The importance of positive risk management 

COLUMN | November 16, 2022


A more proactive approach to risk can help unlock opportunity for organizations willing to embrace change 

By Valerie Spillman, Senior Director, Internal Audit & Enterprise Risk at ServiceNow



Conventional wisdom says that risk is bad. It’s something to be avoided and eliminated. But is that true? Or is it an engine that drives business growth? I would argue that risk—properly managed—is a huge positive that unlocks business opportunities. 

Here’s why: If you can effectively embrace risk, you can take on more risk. Every business initiative—whether it’s entering a new market, lowering supply chain costs, or adopting a new technology—has inherent risks. With a well-oiled machine for identifying, managing, and mitigating risk, you can make confident, risk-informed investment decisions rather than stifling innovation by being too risk-averse.

By embracing risk and responding effectively to it, you unlock innovation and business growth.

It’s an approach that recognizes the value of risk and aligns it with business strategy. It moves beyond the fortress mentality of negative risk management, focusing on enabling risk-informed business decisions. It’s underpinned by processes and technologies that provide consistent risk visibility and ensure proactive risk management. And it’s a cultural shift where the entire organization—from the board of directors to frontline employees—understands their critical role in the organization’s risk posture.

So, what are the key attributes of positive risk management?

  • It involves everyone. Historically, risk management has been primarily the domain of core risk teams. With positive risk management, that needs to change. Business stakeholders must take ownership of their risk posture, proactively identify and manage risks, and align business decisions with risk appetite. Frontline employees become the eyes and ears of the organization, providing early visibility into emerging risks. And risk management teams become the glue that binds everything together, collaborating with business stakeholders to provide the best-practice processes and expert risk guidance that fuel visibility and control. 

  • It starts at the top. Positive risk management is a major cultural shift. That doesn’t happen from the bottom up. Board members and executives need to clearly and consistently communicate the strategic business value of risk, define the organization’s risk appetite, establish measurable objectives, ensure accountability, and monitor progress. 

  • It needs a common language. Because positive risk management spans the entire organization, you need a shared way to talk about risk. This starts with a common risk taxonomy—a structured way of describing and classifying risk—and includes well-defined risk and compliance processes. Consistency is key. For instance, if your finance and cybersecurity teams define a high-priority risk differently, you can’t accurately assess overall risk to support informed decision-making. 

  • It’s proactive. You can’t make risk-informed decisions based on annual risk assessments. Your risk landscape is constantly changing, so you need to proactively identify emerging risks—such as those that come along with accelerated digital innovation. In fact, a ServiceNow and ThoughtLab survey of 1,000 global C-suite executives found that 81% of organizations that lead on risk readiness proactively manage technology-related risks, compared to just 45% of those not identified as leaders. 

  • It’s resilient. Traditional risk management focuses on avoiding and eliminating risk. Mitigating risk is important, but bad things will always happen no matter how strong your defenses. When you take a positive approach to risk and embrace it, you must also hone your ability to recover. Make sure you have plans in place to respond effectively when risks turn into reality. Business continuity management is part of this, but you need a broader approach beyond simply responding to disasters. 

  • It’s flexible. The unexpected always happens. For example, who would have thought at the beginning of 2019 that a pandemic would bring commerce to its knees? Don’t plan for known risks only. Build a process foundation that lets you respond quickly and effectively to both likely scenarios and those that seem very unlikely. 

  • It’s automated. Positive risk management can’t run on emails and spreadsheets—manual approaches don’t scale or provide the enterprise-wide visibility you need. Bring together your risk and compliance data and processes on a unified platform. This will give you a single source of truth and let you drive consistent, automated workflows and implement real-time dashboards across your business to create visibility, speed, agility, and accuracy.

Risk and innovation go hand in hand. By embracing risk and responding effectively to it, you unlock innovation and business growth. That requires a new approach to risk management—a positive approach that enables risk-informed decision-making. It must start at the top and involve everyone in your business. It’s underpinned by a common language and proactive risk visibility, and it focuses on business resilience and flexibility, not just risk avoidance. And it demands a unified, automated risk platform to create visibility, speed, and agility.  


Author

Valerie Spillman

Valerie leads ServiceNow's Internal Audit, Enterprise Risk and Issue Management programs, as well as the Business Continuity Management Program Office. Her industry background includes various audit and risk management roles at global technology companies such as IBM, Cisco, and PayPal and management consulting firms like Deloitte and RGP.
