Enterprise risk management: How much risk is too much risk?

To plan effectively for risk, you must look across holistically across your organization. This article highlights six key elements of enterprise risk that, when considered together, enable you to identify and mitigate those most critical to your business.

In business, we take risks every day. There is rarely a business decision or strategy that doesn’t come without at least some level of risk—typically greater as the potential reward increases. We often find ourselves asking, how much risk is too much?

To answer that question, you first must understand the fundamentals of enterprise risk and the various types of risk inherent in your business.

Despite many high-profile news headlines, many organizations still treat risk management as an afterthought. Even those that have taken proactive steps to manage risk have a tendency to define risk too narrowly—thinking primarily in the context of their industries or types of business. For example, technology-intensive firms will often focus on potential perils to their systems, but they don’t look critically at other areas of their businesses. Financially oriented organizations, on the other hand, may focus more on controls and governance. In fact, though, some of the biggest risks can come in forms you never expected.

Manufacturing companies, for whom continuity of operations is paramount, will often consider and plan for physical risks—such as fires or natural disasters—to their plants. For a manufacturer with a primary factory in Kansas, management may even go so far as to arrange a back-up production agreement with another company (typically not a competitor) in a nearby state in order to sustain its production capabilities should severe weather disable its facility. But if the same manufacturer established a production facility in another part of the world—for example, China—its risks may be much different. Consider the example of a manufacturing firm with one plant in China, whose production facility was disabled for a time by a very different type of risk—it was subject to a mandatory shut-down when one of 3,000 workers came to work after being exposed to SARS (Severe Acute Respiratory Syndrome).

How could the company have anticipated and prepared for that risk?

Understanding the elements of enterprise risk.

To plan effectively for risk and mitigate those most critical to your business, you must look holistically across your organization. This involves analyzing six key elements of your operations as a whole.

1. Business environment. What risks exist in your geographic area(s)? Your competitor base? Your customer base? Your regulatory environment?
2. Business strategy. How solid and well defined is your strategy? Is there any risk associated with your ability to execute? Could competitors or other factors affect your ability to do so?
3. Business processes. What are your most critical business processes, and what are the key risks to those processes? Have you considered the risks not only to your own operations, but to key business partners—such as those in your supply chain—whose operations are critical to those processes?
4. Technology. What systems do you operate, and what are the key risks associated with those systems? Are they secure? Do you have procedures in place to switch over to a redundant system in the event of failure? Can they handle your expected volume and business reliably?
5. People. How do you attract and retain people? If yours is an intellectual capital-intensive business, what steps are you taking to mitigate the loss of key people? And to protect your client relationships and intellectual property should people leave?
6. Finance. What is your investment strategy? How do you manage cash? Does your organization have sufficient reserves to handle unforeseen circumstances, or to capitalize on unexpected opportunities?

From assessment to enterprise risk strategy.

An enterprise risk assessment provides analysis and insight for these areas, identifying the potential risks inherent in each, their probabilities of occurring, and their magnitude of impact on the business—in effect, assigning a risk “score” to each key element of your business. From this information, it is then possible to begin quantifying the potential affects, in dollar terms, both for particular areas of operation and for the company as a whole. More specifically, this comprehensive view of risk can:

• Provide quantifiable support for individual business decisions.
• Lay the foundation for a comprehensive enterprise-wide risk management strategy.
• Help prioritize investments and initiatives on correcting or mitigating areas of unacceptable risk.
• Provide a benchmark for assessing changes in risk over time.
• Educate executives and managers throughout the organization about risk and risk management.

In short, it provides the type of information you will need if you want to answer the question posed above: How much risk is too much?

The biggest risk may be waiting for something to happen.

Let’s return to the example of the manufacturing company whose plant was forced to close temporarily when one worker contracted SARS and exposed others in the factory. Had the company looked at risk more broadly and understood the potential for this type of event, it could have put in place strategies—such as employee education and incentives that would exempt employees from penalty if they were unable to work due to illness— that would have prevented/mitigated the risk of an infected employee coming to work. Or, it could have established manufacturing partnership agreements to transfer production to a non-competitor with like manufacturing capabilities. Either way, it would have been able to sustain operations. 

West Monroe Partners works with executives to assess, quantify and build strategies for mitigating all types of enterprise risk. For more information, please contact Rich Sypniewski, This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .

In this issue:

• Internet usability: will your site's users find what they're looking for?
• Software as a service: is it time for a closer look?
• A little preparation goes a long way: six keys to recovering from a disruption to your business
• Customer relationship management (CRM) roadmap: getting a CRM strategy off the ground