralized. Many organizations are trying to bring their risk management in-house in order to have more insight. Shockingly, only 10 percent of respondents are currently using customized systems for their risk management, while others are grossly unprepared to handle a crisis across business units.
Some companies are even capitalizing on their risk management as a way to uncover unnecessary redundancies and potential revenue streams.
Many multinational organizations are starting internal innovation hubs to tackle disruptions from competitors, but why not use the same model for crisis management? Risk management can help uncover new revenue streams and build efficiencies through process optimization.
Why not innovate through risk management?
Your crisis management team is formed to develop pre-set response procedures. This process allows for open discussion of what is most likely to happen: for example, which business units need to be involved, based on the impact assessment. The crisis management team should be scalable based on the type of crisis and its organizational impact. In most crisis scenarios, communications and operations play a vital role.
How to identify disruption?
Here are some creative ways to start identifying disruption:
1. Historical incidents:
Use your own company's past experience or industry crises to start addressing likely scenarios and lessons learned. This is a great jumping-off point because these scenarios are likely to happen again. This prospective hindsight allows your organization to work backward, understand the risk, and identify what could have been done to prevent it. It also prompts some introspection on whether your company is aware of these disruptions and how you plan to respond to them.
2. Business Impact Analysis (BIA):
A key part of developing your risk management is having a business continuity strategy. This involves identifying and calculating likely scenarios that will prevent your business from running its core functions.
This process requires either quantitative, data-driven assessments or qualitative data from subject matter experts. The first step in the BIA is to map out all critical business functions. After the data gathering, it is time to compare the recovery time objectives (RTO). The RTO is the amount of time a business function can be out of operation before it has an unacceptable impact on the organization. Across the different business functions, the lower the RTO, the higher the importance. To use the BIA effectively, you must calculate the costs of mitigation to prioritize investment.
Some starting points for BIA:
Industry regulations and standards:
Depending on your industry, there may already be a set of standards and a regulatory checklist that your company can use as a framework.
See resource: International Organization for Standardization
Your insurance policy can give you some insight into the likelihood and risk of certain disruptions and what data is needed for insurance claims. In many cases, insurance companies prefer organizations that invest in resiliency such as crisis management and business continuity.
3. Identify disruptions by business trends:
- Some great resources are:
- Organisation for Economic Cooperation and Development (OECD). Search their database library on market trends and policy reforms.
- World Economic Forum: Global Risk Report 2019 – A summary of the risk landscape from an insurance and human perspective
- Cyber attacks are a common theme in today's business management and a real threat to your reputation. Have you investigated and updated your plans and procedures?
- Your competitors can help inspire what to invest in. If your competitor releases news about new initiatives they are undertaking, chances are your stakeholders will be looking to you for the same.
4. Creating a culture for feedback and innovation:
Your business culture can empower your greatest assets, your employees. The employees who are implementing your risk management strategy may have valuable insight. They can help prioritize what needs to be mitigated, as well as the key steps to ensure critical business functions.
- Empowering your employees to identify possible risks and incidents helps them plan ahead. Preparing resources for fast response is key. At the same time, discovering opportunities to build efficiencies or capitalize on business innovation can be a huge asset.
- Developing a feedback loop: Hold exercises to practice your set procedures and ensure your organization is prepared. This can involve third-party contractors or fourth-party response teams, depending on your scope of operations.
- Continuous training and evaluation of your risk management strategy: This includes running scheduled exercises to ensure response and recovery times are optimal and meet industry standards.
In conclusion, there is a growing need for business units, especially in larger corporations, to develop risk management plans and exercises in response to the most critical situations. Identifying the disruptions and crises that your company will most likely face is just the first step in preparing for the worst-case scenario. Practice makes perfect, and the faster and more efficient your response, the faster you can recover.
Krizo makes crisis management plans simple, enabling you to respond quickly and efficiently to any unwanted event. Our platform centralizes communication, actions and critical information.