With the accelerating speed of change and emerging digital technologies, businesses today face unprecedented opportunities and risks. Hence risk management or, at a higher level, risk intelligence becomes a strategic imperative for business execution. From a structure perspective, are the risk management functions fragmented (reporting to many different managers) or centralized (reporting to one management chain)? What role has responsibility for risk management? What are the positive aspects and challenges of your organization's risk management structure?
Deploy an enterprise-wide risk management structure: The organization itself is a key element in the "soft" planning stuff. Do not deny the necessity of clear organizational risk management structures which define "individual" roles/structure, such as risk management, compliance, internal audit, business processes, continuous improvement and specific functions (quality, environment, safety...). But if these structures act like silos (a compliance, an internal audit, a risk management and a quality organization, all of them having their own "findings" and "ideas"), how does that loop back into a corporate improvement program, improving business processes or launching projects in a coordinated way? If all these organizations (compliance, audit, risk, quality, continuous improvement...) go into operational departments (marketing, production...) in parallel, you may drive everyone crazy.
People are still the weakest link in risk management, or in any kind of management. This involves not just one single manager, which leads to "buy-in" discussions. What organizations are struggling with is a bigger picture that explains the interplay of these structures in a practical way: one in which the processes are structured to give everyone an understanding of each person’s assignments, allow for a quick response from a higher official when needed, and help people know whom to send questions to. The most time-consuming part of a risk management professional's job is gathering, identifying, cleaning and then assessing data; determining the ROA on risk management programs should enable a reduction in the "preliminary" risk work and an increase in actual risk management actions. This should be the primary target of risk management software. The challenge is getting information on assignments for which you need guidance from other departments; more often than not, there is a time gap when consulting department heads from other groups. Leveraging incentive programs such as "Pay For Knowledge" and "Pay For Performance" is therefore important. It's strange that in many organizations, the business and the technology are often addressed first and the human change strategies are often forgotten altogether!
Risk Management Measure: It makes sense once people are on the same wavelength about how they can use both quantitative and qualitative factors to assess risk under a valid math model, or with any ordinal scale, be it in spreadsheets or in risk tools. In essence, the goal of risk management metrics and measures is to build understanding for decision support. Start by teaching the basics of scalar measurement: the ins and outs of ratio-based scalar measurement vs. ordinal ranking scales. And build a culture of risk intelligence in which people can communicate and collaborate to manage risk via more tangible data and information.
To put it simply, risk management is no longer one single department’s job, but an RM mechanism which needs to be well embedded into both soft business factors such as corporate culture and hard organizational elements such as processes. It is not only about risk mitigation or control, but should become more mature and advanced as risk intelligence. So the risk management structure is also not a static hierarchy, but should be agile enough to adapt to changes, and designed for digital transformation.