Identify and mitigate risk throughout your business
Over the last few years, we've seen more and more companies realizing the importance of risk management. However, most of the time, it is only in the areas of regulatory and financial risks. But when it comes to business, companies need to work to prevent losing valuable time and money.
On top of regulatory and financials risks, other areas to consider are business strategies, reputation, market changes, operational procedures and security vulnerabilities. Addressing only a few of these areas is like purchasing a home security system and installing it on only one of four doorway entries. To properly manage risk, an organization must establish a risk management governance model and get buy-in from all personnel to plan and execute the model as it pertains to their jobs.
So, where do you begin?
- Brainstorm which risk areas are relevant to your business.
- Identify and innumerate the vulnerabilities in each risk area.
- Determine a mitigation approach for each vulnerability.
- Establish a governance model, which includes all the vulnerabilities. This should include corresponding mitigation steps and oversight functions.
- Assign responsible parties to each of the steps and involve all levels in the organization.
- Create risk management awareness through a formal campaign.
- Include assigned responsibilities as part of performance measures.
- Identify key performance indicators and monitor accordingly.
- Evaluate any incidents and educate based on outcomes.
- Celebrate success.
Here's an example of the model:
The staff of Ben's Cod, a fishing company, brainstorms the following vulnerability: A counterfeit truck pulls up to the dock, gets loaded with cod and drives off (step 1). That is an operational risk that might financially risk $50,000 per truck (step 2) and has reputation risks if people find out about it.
Ben's Cod employees decide to mitigate the risk by creating a system where dock workers check paperwork before they load a truck (step 5). They would add this to their main risk mitigation plan (steps 3 and 4). The staff then decides what the success indicators would be (step 8); for this company it might be one year without a faulty delivery.
Now that they know how to approach their risk, Ben's Cod's HR department (or a project manager or supervisor) would delegate specific tasks to make the plan concrete. This might be:
- Client manager creates list of client's drivers and license plate numbers.
- HR manager informs clients about the new safety procedure.
- Dock manager posts the list by the loading dock.
- Supervisor educates the dock workers about the procedure (step 6).
- Dock worker sees a truck come in, gets the driver's name and license plate number and checks the list.
- Dock manager notices this and reports it to senior management, which sends the worker a $10 gift certificate to a pizza shop (step 10).
- Operations manager sees that a client changed trucks, realized their system has a glitch and proposed a change to the plan (step 9) to include monthly calls to clients to check on any shipment changes.
Companies can choose to do the hard work of making and keeping a risk mitigation plan or they can keep risking profits. So, is it worth the risk?
Patrick Morin, CPA, is a principal at Baker Newman Noyes and is the director of the Risk and Business Advisory Practice. He can be reached at pmorin@bnncpa.com. Ilona Davis, PMP, is a senior manager in the practice. She can be reached at idavis@bnncpa.com.
Most Recent
Most Recent
Comments