Speak the same risk language company-wide to detect and react to new risks faster.
The credit crunch and subsequent economic downturn have dramatically increased business risk-related challenges.
Many companies have been slow to detect and react to these risks, a delay that threatens their competitiveness.
Companies have learned the hard way that they need to reduce their detection time in identifying new risk-related events and trends. Flexibility is limited. They need time to adapt practices and processes. Early detection provides organizations with precious extra time to react.
At the same time, company structures and communication channels should facilitate a rapid response. The faster companies detect and react to new events, the more time they have to turn risks into opportunities — a true competitive advantage. In the pursuit of effective risk and opportunity management, time is of the essence.
Developing a common risk language
A fast response to new risk-related events requires that the same risk management language is spoken throughout a company. Unfortunately, when it comes to risk management, many organizations resemble a modern-day Babylon of language confusion.
A common risk management language is much more than an agreed set of symbols for communication. It means shared definitions, company-wide priorities, a common culture of risk awareness and accountability, and clear procedures for measuring, monitoring, communicating and dealing with risks.
Companies hampered by a lack of common risk management language and related procedures are incapable of defining and prioritizing different risks, let alone measuring, communicating and monitoring them.
All too often, the different “risk dialects” spoken in an organization are so diverse that a conscious effort is necessary to create a common understanding of the organization’s risk profile.
Well-known risk management dialects
- Hazard analysis and critical control points (HACCP) — the physical, chemical and biological threats to food and drug safety
- SOX 404 top-down risk assessment (TDRA) — a financial reporting risk management tool to comply with Section 404 of the Sarbanes-Oxley Act of 2002
- Failure modes and effects analysis (FMEA) — a procedure for analysis and classification of the possible effects of failures on a system; used in manufacturing and now in the service industry
- Benchmark assessment tool (BEATO) — a tool and a methodology originally designed to check compliance in security assessments
- Probabilistic risk assessment (PRA) — a methodology for comprehensive assessment of risks associated with complex engineered constructions such as airplanes or nuclear power plants
Different units and sections in organizations will view risks from varied perspectives. Developing a common language that everybody understands will allow organizations to define, measure and prioritize different risks and to compare them on a common risk dashboard.
Risk-specific scorecards are used to
assess division-level operational risks
Of course, risks change. Like all languages, a risk management language is constantly evolving and its speakers should adapt. Not developing a common risk management language because risks change is like not installing anti-virus software on your computer because new viruses constantly appear. Create the language, and then update it periodically.