In the past, companies have tried to manage risks by focusing on potential threats outside the organisation: competitors, shifts in the strategic landscape, natural disasters or geopolitical events. They are generally less adept at detecting internal vulnerabilities that creep into organisations and other human-designed systems. Indeed, as companies increase the complexity of their systems, they often fail to pay sufficient attention to the introduction and proliferation of loopholes and flaws.
Despite all the rhetoric and the money invested in it, managing risks is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure all the employees follow them. Many such rules are sensible and do reduce some risks that could severely damage a company’s share price, profitability and, of course, reputation. But rule-based risk management will not diminish either the likelihood or the impact of a disaster. Engineering and managing a company’s evolving risk portfolio has become an organising principle for strategic choice, and companies that succeed in doing this generate far higher returns on their equity than those that stick with their traditional portfolios.
When common sense fails, it’s not just a gap in basic risk-assessment processes, it’s a symptom of a systematic and cultural collapse.
Understanding, defining, and actively managing a company’s risk appetite requires a core of executive directors on the board who possess solid business and risk expertise.
"You brought a fresh perspective to risk management with your heat-map. Now we can see dynamically the risks we’re running with"
VP of an Energy Company