Risk Management: Making the Case to Leadership
Getting leadership to take an interest in risk management is not always easy. If you perform a risk-related role, chances are you have encountered this issue. While it’s understandable that executive management is wary of certain changes, every organization, regardless of size, location, or industry, has risks that require attention and monitoring.
Here are a few ways to gain more support from leadership for your risk management program:
Define what success is. Assessing your program maturity can be a tricky first step. Know where you are today and where you would like to be tomorrow with your risk management program. Be sure to communicate this up the chain, so everyone is working toward the same goal. According to Michael D. Kelly, Senior Architecture Consultant for Target, “If you don’t tell the stakeholders what success means, the risk management program will probably fail, or take a long time.”
Understand the cost of your most crucial risk. Pick a risk with both a high probability and a high impact to present to your leadership. Figure out what it would cost should this risk become a reality. Who will be affected and for how long? What impact would this risk have on business operations as a whole? How much would this event cost the organization should it occur? Speaking in dollars and cents makes it much easier for leadership to see the significance.
Identify and prioritize risks. Now that leadership has seen the impact of your most damaging risk, define all other organizational risks and prioritize them based on probability and impact. Be systematic about your approach. Work from front-end employees up to the leadership and figure out what keeps them up at night.
A GRC tool such as Keylight can issue risk assessments to the employees of your choice, making this a much simpler task. Create risk scenarios for every job function and be sure to figure in the price as well as at least two countermeasures to manage each risk. Both front-end employees and leadership will begin to see the value of risk management after witnessing any improvements made based on the risk scenarios most relevant to their department.
Set realistic goals. One of the biggest mistakes you can make, says Kelly, is to over-promise and under-deliver. It does no good to promise that risks will decline when there are too many contributing factors out of the company’s control. Instead, focus on realistic goals. A more realistic goal would be to define all organizational risks or to create remediation plans for your most crucial risks. Once your leadership witnesses this progress, they are more likely to support your risk management program.