Even a company that is quite thorough in identifying and mitigating the most important risks it faces may spend valuable resources focusing on minor risks, or even nonrisks. The problem involves what some call “pet risks”: those identified by company managers who wish to assign a perhaps unjustified priority level to an issue of particular importance to their own department.
“For 23 years I’ve seen company management at all levels try to drive their own issues,” says Alyssa Martin, executive partner and partner in advisory services at Weaver, a Southwest regional accounting firm. Normally they look to attach their issue to a bigger, perhaps tangentially related, risk that management is focusing on. “It’s a management tactic, but when it supersedes more urgent risks, it’s not OK,” she tells CFO.
The practice is much less common in a company that “truly has a risk-management process,” says Martin, who spoke on the topic of enterprise risk management at a recent Institute of Internal Auditors conference. “That process will filter out the difference between a risk and an operational issue.” She describes an operational issue as, for example, a garage that needs repair or equipment that’s old.
Risk managers should investigate whether worn-out equipment, say, is a symptom of a bigger issue. “If we are late adopters to technology, and therefore we have a technology risk — that the company is not responding appropriately to changes in technology — then that equipment on its last leg may be a symptom of that risk,” says Martin.
An organization practicing enterprisewide risk assessment would have already identified the most critical risks to achieving the company’s objectives, she adds. The mere fact that the equipment needs to be repaired or replaced should not, by itself, be enough to warrant the attention of risk managers.
Also, many risk-management models include programs that provide visual graphic aids for prioritizing risks. Most operational risks fall low on the chart.
Martin notes that it’s important for consciousness of risk and risk management to permeate an organization. A company that relies on one person or even one team to spread that consciousness is “not at a very high level of maturity,” she says.
CFOs can lead that charge by example, asking intuitive questions about new risk-management initiatives, such as: Does that item truly have a risk-management attribute? Is it a symptom of something that’s already on the company’s top 5, 10, or 15 critical strategic risks? Does it warrant the level of attention that the person driving it is requesting?