Know what you are looking for when defining your organization's relevant risks.
Many companies have not clearly defined what their main risks are. Even at the board level there can be disagreement about the most relevant risks their company faces.
Vertical consensus: determining risks across business units and divisions
There are multiple reasons for this lack of risk consensus. In a siloed organization, different units and divisions within a company may have very different views on the gravity of a risk.
Managers in the human resource or marketing function, for example, may have different risk perceptions from managers in the legal or internal audit function. A similar lack of consensus may exist between managers in different business lines.
Silo thinking can have very grave consequences. In the absence of company-wide definitions, priorities and procedures, different business units will always press for more attention for “their” risks once detected. And those best able to articulate their perspective may get the resources, instead of resources going to the area most directly affected by a key risk.
Senior management and board members need to define the main company-wide risks, communicate them throughout the organization, and develop procedures to measure and monitor them.
Vertical silo organizations should also pay special attention to systemic, cumulative risks. These are present in multiple silos and may represent a very significant risk to the company as a whole, although from the perspective of each individual silo, they may not seem that important.
Horizontal consensus: sharing a common risk language through the ranks
Managers in different horizontal, hierarchical layers within an organization tend to have different perceptions and time frames when thinking and talking about performance and risk.
Strategic risk analysis and its related scenario analysis are often perceived to be the domain of executive management and the board. Lower down in the organization, managers stress tactical SWOT analysis, operational risks and related scorecards, or very short-term budget-to-actual considerations.
The board may be asking, “Are we in the right markets going forward?” But further down in the organization an operational manager may ask, “Do I continue selling to company X now that it has been denied credit insurance?”
As in the case of silo thinking, management should communicate the company-wide risk management priorities and procedures up and down the hierarchical layers of the organization. And regardless of horizontal layer, everyone should share the same view regarding the most important short-term, medium-term and long-term risks and how to manage them.