Risk management is challenging for corporations under the best of circumstances. It’s natural for exasperated executives to ask, “What’s the point, again? Why are we doing this?”
Today let’s explore one compelling reason for investing time and energy in risk management: superior risk management allows a company to tolerate more risk. You can take more risks, and you can take bigger risks. That puts you at a competitive advantage relative to your peers.
The roots of this insight actually come from military strategy. In the 1960s and '70s, theorists in the U.S. military developed the understanding that success on the battlefield depends on your use of time. The more efficient you are (as a fighter jet, a naval convoy, an army squad) in observing your environment and responding to it, the more responsive you can be — which lets you position yourself to defeat your enemy.
That holds just as true in the business world. A company isn’t displaced by bigger competitors; it’s displaced by more nimble competitors able to respond to changing market conditions more quickly.
We can connect that idea back to risk management, too. Remember that “risk tolerance” is just another way of saying “acceptable variation from a performance goal.” (That’s literally true; COSO, in its new framework for enterprise risk management, replaced the former phrase with the latter.) Risk management is about pushing your company forward to its objectives while staying within those guardrails of acceptable variation from a stated goal.
So, really, you want to design a risk management system that makes the best use of time — that monitors key risk indicators and alerts people immediately when they stray beyond those acceptable performance guardrails. The more quickly you can respond when something goes wrong, the more “things” your company can try to do.
For example, if your third-party due diligence and monitoring program is solid, and can easily identify high-risk vendors or alarming changes in ownership, you can expand into new markets more quickly. If your vendor risk management program works well, you can bring new IT services to customers and employees more quickly. If your policy management program responds briskly to regulatory change, you can pivot to new market conditions without incurring regulatory risk.
At its core, a business is simply a group of people cycling through certain processes over and over: making products, closing sales, striking joint ventures, filing lawsuits, hiring new employees, and so forth. Those processes are all supposed to behave in certain ways. Risk management is the system of observing those processes and communicating when they are not behaving in the right ways.
So the better your risk management is, the more quickly you can intercept those processes or transactions that have gone off course — and therefore, you can keep more processes cycling through on the correct course. The company can take more risks, or bigger risks, because it’s better at managing them and reducing the chance they’ll go wrong.
That’s how compliance and risk officers can frame risk management programs as a driver of strategic advantage — because, when you structure them smartly, they are.