What is risk management?

Risk management is the identification and prioritization, based on the impact to the business, of unforeseen events and issues, followed by activities to mitigate and control negative outcomes that could cause unacceptable damage to the profitability, reputation, or success of the business. Tools, processes, and strategies are developed or implemented to support these activities.

We live in an extremely volatile time, when even large, established enterprises are reevaluating their futures. With the emergence of the COVID-19 pandemic and its ongoing impact on world markets, businesses are having to contend with heightened risks, along with the prospect of continued disruption well into the uncertain future.

To manage the impact of these threats and uncertainties, successful businesses are taking a renewed interest in optimizing and enhancing their approach to risk management. This means refocusing traditional strategies away from simply reacting, to proactively identifying and preparing for possible risks long before they emerge. With the right approach to risk management, businesses large and small can reduce not only the potential negative impact of specific risks, but also the likelihood of those risks occurring in the first place.

In some ways risk management is similar to the safety features of an automobile. Like a car’s headlights, it allows businesses to see any obstructions or dangerous conditions before they arrive. Like a car’s brakes and steering, it offers the ability to course-correct organizations that might otherwise run into unfavorable scenarios. And like seatbelts and airbags, it provides extra layers of protection in the face of unavoidable situations.

In other words, risk management exists to ensure that the business continues to exist. Here, we take a closer look at some of the key factors that make risk management such a vital concern for companies of all sizes:

Creates a secure work environment

Effective risk management isn’t only concerned with large, existential threats; it also addresses more personal risks to employees and customers, for example by enabling organizations to identify health and safety issues before they affect employees. Correctly employed, risk management helps organizations establish a secure environment for everyone involved with the organization in any capacity.

Aligns team focus

Two important purposes of risk management are identifying possible undesirable events and establishing processes and procedures to minimize the impact to the business. As risks are actively tracked and managed, teams are able to focus on their critical outcomes, without having to worry about being derailed by unexpected disruptions or other emergent events. At the same time, risk management clearly highlights areas of challenge within projects, allowing teams to address these issues swiftly, rather than setting them aside to deal with other, day-to-day concerns.

Decreases legal liability

Correctly applied, risk management can help organizations avoid legally unfavorable situations. By managing risks and preparing for or preventing hazardous scenarios, businesses can operate without the danger of being held liable for damages that those risks may otherwise incur.

Improves budget accuracy

Risk management isn’t guesswork; it’s a data-intensive look at probabilities to create an accurate forecast of possible future events. As such, it allows businesses to create highly reliable contingency budgets.

Increases operational stability

When everything is running smoothly, it’s easy to forget all of the important factors that keep operations afloat. Risk management forces organizations to maintain consistency in their processes, using assessments and control testing to identify operational risks. This provides time to address issues and execute plans before risks impact the stability of the business or lead to a crisis.

Enhances competitiveness

When an organization proactively monitors risks and responds to them as they arise, it improves not only its operational stability but also its productivity and, ultimately, its bottom line. An efficient organization can think ahead and position itself in front of the competition.

Heightens security awareness

It’s difficult to take a closer look at risk without also gaining a better understanding of security. Risk management can help identify the security threats that might slip through the cracks of a security tool, or that an organization might otherwise be unprepared for, providing a clear path to improving its security posture.

Enables risk-informed decisions

The end goal of risk management is fairly straightforward: to give decision makers the information and insights they need to guide their business. Risk management gives leaders access to detailed risk data that pinpoints inefficiencies and areas needing improvement, so that they can make better risk-informed decisions, guide their strategies, and keep the business safe and profitable.

In risk management, risk is categorized into many distinct types:

  • Digital risk
  • ESG risk
  • Vendor/third-party risk
  • Quality risk
  • Business continuity risk
  • People risk
  • Environment, health, and safety risk
  • Ethics and compliance risk
  • Privacy/legal risk
  • Financial risk
  • Operational risk
  • Technology or cyber risk

Although different organizations may need to approach risk management differently, many choose to follow a common process. This risk-management process consists of five basic steps, each consisting of a first and second line of defense:

Identify

1st line of defense: Review existing risks and identify emerging risks from business activities or report risk events.

