I spoke to a senior business leader who talked about how the thoughts of navigating the risks associated with some of the business processes he currently manages keep him awake. He leads the segment of his company that coordinates customers' activities, mobile transactions, and e-commerce payments. Some of the reasons why he was worried were:
- Possibility of a hacker compromising customer data for spam or identity theft
- The fear that a customer data breach will result in reputational damage
- Concern that someone might use a stolen card to make an online purchase
- Thoughts of an employee mistakenly sending confidential data to a wrong email
Addressing all these concerns requires a risk management strategy. An effective risk management strategy is extremely important to mitigate potential risks that might prevent the achievement of business objectives. A survey from EY showed that 84% of board members do not believe their organizations have a highly effective risk management strategy. Risk management strategy is a vital part of the risk management process, which involves the following steps:
Asset Identification & Prioritization
The first step of the risk management process is to identify the organization's assets, including physical assets, employees, information, and intellectual property. After identification, the assets are prioritized based on criticality. Assets could be classified as high, low, or medium based on their criticality to business operations.
Risk Assessment
This second step helps to identify and prioritize risks and to determine how each risk is treated. It involves three (3) steps:
- Risk Identification - This involves identifying the threats and vulnerabilities that place business assets at risk and might impact the achievement of business objectives. Example questions: What are the threats to data in the data warehouse? What harmful event may cause damage to physical assets? What harmful events could endanger company employees at work? What could cause damage to business assets? Is our software susceptible to a malicious cyberattack?
- Risk Analysis - Based on information obtained from the risk identification process, the risks are analyzed and prioritized based on the likelihood of a threat's occurrence and impact.
- Risk Evaluation - This is the examination of the risk analysis results and their comparison with established risk evaluation criteria to determine whether each risk is acceptable or whether additional controls are required to manage or mitigate it.
Risk Management Strategy
This is the third phase of the risk management process. It is also known as risk treatment. It is the approach adopted by an organization to address risk. It leverages the information and results from the risk assessment process, which includes identifying threats and determining their likelihood of occurrence and their impact. It varies based on the company's risk appetite.
- Risk Transfer - This strategy transfers risk to an external party. It is often adopted when a company cannot mitigate the risk associated with a business activity due to a lack of expertise or other complexities. Risk transfer doesn't discard the risk but transfers the responsibility of risk treatment to another party. An example is hedging an exchange rate risk through a derivative contract or outsourcing a software development project to an IT company.
- Risk Acceptance - This is also known as risk retention. It applies when an organization is aware of the risk related to a business activity and accepts it because it is unlikely to occur or is within the company's risk appetite. An example is when a company decides to limit the resources allocated to review checks for transactions below a set threshold because the probability of fraud is low.
- Risk Reduction - This is also known as risk mitigation. The strategy attempts to prevent a risk occurrence by implementing a control to mitigate the risk. An example is a company implementing a customer feedback mechanism to address customer concerns and avoid customer attrition. Also, human resources can implement an exit interview process to reduce employee turnover.
- Risk Avoidance - This strategy prevents a risk from occurring at all because its consequences would be too costly. It applies where an organization does not engage in a business activity because its associated risk exceeds its risk appetite. An example is when a company considers an opportunity to expand its product line but decides not to continue after analyzing the business plan and discovering that it's too risky and would significantly impact the organization.
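As an added example, not part of the original article, the Python below carries the three assessment steps (identify, analyze by likelihood x impact, evaluate against a criterion) through to one of the four treatment strategies for a small risk register built from the concerns in the opening paragraph. The 1-5 scales, the appetite threshold of 6, the decision rule in `treatment`, and every register entry are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass

# Constructed 1-5 scales for likelihood and impact (assumption, not from the article).
RISK_APPETITE = 6                 # constructed criterion: a score <= 6 is within appetite
CRITICALITY_RANK = {"high": 3, "medium": 2, "low": 1}   # asset classes from the article

@dataclass
class Risk:
    asset: str
    criticality: str              # high / medium / low, as the article classifies assets
    threat: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    transferable: bool = False    # could a third party carry it (insurance, outsourcing)?
    avoidable: bool = False       # could the activity simply not be undertaken?

def score(r: Risk) -> int:
    """Risk analysis: likelihood x impact."""
    return r.likelihood * r.impact

def evaluate(r: Risk, appetite: int = RISK_APPETITE) -> str:
    """Risk evaluation: compare the score with the appetite criterion."""
    return "acceptable" if score(r) <= appetite else "treatment required"

def treatment(r: Risk, appetite: int = RISK_APPETITE) -> str:
    """Illustrative decision rule (assumption) mapping a risk to one of the four strategies."""
    s = score(r)
    if s <= appetite:
        return "accept"           # risk retention: within appetite
    if r.avoidable and s >= 3 * appetite:
        return "avoid"            # optional activity with extreme exposure: do not engage
    if r.transferable:
        return "transfer"         # hand treatment to an external party
    return "reduce"               # implement a control to lower likelihood or impact

def prioritize(register):
    """Order by score, then by asset criticality, highest first."""
    return sorted(register, key=lambda r: (score(r), CRITICALITY_RANK[r.criticality]), reverse=True)

# Constructed register built from the concerns in the opening paragraph.
REGISTER = [
    Risk("customer data warehouse", "high", "attacker steals customer data", 3, 5),
    Risk("online payments", "high", "stolen card used for a purchase", 4, 3, transferable=True),
    Risk("outbound email", "medium", "confidential data sent to the wrong address", 3, 3),
    Risk("small transactions", "low", "fraud below the review threshold", 2, 1),
    Risk("new product line", "medium", "expansion fails and drains the business", 4, 5, avoidable=True),
]

def treatment_plan(register=REGISTER):
    """One row per risk: (threat, score, evaluation, chosen strategy), highest risk first."""
    return [(r.threat, score(r), evaluate(r), treatment(r)) for r in prioritize(register)]
```

Changing `RISK_APPETITE` shows how the same register yields a different plan for a more or less risk-tolerant company, which is the point the article makes about appetite.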
The risk management process is an ongoing exercise. After the risk has been identified and analyzed and an appropriate risk treatment strategy has been determined, there is a need to continuously monitor risk by tracking changes in the environment, its impacts on business objectives, and existing risk management strategies. This process will help adjust strategies as required to ensure they are still relevant and effective.
There is no business without risk. Developing and implementing a risk management strategy that allows business executives to identify, address, and monitor risks is crucial to risk management success. Effective risk management creates a healthy environment to achieve business objectives and helps business leaders identify opportunities and actions they need to take.
If you're interested in learning more about how risk management can help achieve your business goals or have any questions, please feel free to follow/connect with me on LinkedIn.