Well, maybe you’ve done those things.
Would you do it again? Certainly NOT.
It is not rocket science. Companies need to set up a strategy, define associated objectives and KPIs, and allocate resources accordingly to succeed. Formalized or not, every single one of them follows at least one defined path on which they face many difficulties, obstacles, delays, regressions, incidents, etc., that need to be anticipated as early as possible within cost constraints.
So they hire a risk manager, spend millions in training programs for internal risk champions, implement controls, monitor performance, improve assessment processes, develop or acquire enterprise risk management software, deploy it, train people on it … until someone raises a hand during an assessment session to ask “specifically, why do you think we are at risk on that process?”
Oh, there will be answers. Many of them. Actually, as many answers as the number of experts in the room. And therein lies the rub.
The same way objectives and targets are used for performance management, they should also be used for risk management. If, collectively, everyone did NOT agree on what the objectives are, then depending on everyone’s so-called “risk appetite”, you might end up with the final decision being that of the one who talked the loudest in the room. And maybe he’s right. Or not. Who knows?
Assessing risks in a vacuum is a waste of time and money. Many companies spend years and millions of dollars gathering experts or triggering risk surveys to identify, analyze, evaluate and find treatment actions to solve potential issues stemming from a process or product that has no concrete, targeted objectives.
Risks should always be assessed in the light of an objective. Every risk program or system should be set up to provide an organization with the appropriate framework to identify and manage risks that could prevent objectives from being met.
So, no objectives, no risks. What do you think?