2nd line of defense: Perform independent review of risks and challenge 1st line activities and outputs.

Graphic outlining the risk management process.

Assess

1st line of defense: Perform risk assessments and review risk inventories.

2nd line of defense: Perform independent assessment of risks and challenge 1st line activities and outputs.

Control

1st line of defense: Manage risks and requirements from laws, regulations, and policies.

2nd line of defense: Establish control expectations, independently assess, and challenge effectiveness of 1st line controls.

Monitor

1st line of defense: Ensure controls are working effectively and issues are remediated quickly.

2nd line of defense: Oversee 1st-line monitoring, self-assurance, and issue management activities. Automate control testing where possible to obtain more timely, real-time information.

Report and consult

1st line of defense: Provide timely escalation and accurate information to all relevant stakeholders.

2nd line of defense: Aggregate and assess information across the enterprise to provide insight to relevant stakeholders.

Risk identification is an essential aspect of risk management. But once a potential threat has been diagnosed, organizations have several options in terms of how to respond. The four approaches to risk management are as follows:

Risk avoidance

A risk avoidance strategy may be effective in scenarios in which the risk itself cannot be completely eliminated. Instead, organizations use risk avoidance to deflect and redirect as many risks as possible, reducing the likelihood of experiencing disruption or other damages.

Risk mitigation

In risk mitigation (also called risk reduction), businesses make adjustments to certain aspects of current projects, either changing components of the project itself or altering its scope. The goal is to reduce the risk itself, reducing potential losses in the process.

Risk transfer

Sometimes the threat associated with certain risks can be addressed by spreading the risk itself thin across several departments, project participants, or even third-party vendors.

Risk acceptance

Not all risks are dire; some minor risks can be retained with minimal threat to business operations. In many cases, it is more appropriate and more practical to retain certain smaller risks than it is to apply resources towards mitigating or eliminating them.

Despite its importance in modern business, effective risk management may be difficult to implement. Consider the following risk-management challenges:

Silos and clarity in roles

Risk management should be an enterprise-wide set of responsibilities, but many businesses are still organized in silos. This can make it difficult to definitively assign the relevant roles for identifying, assessing, and responding to risk across the enterprise.

Antiquated technology

Often, legacy systems and other outdated hardware and software may be incapable of effectively addressing new and emergent risks.

Lack of automation

Manually responding to risks is time-consuming, ongoing, and has a high potential for human-introduced errors. Organizations that lack automation capabilities may discover that continuous risk monitoring and response is prohibitively difficult.

No single source of truth

Because businesses need to be able to respond cohesively and quickly to emergent threats, it is essential that they have consistent and reliable information with which to operate. Without a single source of real-time truth, risk management becomes much less effective.

Outdated continuity capabilities

Risk management, continuity, and business resilience all go hand in hand. Organizations without modern continuity capabilities may discover that responding to risks is a difficult prospect.

Volume, speed, and sophistication of risks

Whether driven by digital transformation or by cyber threats, the number and sophistication of new risks and potential threats keep growing, even as risk management technology continues to advance. Many companies find it difficult to keep pace with the evolving landscape.

Complex risk and regulatory expectations

Just as the number of threats continues to increase, so too does the number of regulations, driven by new standards such as those for ESG, or by the need to mitigate the potential damage to and exposure of sensitive data. The responsibility for complying with these new regulations and protecting vital customer data falls on the shoulders of overwhelmed and understaffed risk and compliance teams.

Mounting costs

Many of these challenges lead to the same problem: increasing costs. As risks continue to increase and compliance standards evolve to meet them, companies across essentially every industry are having to increase budgets simply to remain effective within their risk management strategies.

Lack of skilled employees

Although the number of potential risks organizations face continues to grow, there is not a growing number of skilled employees that organizations can hire to meet the need. Without proficient risk and compliance teams, it is a struggle to keep the business safe and profitable.

Risk management is a large, ongoing responsibility. To help facilitate effective risk management strategies, organizations should consider the following best practices:

Keep policies and your risk register current

Review your list of policies and ensure you have the appropriate policies in place to address any issues. Make sure you have a process in place to keep your policies up to date, with the appropriate approvals. Outdated policies can result in compliance violations and audit findings, both of which are significant risks to the business. You should also regularly review your risk register to ensure it is current.

