Enlisting Management Support
A good risk and control environment requires top-down involvement. The highest ranks of management in the business must see the value of understanding the risks and ensuring that appropriate controls are in place. Management must then make it clear to the lower ranks that risk and control is a core competency. All levels of the business need to understand that this is an issue of pure dollars and cents, i.e. an effective risk and control program will reduce losses and improve revenues through improving customer loyalty. Think of it as a "build it and they will come" challenge. If management lays the foundation for a sound risk and control environment, the business will follow.
If you find that management support is not present, then you need to meet with management. Some potential talking points:
- A good risk management process is a "pay me now or pay me later" proposition. Yes, you can ignore business risks today and refocus resources on other functions such as improving sales. But the risks will not go away and by ignoring them they will likely have a much more severe impact when they surface in the future. So spending wisely on a risk and control program today will avoid significant losses in the future.
- If your business is part of a regulated industry or the Fortune 500, the business is likely required to have an effective risk management process. For example see the PCAOB Auditing Standard #2 used in conjunction with SOX 404 audits or the FFIEC IT Handbook on Information Security.
- If the business has no effective risk management process, it lacks the ability to identify or communicate levels of risk. As a result, one manager's "High" risk becomes another manager's "Low" risk. More importantly, senior management will have no effective way of analyzing funding requests for projects that purportedly reduce risk. One manager may want to upgrade the firewall, another may want funding for a more robust implementation of anti-virus software and another amy want to move the company to a higher level of encryption for data storage. All three managers may claim that the projects address a "High" risk, but without an effective risk assessment process the senior manager will have no objective means of determining the true risk or the cost/benefit to the company.
- It is the unknown risks that are the most harmful, because the business is likely unprepared to address them. Consider the "unknown unknowns" of the Iraq War and how those risks came to impact the American strategy. A thorough risk assessment gives the business a higher level of flexibility and preparedness for when these go wrong.
©2009 ISRMC, LLC