Risk management is the identification and prioritisation, based on the impact to the business, of unforeseen events and issues, followed by activities to mitigate and control negative outcomes that might result in unacceptable damage to the profitability, reputation or success of the business. Tools, processes and strategies are implemented or developed to support these activities.
We live in an extremely volatile time, when even large, established enterprises are re-evaluating their futures. With the emergence of the COVID-19 pandemic and its ongoing impact on world markets, businesses are having to contend with heightened risks, along with the prospect of continued disruption, well into the uncertain future.
To manage the impact of these threats and uncertainties, successful businesses are taking a renewed interest in optimising and enhancing their approach to risk management. This means refocusing traditional strategies away from simply reacting, to proactively identifying and preparing for possible risks long before they emerge. With the right approach to risk management, businesses large and small can reduce not only the potential negative impact of specific risks, but also the likelihood of those risks occurring in the first place.
In some ways, risk management is similar to the safety features of an automobile. Like a car's headlights, it allows businesses to see any obstructions or dangerous conditions before they arrive. Like a car's brakes and steering, it offers the ability to course-correct organisations that might otherwise run into unfavourable scenarios. And like seatbelts and airbags, it provides extra layers of protection in the face of unavoidable situations.
In other words, risk management exists to ensure that the business continues to exist. Here, we take a closer look at some of the key factors that make risk management such a vital concern for companies of all sizes:
Effective risk management isn't only concerned with large, existential threats; it also addresses more personal risks to employees and customers. For example, it enables organisations to identify health and safety issues before they affect employees. Correctly employed, risk management helps organisations establish a secure environment for everyone involved in the organisation in any capacity.
Two important purposes of risk management are identifying possible undesirable events and establishing processes and procedures to minimise the impact to the business. As risks are actively tracked and managed, teams are able to focus on their critical outcomes, without having to worry about being derailed by unexpected disruptions or other emergent events. At the same time, risk management clearly highlights areas of challenge within projects, allowing teams to address these issues swiftly, rather than setting them aside to deal with other, day-to-day concerns.
Correctly applied, risk management can help organisations avoid legally unfavourable situations. By managing risks and preparing for or preventing hazardous scenarios, businesses can operate without the danger of being held liable for damages that those risks may otherwise incur.
Risk management isn't guesswork; it's a data-intensive look at probabilities to create an accurate forecast of possible future events. As such, it allows businesses to create highly reliable contingency budgets.
When everything is running smoothly, it's easy to forget all of the important factors that keep operations afloat. Risk management forces organisations to maintain consistency in their processes, using assessments and control testing to identify operational risks. This provides time to address issues and execute plans before risks affect the stability of the business or lead to a crisis.
When an organisation proactively monitors risks and responds to them as they arise, it improves not only its operational stability but also its productivity and, ultimately, its bottom line. An efficient organisation can think ahead and position itself in front of the competition.
It's difficult to take a closer look at risk without also gaining a better understanding of security. Risk management can help identify the security threats that might slip through the cracks of a security tool, or for which an organisation might otherwise be unprepared, providing a clear path to improving its security posture.
The end goal of risk management is fairly straightforward: to give decision-makers the information and insights they need to guide their business. Risk management gives leaders access to detailed risk data that pinpoints inefficiencies and areas needing improvement, so that they can make better risk-informed decisions to guide their strategies and keep the business safe and profitable.
In risk management, risk is categorised into many distinct types:
Although different organisations may need to approach risk management differently, many choose to follow a common process. This risk-management process consists of five basic steps, each consisting of a first and second line of defence:
First line of defence: Review existing risks and identify emerging risks from business activities or report risk events.
Second line of defence: Perform an independent review of risks and challenge first-line activities and outputs.
First line of defence: Perform risk assessments and review risk inventories.
Second line of defence: Perform an independent assessment of risks and challenge first-line activities and outputs.
First line of defence: Manage risks and requirements from laws, regulations and policies.
Second line of defence: Establish control expectations and independently assess and challenge the effectiveness of first-line controls.
First line of defence: Ensure that controls are working effectively and that issues are remediated quickly.
Second line of defence: Oversee first-line monitoring, self-assurance and issue-management activities. Automate control testing where possible for more real-time information.
First line of defence: Provide timely escalation and accurate information to all relevant stakeholders.
Second line of defence: Aggregate and assess information across the enterprise to provide insight to relevant stakeholders.
Risk identification is an essential aspect of risk management. But once a potential threat has been diagnosed, organisations have several options in terms of how to respond. The four approaches to risk management are as follows:
A risk-avoidance strategy may be effective in scenarios in which the risk itself cannot be completely eliminated. Instead, organisations use risk avoidance to deflect and redirect as many risks as possible, reducing the likelihood of experiencing disruption or other damages.
In risk reduction, businesses make adjustments to certain aspects of current projects — either by changing components of the project itself or by altering its scope. The goal is to reduce the risk itself, and with it the potential losses.
In risk sharing, the threat associated with certain risks is addressed by thinly spreading the risk itself across several departments, project participants or even third-party vendors.
Not all risks are dire; some minor risks can be retained with minimal threat to business operations. In many cases, it is more appropriate and more practical to retain certain smaller risks than it is to apply resources towards mitigating or eliminating them.
Despite its importance in modern business, effective risk management may be difficult to implement. Consider the following risk-management challenges:
Risk management should be an enterprise-wide set of responsibilities, but many businesses are still organised into silos. This can make it difficult to definitively assign the roles for identifying, assessing and responding to risk across the enterprise.
Often, legacy systems and other outdated hardware and software may be incapable of effectively addressing new and emergent risks.
