Is Business Risk Process Driven or People Driven?

Both people and processes need to be orchestrated via the latest technology in order to move up from risk mitigation to risk intelligence.

Organizations today are hyper-complex and inter-connected;  they, therefore, face more business risks than ever, so more specifically, what are the causes of business risks, process-driven or people-driven, and how to manage risk more intelligently.

1.  Both Process and People factors Contribute to risk 

It’s not so hard to understand both people and process cause the risks, the percentage split can vary considerably depending on both the context being examined and indeed the organization itself, as well as what level of the risks and issues is talking about.

On one side, the leadership discipline is critical at the top tier of the organization; on the other side, every process should be designed to avoid or minimize risks. In addition, people behavior is stronger in reactive activities than in pro-active activities and therefore you can compensate such human natural behavior by giving enough focus on pro-active planning and business process management.

Risk analysis: One of the important aspects when designing a process is to perform a risk analysis so all reasonable risks are avoided or eliminated at that precise moment, to analyze risks once you have already implemented changes in the process is a total waste of efforts, time and money for the organization, thus,  assessing risk both from people and process perspective is a critical step before process implementation.  

To put simply, it isn't people or process, it is people and process: Processes/controls need to be designed based on (amongst other things) people and the culture within an organization at that time. Do people need to be forced to comply with risk management activity or do they naturally consider it as part of their daily job? These are two extremes, but the point is that processes should not ignore where on this spectrum an organization is.

2. Build a Risk-Awareness Culture 

People aspects are probably the least well-understood part of Risk Management, but the most challenging part to manage risks. In essence, the underlying themes and balance in risk are centered around cultural and organizational transformation. 

Leadership sets the tone for the business culture. Risk management may require a lot more future vision as well as a strategic mindset, therefore, management discipline is critical. Primary responsibility for people's behavior and performance must lie with the higher levels of management; they after all set the tone for the organizational culture. Leadership is not only saying, but acting, showing, guiding, teaching, etc., and that comes to a leadership process, as to tackle risk is to create a culture from the board of directors to senior leadership team to front desk/customer service staff.

The meaningful Enterprise Risk Management (ERM) is as much about changing organizational culture as it is anything. Instead of risk management being viewed as the role of a few people in risk management or internal review, it needs to be viewed as the responsibility of every person in the organization that makes a decision and involves risk. Since nearly every decision impacts future events that have yet to happen, this really means that understanding and managing risk should be a part of everyone's job description. Having great processes will not address the organizational change management challenges needed to develop the needed organizational culture. Therefore, process management and change management need to go hand-in-hand.

Cultural values: Cultural values are the result of strategic and governance model of the organization that is supported by their processes, culture is not what you said but what you really do ( live by the values), how can you get people responsible and willing to live your culture? Your recruitment process and your internal process management system as well.  In other words, people are important of course they are the most important element of the organization, but process define the rules and boundaries of performance.

Managing the Grey: In terms of risk avoidance and the risk-tolerance culture, there is grey area in between, the key is balance, give enough autonomy to the business to make its own decisions on taking or avoiding risks, put in place a mandated risk tolerance structure via escalation requirements based on current risk ratings, and get the balance right should result in the future vision aspects, and also provide information to the assurance lines that evaluate the business risk profile for analytical breakthroughs.

Therefore, the holistic risk management shall provide the strategic light and tactical angles to the issues of and in support of pending local, national and global efforts and mission/challenges of changing working environments, economics, regulations, and globalization. Both people and process need to be orchestrated via the latest technology in order to move up from risk mitigation to risk intelligence.

Posted in: Business Process Management,culture Master,GRC