Golf never seemed exciting to me. Striking the ball, lazily walking after it, chit-chatting to pass the time, and repeating the same on the next hole. I wasn’t even ready to bring it under the umbrella of sports. But, for the last three years I am in the course with the sunrise and just loving the various delicacies the game has to offer. We can talk more about golf, but some other time.
The point is, to enjoy and realize the benefits of anything, you need to fully understand and execute it the way it demands. One area which has been the victim of the same issue in business is Risk Management. In my opinion, there are four misconceptions that have made Risk Management look like a square that is opaque. People have not been able to look into what RM has to offer. These four misconceptions are detailed below:
Luxurious concept – relevant for big organizations
For organizations of a certain size maintaining a separate department for Risk Management might be luxurious; but not the concept. It is indeed a necessity, an essential for ensuring sustainable business success. Each and every organization is practicing it to a certain degree in one way or another, consciously or unconsciously. What might be missing is the consistent application under a certain framework.
The risk register is the ultimate outcome
It is often thought that the development of a risk register with some fancy charts and responsibilities assigned is the whole purpose of the risk management program. It definitely is not, in fact, a very small element in an overall scheme of things. What one should strive for is making risk practices part and parcel of daily organizational activities. Be it a decision related to a new product launch, annual strategic plan preparation, or considering an outsourcing option e.t.c.
The responsibility lies with the Chief Risk Officer
If we have a CRO, he will take care of the risks. That’s what the management in general thinks.
He is not the one directly responsible for achieving your goals, how he could be for managing the related risks. Everyone in the organization is responsible to manage risks in his/her domain. CRO is there to provide a framework, inculcate the risk-conscious culture (with the assistance of top management), draw an integrated organizational risk picture, facilitate in running the process and challenge the risk owners where required.
Another addition to the compliance functions
Well, that depends on how it is run in the organization. In its true sense it should strive to facilitate in identifying, assessing, and treating the risks against current business objectives; and those related to not capturing the available opportunities.
Yes, when it is restricted to quarterly updates of risk registers it will appear to be compliance-oriented.
In nutshell, risk management is a part of the overall performance management and if treated in that context can do wonders for the organization.