5 Considerations for Achieving Resilience in a Dynamic Enterprise

By Bruce Dahlgren, CEO of MetricStream, Inc

Investors know, before they ever place their first trade, that all investments involve some degree of risk. We even craft “safe harbor” statements to warn investors of risks presented in forward-looking statements. Bottom line: we encounter risks almost every day, and maintaining business continuity while weathering the storm is critical to resiliency.

“Being resilient allows businesses and investors to absorb risks without suffering catastrophic failure,” says Michael Rasmussen, internationally recognized expert on governance, risk management, and compliance (GRC). “To achieve resiliency, businesses must learn how to embrace as well as manage risk.”

Control risk and you will create resiliency. But I think we can do better than that. It’s time we learned to thrive on risk by turning it into a strategic advantage in the form of new business developments, new innovations, faster time to market and much more. Take a strategic approach to risk, whether financial, reputational, legal, regulatory, third-party, or even environmental, and you will reap the rewards.

So, what are the top considerations to make when creating a risk-resilient enterprise and turning it into an advantage?

Assess Your Vulnerabilities

From tankers to trawlers, operating any vessel in open seas is a risky venture. But one thing helps keep them safe – nautical charts. Your business should be no different. Having a top-down view of obstacles, hazards, aids, and notifications is a must. Just as ships have navigators, resilient businesses need strategic risk managers to help stay safely on course.

In conversation with a large global communications provider, the head of cyber security and strategy shared that the simple process of defining and implementing “One Risk Score” based on financial impact and grounded in business context has become a framework that enables the company to prioritize investments in cyber security.

Having a centralized view of risks and conducting formal risk assessments on a regular basis with key team leaders from finance, legal, operations, etc., are hallmarks of resilient businesses. This helps ensure smooth sailing when faced with choppy waters. But that is only the beginning. You need data to support your strategy.

Anchor Yourself in Quantifiable Data

It’s easier for companies to consider the impact of a compliance breach when the financial impact is somewhat pre-determined. What’s more difficult is quantifying emerging risks—particularly non-financial risks like reputational risks or cyberattacks. For example, how much would a security breach cost? What capital outflows might it trigger? What kind of financial impact will it have on the organization’s reputation? The impact of non-financial risks is large and visible. Not only do these risks result in revenue losses and fines, but they also lead to long-term erosion of shareholder value.

Corporations need to evolve towards understanding accurate, quantifiable insights on losses as they relate to risk. A strong risk management infrastructure provides the backbone for reporting and analytics, highlighting the aspects of the institution’s reputation, credibility, and trust that could be negatively impacted. These insights can then help leaders make more confident decisions about where to invest next.

Look for Blind Spots

A top-down view of risks works better when coupled with a bottom-up approach. Here, businesses need to empower their front-line workers to report and communicate risks as they arise. Front-line workers are usually the first to experience new risks or be in a lead position to call out breaches of policy, IT, or business operations. By combining the front-line view with the top-down view of risks, businesses can effectively bookend many of their risk management challenges.

Encouraging employees to expose risks is one way of ensuring your internal laundry is not aired publicly. Put a stake in the ground and demonstrate that you are not willing to accept unethical or potentially hazardous behavior. Engage your employees at every level and provide them with a constructive way to share their concerns. In turn, you will help raise awareness within leadership, improve employee engagement and gain the freedom to generate new ideas and innovations.

Bring Together Your Allies

Third-party risk has risen to the forefront of resilient business practices. Recent third-party breaches have exposed businesses to unknown risks latent in their IT and supply chains. Like an iceberg, most of the damage done by a third party can have disastrous consequences, but only after you have hit ground. These types of risks can have a devastating ripple effect that tears holes through all aspects of business operations. Resilient businesses need effective third-party risk solutions to maintain business continuity. Even better is the ability to increase the speed of onboarding new partners, which can help accelerate your bottom line.

Choose your Battles Wisely

Another consideration for resilient businesses to embrace is change, and change to policy management. Policies can become redundant, outdated, superfluous; they can be anchors to any operation. Constant change means businesses need dynamic policy management structures in place so that their policies can ebb and flow in a dynamic business environment. Effecting change can be a tedious process in a large organization, especially when you ask people to step outside their comfort zone. Choose the change you need most and focus on a strategic plan to encourage buy-in. Show them how it aligns to your vision and encourage an open dialogue. Create ambassadors that not only see your vision but know how to execute with excellence.

In the end, we face risks constantly. We strive for resilience to counter the uncertainty and challenges that affect us all. History has shown that those who are resilient and have a clear vision tend to be the pioneers who drive change and reach undiscovered shores. To close with a famous quote, “a ship in harbor is safe, but that is not what ships are built for.” I challenge you to look at risk differently. Don’t just manage through it; make it a competitive advantage.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.