It’s that time of year when we have resolved to do better. Most business owners or managers have probably resolved to increase revenue and profits in the New Year. We urge you to include improving your risk management performance, too. By identifying and mitigating the risks you face, those bottom line resolutions you make are more likely to come true. You need to reduce losses as well as increase revenue.
First, Have a Risk Management Plan
The first resolution has to be to have a risk management plan, and implement it. We sometimes get so immersed in our own work that we forget that there are managers and companies who do not take adequate steps to identify and manage the risks to their businesses. And others have a mistaken belief that they have a risk management plan just because they bought some insurance.
Some recent research by Chubb Group of Insurance Companies shows that both public and smaller private companies have significant gaps in risk management. A 2012 survey of public companies found that 2 out of three companies still do not have cyber insurance even though an electronic breach of data was seen as the most pressing risk. Similarly, 42% of these companies reported experiencing an employment practices liability event, yet some of them still do not have risk management tactics in place to mitigate this risk.
A related study conducted in 2013 found that smaller private companies may have invested even less in risk management despite the fact that 1/3 of them experienced a loss event in the past 3 years. Those that do take risk mitigation steps, like background screening, often mis-use the tactics. Some key findings from that research include:
- Most firms believed their general liability insurance protected them from most of the risks they face, including cyber losses, fiduciary liability, and employment practices liabilities.
- 42% of the companies had broad exclusionary policies toward criminal backgrounds, exposing them to legal action by the EEOC or other agencies.
- 68% of companies use social media, but only 12% have usage policies for employees.
- Many companies use cloud providers for data storage, but only half of these have plans in place for cyber breaches.
There is a lot of room for improvement.
6 More Resolutions to Improve a Risk Management Plan
We expect that most of our readers do have a risk management plan in place. For you, we offer six ideas to incorporate into your program that will allow you to pursue opportunities without losing your grip on the reality of risk. If your enterprise is like most, it’s looking for new opportunities to grow and prosper in the months ahead. As you well know, growth can be hindered or even stopped in its tracks without a wise approach to protecting people, brands, and profits.
1. Set the tone at the top.
We have often emphasized the importance of corporate culture in helping to mitigate those risks that arise from internal sources (see our previous post on the environment of fraud control). We do not mean that the formal controls you implement are unimportant in any way. But the culture of your organization helps to shape the behaviors of your people, for better or worse.
The key point about corporate culture is that top managers are ultimately the ones who define it by the actions they take. It is only common sense that what managers do—and are seen to do—tells other employees how to act. If a manager is known to falsify bits of information on an expense report, every other employee is empowered to do the same thing. We argue that this rule extends to even small things, because any perceived approval of unethical behavior opens the door to cheating on big things, too.
2. Understand the Fraud Triangle, and use it.
The famous Fraud Triangle of Donald Cressey describes the 3 main factors that have to be present for fraud to occur. There must be individuals who are motivated to perpetrate the fraud, often because of financial pressures they experience. The fraudster needs to find a rationalization to justify his or her violation of the trust they have been given. And finally, there have to be opportunities where the potential fraudster can see a way to enrich himself. Our Fraud Triangle infographic summarizes this model.
Of these three, the most important insight we find in the Fraud Triangle is that most organizational frauds are crimes of opportunity. These opportunities are operations where there is weak or absent control, or where relationships with 3rd parties are inadequately monitored or poorly structured. We cannot always know when an employee is stressed by finances, or believes he has a right to organizational funds. But we can systematically examine our systems for weaknesses that can create opportunity, and eliminate them.
3. Break down the silos.
Organizational silos are those vertical parts of an organization that operate as if they were independent of the other parts. Every manager knows that silos can dampen important communications between operating units, often to the detriment of the organization as a whole. But every manager also knows, at least intuitively, that maintaining connections with other units is time-consuming and exposes him to unknown and uncontrollable demands.
With respect to risk management, silos pose a specific threat that company-wide risks, or risks that derive from processes that cross the silos, will be systematically undervalued. Successful risk management does need to drill down to very detailed controls, but it must also have a holistic component that integrates them. Silos are a threat to risk management.
4. Make risk management a standard part of the process.
Anyone who has ever worked a garden knows that you cannot do something once and walk away thinking it is done forever. Gardens and organizations are dynamic entities that grow and change in complex ways. They need to be managed with persistent attention to important factors.
Risk management is like this. It needs to be part of your standard management process, with periodic re-visits to basic issues like financial controls, HR liabilities and compliance, insurance, and 3rd party relationships. More generally, risk management works best when it becomes part of your corporate culture and enlists the efforts of employees at all levels to manage risks.
5. Make management review part of your process.
As part of integrating risk management into your standard process, make sure that there is a regular management review of the process itself. The absence of this oversight is one of the most common reasons fraud and other loss-making events occur, even when there are apparently effective controls in place. To borrow a phrase from another context, you need to “stress test” your controls on a regular basis to make sure they are still appropriate and effective in mitigating your ever-shifting risks.
6. Don’t blame the whistleblower – help him.
Far too often we see the whistleblower turn into the fall guy. There is a natural tendency to dislike the snitch or tattletale, and often little personal reward for pointing out failure to an organization. But in fact, you should set up a process for your employees to report when they observe something they think is out of order. After all, who is closer to the workplace action where employee frauds and risks occur?
One of the important characteristics of a fraud reporting mechanism, or other method of communicating about risks, is that the reporting employee needs the assurance of anonymity. Giving potential whistleblowers an easy, safe way to tell you about unhealthy developments in your organization can prevent very serious and costly breakdowns.
Risk management requires a systematic effort just like your growth strategies do. Good luck to you on both of these vital projects in the coming year.