Let's get right to the point: Why would an organization's executives support a comprehensive, enterprise-wide risk management plan?
Will it improve the organization's bottom line?
Will it enhance the organization's image?
Will it give staff a feeling that management cares?
Risk management is a series of "maybe"s starting with "will a particular risk occur?"
Who needs a risk management program?
The first question an executive must ask is "Does my organization really need a risk management program?"
"For profit" organizations need a risk management program to assure that, should an event occur - and it can be a positive event - the organization will continue to meet its service level agreements and can quickly return to "business as usual" after an event.
At least one (Chick-fil-A) location had to close early after nearly selling out of chicken. At others, lines snaked around buildings and patrons waited upwards of two hours to snag their chicken sandwiches and show their support for Chick-fil-A CEO Dan Cathy's comments supporting traditional marriage.
Non-profit and charity organizations must continue to serve their clients, their raison d'etre and the reason they are funded. Failing to meet the clients' needs could result in lost funding that in turn can lead to executive and staff layoffs.
Government agencies are in a similar situation. If the agency fails to function as required, agency executives' jobs are in jeopardy.
The "bottom line," especially for those in the Executive Suite, is "Risk management is a critical tool to protect the organization's bottom line - and, by extension, the executive's position."
Will a risk management program help the bottom line?
A risk management program may help an organization's bottom line in a number of ways.
The organization's insurers may provide a discount for organizations with viable programs in place. However, assume that most insurers will refuse a discount.
Insurance savings will be generated by determining if the level of coverage really is necessary in specific areas. An in-place program should force close examination of all insurance policies. A critical reading can point out coverage shortcomings as well as provide an indication of how quickly the insurer will pay if a claim is filed.
An insurer may delay payments for an extended period. Are funds available to sustain the organization until the policies pay off?
Executives who engage an insurance adjuster or a lawyer who specializes in insurance law to explain a policy's fine print will be spared surprises in the event a claim is submitted.
Will a risk management program enhance the organization's image?
Clients, especially at the wholesale level, expect their vendors to meet vendor service level agreements (SLAs). If the client lacks confidence in the vendor, the client might select another vendor.
A risk management program includes ways to "advertise" the fact that the organization has a viable - read "regularly exercised and maintained" - program.
Risk management program "PR concerns" include scripts for event scenarios, identification of target audiences (e.g., general media, trade media, financial media, employees, clients), and both identification of, and rehearsals for, the people who will "meet the media."
Who better to meet the financial media: CEO or CFO? Who will stand in for an identified representative if that person is unavailable? All questions raised by, and answered in, a viable risk management program.
Will staff feel management cares?
An organization's personnel are its most important resource.
True, many functions can be automated, but in the end, the human factor is what keeps the operation operating.
Organizations with risk management programs in which all the organization's personnel -- from very senior executives to the newest intern -- participate tell all hands that they are an integral part of the operation; they have an interest in seeing to the welfare of the organization.
"If there is a plan and I'm part of the plan, I know the organization cares about me."
Will a particular risk occur?
First and foremost, the organization needs to identify the risks it faces.
That information comes from all hands, from the executive suite to the janitor's closet.
In the process of identifying risks, the risk management practitioner should be doing double duty as a business analyst/efficiency expert. The practitioner, unlike most personnel in the organization, sees the operation in its entirety.
As the practitioner follows the processes from one functional unit to another, he or she can identify ways to enhance the operation's efficiency or possibly reduce costs.
Once the organization's critical processes are identified, then risks can be identified.
The risk management practitioner, based on the practitioner's knowledge of the organization, recommends both means to avoid or mitigate the risks and the priority in which the risks should be addressed.
The final decision - which risks to address and in what order - is made in the executive suite. The practitioner will implement management's decision.
Final thought: Project or program?
Risk management must be an on-going program composed of projects. A program allowed to lie fallow means both effort and money were wasted. To be ready when it is needed, the program needs to be exercised and maintained. The executive suite needs to assure both happen.
John Glenn (JohnGlennMBCI.com) is an enterprise risk management/business continuity practitioner with more than 13 years' experience. Glenn invites comments on this article and others at his Web site to JohnGlennMBCI@gmail.com.