Manually responding to risks is time-consuming, ongoing and has a high potential for human-introduced errors. Organisations that lack automation capabilities may discover that continuous risk monitoring and response is prohibitively difficult.
Because businesses need to be able to respond cohesively and quickly to emergent threats, it is essential that they have consistent and reliable information with which to operate. Without a single source of real-time truth, risk management becomes much less effective.
Risk management, continuity and business resilience all go hand in hand. Organisations without modern continuity capabilities may discover that responding to risks is a difficult prospect.
Whether it is through digital transformation or cyber threats, just as risk management technology continues to advance, so too do the number and sophistication of new risks and potential threats. Many companies find it difficult to keep pace with the evolving landscape.
Just as the number of threats continues to increase, so too does the number of regulations, driven by new standards such as ESG or by the need to mitigate the potential damage to and exposure of sensitive data. The responsibility for complying with these new regulations and protecting vital customer data falls on the shoulders of overwhelmed and understaffed risk and compliance teams.
Many of these challenges lead to the same problem: increasing costs. As risks continue to increase and compliance standards evolve to meet them, companies across essentially every industry are having to increase budgets simply to remain effective within their risk management strategies.
Although the number of potential risks organisations face continues to grow, the pool of skilled employees an organisation can hire to meet that need is not growing with it. Without proficient risk and compliance teams, it is a struggle to keep the business safe and profitable.
Risk management is a large, ongoing responsibility. To help facilitate effective risk management strategies, organisations should consider the following best practices:
Review your list of policies and ensure that you have the appropriate policies in place to address any issues. And make sure that you have a process in place to keep your policies up to date, with the appropriate approvals. Outdated policies can result in compliance violations and audit findings, both of which pose significant risks to the business. You should also regularly review your risk register to ensure that it is up to date.
As previously stated, risk management is a shared responsibility that extends across teams, departments and levels. Having a common language and taxonomy that facilitates effective and open communication is absolutely vital. An organisation's risk-management approach should engage stakeholders, both external and internal, to ensure that everyone involved is fully aware of risk, that they are evaluating it in the same way, and that they are up to date and able to provide important insights into identifying, monitoring and responding to risks.
As part of the planning process, it is imperative to identify the organisation's risk threshold. This will allow the business to take the necessary risks to remain competitive without putting the viability of the business at risk. This should be agreed upon at the highest levels of the organisation and goes hand in hand with defining a common language and taxonomy.
Every business is unique, and so are the specific risks each business faces. Likewise, a company's risk management framework should be tailored to its risk profile. Think carefully about your risk management approach and the processes you have in place. In many cases, what you were doing before isn't the most effective way to manage risk, but you also need to ensure that any risk management solution you use can be configured and is not taken "as is" simply because it has been effective for other businesses. Improve effectiveness by identifying where the processes available in the tool need to change to meet your well-thought-out needs and operating environment, and be willing to respond dynamically to issues that were not fully anticipated.
Risk management cannot exist in a vacuum — it must be fully integrated with existing governance and planning processes and across many stakeholders. By getting other departments' buy-in and including risk management at strategic and operational levels, businesses can ensure that proper risk management considerations are being addressed early and often.
Money and time aren't the only things at risk when companies face evolving risks. Brand image may likewise suffer, leading to increased losses across the board. Risk management must also address threats to an organisation's reputation. This means that relevant staff will need to be trained in crisis management, so that important information can be quickly disseminated to customers to mitigate reputational damage in the event of an emergent situation.
Although it's important that organisations are able to respond dynamically to emergent risks, it is just as vital that risk management processes remain as consistent as possible across the entire enterprise. This will promote consistency and reliability and help ensure that everyone involved knows exactly what they need to be doing to help mitigate threats.
Although it should be the goal of every business to create an encompassing risk management strategy, the truth is that there will always be uncertainty and other limitations. Make note of these weaknesses and pay special attention to areas where the available information is limited. With a clear picture of risk management gaps, businesses can continue to improve their approach as more information becomes available.
Insurance-policy documentation and certificates are proof of coverage for certain types of risk. Keep this documentation correctly archived and easily retrievable, even well after the coverage itself has expired. Often, large amounts of time may pass between the occurrence of a damaging event and the losses from that event manifesting themselves. Having correct insurance documentation on hand will help to ensure that insurer responsibilities are managed correctly.
There should always be some risk in business to ensure that it stays competitive. However, with the right risk-management solutions, resources and strategies, organisations can effectively manage that risk, while helping to ensure resilience and continuity in the face of an uncertain future. ServiceNow, the leader in IT management and workflow automation, is at the forefront of this movement.
ServiceNow makes the world work better for everyone. ServiceNow allows companies of all sizes to seamlessly embed risk management, compliance activities and intelligent automation into their digital business processes to continuously monitor and prioritise risk. ServiceNow Risk solutions help transform inefficient processes and data silos across your extended enterprise into an automated, integrated and actionable risk programme. You can improve risk-based decision-making and increase performance across your organisation and with vendors to manage the risk to your business in real time, and make risk-informed decisions in your daily work without sacrificing budgets.
ServiceNow allows companies of all sizes to seamlessly embed risk management and compliance into digital experiences and workflows, so people and organisations work better. Built on the award-winning Now Platform, Risk Management offers complete visibility and control. Identify and manage risks and vital information, monitor high-risk areas, diagnose non-compliant controls and create and schedule vital risk self-assessments, all from a single, centralised location. And, with advanced reporting and analytics, built-in guidance and taxonomy libraries, and advanced automation solutions, organisations have everything they need to evaluate and prepare for risks—without sacrificing budgets.