by Thomas Frenehard, GRC, SAP

I think we’ll all agree: risk management is all about breaking silos. Indeed, an enterprise risk management (ERM) program can only be efficient if it crosses departments and functions.

If only one area of the organization successfully monitors and mitigates its risks, then the program as a whole isn’t effective in protecting the company’s value drivers.

However, even for those companies who have successfully crossed this bridge and made it truly enterprise-wide, there is one last pitfall: the isolation of the risk owner.

If the opinion of the risk owner is the only one sought, then the crossing of silos will have been in vain, because the end result would be somewhat similar and would only reflect the views of one.

That’s why, to my mind, collaboration is so vital in risk management.

I’d like to illustrate how I believe collaboration can be achieved and significant gains can be obtained from such an approach.

Collaborate for Risk Identification

No one person can be a specialist in all areas, so being able to gather different experts together can truly help in identifying all the potential impacts of a risk event. But most importantly, it helps in listing all its drivers. These drivers are the risk sources that should be addressed by proactive measures in order to prevent the risk from occurring. Indeed, avoiding a risk usually has a lesser cost than recovering from a crisis.

Collaborate for Risk Analysis

As with identification, different experts will have different views when assessing the impacts of a risk. An accountant will very much focus on the financial aspect, while an operations manager might be more inclined to document the potential disruption in the business chain. Involving marketing and communications experts in the analysis phase would also enable you to capture any reputational impact or change in customer perception that could be experienced.

Collaborate for Risk Mitigation

Concerning the response strategy of a risk, again collaboration is crucial. An internal control and compliance specialist will be able to know what controls are already documented and can be leveraged to cover the risk – or if none exist, this person will be the best suited to propose the creation of a new control.

Our operations manager from earlier on might be the best expert in business continuity for this part of the business. Indeed, some continuity plans might already be in place and can, once again, be used to mitigate the risk.

Finally, someone from the insurance department will not only be able to advise on the company’s coverage level, but will also be able to use this information to review the current insurance policies purchased. This optimizes the cost of insurance for the company and also provides better coverage of the risk thanks to adapted criteria.

Bottom Line

At the end of the day, it’s always up to the risk owner to decide what to do. But having these views can significantly help in accurately describing a risk and its outcome and in defining a realistic response strategy.

What about you? Do you use collaboration in your risk management process? Are there any areas other than the ones I mentioned where you have integrated this approach?