Create a common language

As previously stated, risk management is a shared responsibility that reaches across teams, departments, and levels—having a common language and taxonomy that facilitates effective and open communication is absolutely vital. An organization’s risk-management approach should engage stakeholders both external and internal to ensure that everyone involved is fully aware, evaluating risk in the same way, up-to-date, and able to provide important insights in identifying, monitoring, and responding to risks.

Identify your risk threshold

As part of the planning process, it is imperative to identify the organization’s risk threshold. This will allow the business to take the risks necessary to remain competitive without putting the viability of the business at risk. The threshold should be agreed upon at the highest levels of the organization and goes hand in hand with defining a common language and taxonomy.

Be willing to configure

Every business is unique, and so are the specific risks each business faces. Likewise, a company’s risk management framework should be tailored to its risk profile. Think carefully about your risk management approach and the processes you have in place: in many cases, what you were doing before isn’t the most effective way to manage risk. Also ensure that whatever risk management solution you use can be configured, rather than taken “as is” simply because it has been effective for other businesses. Improve effectiveness by identifying where the processes available in the tool need to change to meet your well-thought-out needs and operating environment, and be willing to respond dynamically to address issues that were not fully anticipated.

Integrate throughout

Risk management cannot exist in a vacuum; it must be fully integrated with existing governance and planning processes and across many stakeholders. By getting other departments’ buy-in and including risk management at strategic and operational levels, businesses can ensure that proper risk management considerations are being addressed early and often.

Include image-related risks

Money and time aren’t the only things at risk when companies face evolving risks; brand image may likewise suffer, leading to increased losses across the board. Risk management must also address threats to an organization’s reputation. This means that relevant staff will need to be trained in crisis management, so that important information can be quickly disseminated to customers to mitigate reputational damage in the event of an emergent situation.

Work systematically

Although it’s important that organizations be able to respond dynamically to emergent risks, it is just as vital that risk management processes remain as consistent as possible across the entire enterprise. This will promote consistency and reliability and help ensure that everyone involved knows exactly what they need to be doing to help mitigate threats.

Be aware of limitations

Although it should be the goal of every business to create an encompassing risk management strategy, the truth is that there will always be uncertainty and other limitations. Make note of these weaknesses, and pay special attention to areas where the available information is limited. With a clear picture of risk management gaps, businesses can continue to improve their approach as more information becomes available.

Keep records of risk insurance policies

Insurance-policy documentation and certificates are proof of coverage for certain types of risk. Keep this documentation correctly archived and easily retrievable, even well after the coverage itself has expired. Often, a long time may pass between the occurrence of a damaging event and the losses from that event manifesting themselves. Having correct insurance documentation on hand will help ensure that insurer responsibilities are managed correctly.

There should always be some risk in business to ensure it stays competitive. However, with the right risk management solutions, resources, and strategies, organizations can effectively manage that risk while helping to ensure resilience and continuity in the face of an uncertain future. ServiceNow, the leader in IT management and workflow automation, is at the forefront of this movement.

ServiceNow makes the world work better for everyone. ServiceNow allows companies of all sizes to seamlessly embed risk management, compliance activities, and intelligent automation into their digital business processes to continuously monitor and prioritize risk. ServiceNow Risk solutions help transform inefficient processes and data silos across your extended enterprise into an automated, integrated, and actionable risk program. You can improve risk-based decision making and increase performance across your organization and with vendors to manage the risk to your business in real time, and make risk-informed decisions in your daily work without sacrificing budgets.

ServiceNow allows companies of all sizes to seamlessly embed risk management and compliance into digital experiences and workflows, so people and organizations work better. Built on the award-winning Now Platform, Risk Management offers complete visibility and control. Identify and manage risks and vital information, monitor high-risk areas, diagnose non-compliant controls, and create and schedule vital risk self-assessments, all from a single, centralized location. And, with advanced reporting and analytics, built-in guidance and taxonomy libraries, and advanced automation solutions, organizations have everything they need to evaluate and prepare for risks—without sacrificing budgets.

See how far the right preparation can take you, with Risk Management from ServiceNow.
