Risk management is a process in which organisations identify, assess and mitigate risks that could potentially affect their business operations. Corporate risk management refers to all of the methods that a company uses to minimize financial losses. Corporate risk management is as much, or more, about ensuring success in the face of uncertainty, rather than just testing against possible failure scenarios. It's more positive to deal with deviation from expectation rather than the negative mindset of what to do if the worst happens.
Risk is a certainty in life and business, so it needs to be positively managed.
Your organisation needs to consider any possible event or circumstance that could have negative influences or outcomes. Its impact can be on the very existence of the company, the resources (human and capital), the products and services, or the customers of the enterprise, as well as external impacts on society, markets, or the environment.
Lines of Enquiry
Regular audits must be undertaken, with the following lines of enquiry:
Strategic – test against failure to deliver the organisations goals
Governance, Commercial, Partnerships, Internal Impacts, External Impacts
Operations – test against failure to develop and adopt appropriate operational processes and controls
Process Design, Process Operation, Information Management, Business Continuity
People – test against failure to appropriately resource our company and to take care of our people
Appropriate Resourcing, Skills & Knowledge, Performance & Reward, Diversity & Inclusion, Security & Safety
Customer Care – test against failure to appropriately protect and retain our partners and customers
Customer Knowledge, Customer Security, Transparent Dealings
Technology – test against failure to provide reliable and performant applications and infrastructure, and devices on which the services are performed to meet the operational, regulatory and reporting needs
Adequacy, Availability, Performance, Recoverability, Support
Cybersecurity – test against failure to protect the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorised access.
Regulatory – test against failure to demonstrate compliance with regulatory requirements
Regulatory Reporting, Regulatory Authorisation, Regulatory Implementation, awareness of Regulatory Change
Legal – test against failure to demonstrate compliance with legal requirements
Partner Contracts, Supplier Contracts, Mergers and Acquisitions, Intellectual Property, Indemnities, Confidential Information, Statutory Reporting
Finance – test against failure to meet the operational, regulatory and reporting monetary needs
Treasury, Cash Flow, Reconciliations, Financial Reporting
Financial Crime – test against failure to deliver the organisations becoming a victim of financial crime or allowing it to happen to others
External Fraud (money and/or data), Money Laundering, Asset Security
Physical – test against failure to plan for and protect against events such as fire, flooding, power loss or crimes like staff assault, terrorist attack, theft and vandalism
Buildings, Equipment, People, Recoverability, Security, Support
Reputation – test against failure to protect the company's good name in the market place and the consumer base
Governance, Communication, Disaster Recovery, Business Resumption, Customer Complaints
Leaders should work closely with internal and external auditors. All findings must be discussed, agreed and regularly tracked to resolution.
Corporate risk management is a major topic. This article is a short reminder of what needs to be considered.