Integrate enterprise risk management and process excellence
Thomas Kohlenbach, senior product specialist at Nintex, shares his thoughts on driving process excellence through risk management
The adage ‘no risk, no reward’ has long been applied to everything, from nights at the casino to sports strategies, and acknowledges that where there is a benefit to be had, it comes with a potential cost.
However, when you are making decisions at the enterprise level you cannot afford to be so flippant. Risk is no joking matter, and businesses spend a significant amount of money each year trying to manage and mitigate the risks they face.
While risk cannot be avoided, it can be managed wisely to ensure your organization sees the benefits of its strategies without inviting disaster.
The key to doing this well lies in your processes.
Make teams aware of non-compliance risks
Most businesses recognize and manage their operational risks as a routine part of their day-to-day function. Everything from the health and safety policies and programs to information security and hiring practices plays a part in protecting assets and activities from potential costly issues.
While few companies would attempt to run any scale of operation without acknowledging and trying to mitigate these potential problems, the degree of success can often come down to how integrated those efforts are in the actual operations.
Enterprise risk is no exception. According to a study by the Poole College of Management at NC State University: “The ERM (Enterprise Risk Management) function is valuable in pushing management to focus on the longer-term risks that may not seem significant today but are building in significance over time and may require more lead time to prepare a response.”
While few would deny the importance of communicating the risks around plant and machinery to front line staff, what about the dangers of non-compliance with industry or legislative standards, the risk of market shifts and new competition, or the possible outcomes of recession and financial fluctuations?
Managing significant business hazards is key not just for strategic managers, but at every level of the organization. But to do this effectively, the risks related to non-compliance should be clear to all.
Link risks to everyday activities
Risk compliance starts with good process management. Whether a risk is operational or at the enterprise level, it can be tied to the regular activities of the business. Financial market fluctuations relate to investment and cash flow protocols, market shifts impact product development and production practices, and changes in competition need to be worked out through marketing, research and development, and strategic orientation.
For every risk, there are numerous processes at every level that have a direct bearing on the organization’s exposure. Where processes do not exist for an enterprise risk, the risk analysis exercise should highlight this and developing those procedures should become a priority.
Once the processes are identified, they need to integrate the risk information. This is easily done for operational risks, but there is no reason not to incorporate enterprise risks the same way.
The key is providing visibility of the risk for all staff. A good process management platform will allow teams to see where risks connect to their processes and identify what those risks are. While the enterprise risks are held at an executive level, their impact can be mitigated on the ‘shop floor’ through well-communicated risk management that ties to everyday processes.
A clear example is in compliance issues. Not meeting legislative or industry standards can have disastrous consequences for a business. In some industries, such as the medical field, non-compliance with key requirements will effectively shut down the entire operation.
When there are changes to legislation or the introduction of new standards, the communication of those requirements needs to tie directly to the processes that affect them.
Teams engaging with these processes need to see that certain steps are not simply ‘check boxes’ that could be shortcut on a busy day, but vital elements for the protection of the business. Managers need to know that those steps are not just acknowledged, but adhered to with due care.
Integrate risk management for a healthy process culture
When enterprise risks are tied to business processes, there is greater visibility for all parties. It adds context to risk management, ensuring that signoffs and reviews are given the significance they deserve.
When risk managers review the controls, they can see them as applied to the relevant operations. What is more, a well-managed process platform will notify risk managers in real time when there are relevant changes to the risks they oversee.
If a process that connects to their risk portfolio is updated, it should trigger a risk assessment or review for the relevant risk manager. Better yet, those who are responsible for the risk management could hold approval rights for changes to those processes, ensuring there is no need to undergo rollbacks if changes introduce vulnerability.
Integrating risks into processes makes sure that these vital business practices are not siloed. When staff sign off risk controls as active, they do so with an application mind-set, taking the more intangible aspects of enterprise risks and anchoring them in the day-to-day realities of the business.
When process champions look at enhancing process execution, they see where it could impact the business through tagged operational and enterprise risks. A great process management platform will make all of this possible online too, providing email alerts and escalations for non-compliance or out-of-date controls that let dispersed workforces engage with the risks and processes, wherever they are.
Enjoy the reward of well-managed risk
It is vital that risk management is a process consideration, especially for enterprise risks. Well-managed processes in an organization with a focus on process excellence will integrate risk management into the very documents that direct their activities.
Those connections provide visibility across the business for the important strategic risks the company faces, and ensure that risk management is not restricted to your executives, but becomes a shared responsibility in your organization.