Everyone should be managing your company’s risks. But your executives need to take the lead, establishing a comprehensive enterprise approach that recognizes and responds to operational, legal and financial risks wherever they occur.
Every business faces its own unique set of risks. Different companies could face liquidity or cash flow threats, a sluggish supply chain or a dip in customer satisfaction. And a problem in one area often snowballs into other parts of the business. A severe weather event that triggers a slowdown in parts deliveries could hinder production, leading to frustrated customers and a revenue shortfall.
“Addressing risks across your business often feels like a game of Whac-A-Mole,” says Oliver Williams, head of enterprise risk management at Regions Bank. “While you’re putting out a fire in one area, another one flares up somewhere else.”
These realities argue for a comprehensive approach for recognizing and responding to wide-ranging risks. “Your senior executives and the board of directors need to think about risk as they build your business plan, deciding where to invest your risk-management time and resources,” he says. “The best companies establish a culture in which every employee is a risk manager.”
A world of escalating risks
Among today’s biggest risks are cyberattacks, which are happening more frequently and can be catastrophic for a company’s reputation and bottom line. And if criminals penetrate your business, your suppliers and customers may be affected as well—and a cybersecurity breach at a vendor or customer could expose your crucial data.
Fraud is another major concern. These risks from outside or inside a company can quickly take aim at its ability to continue doing business. “When you think about how risks can compound through an organization, any kind of adverse event can threaten your reputation, which can lead to a loss of customers, which can lead to liquidity and cash flow issues,” Williams says.
The need for an enterprise approach
Handling risk in silos, as many businesses do, can be inefficient, with multiple departments creating their own plans to recognize and respond to cyberthreats, for example. “But attacks can come from anywhere in the company,” says Williams. “Someone may get a phishing email, while another gets a phone call in which someone tries to trick them into divulging sensitive information.”
Employees need to repel these intrusions, but they also need to alert those in charge of security that dangerous emails and calls are getting through the company’s defenses. “If you see something, you need to say something, but then you need to take steps to make sure everyone is aware of the danger and that it’s being dealt with across the enterprise,” Williams says.
Top management needs not only to set the expectation that everyone is a risk manager, but also provide the tools, opportunities and authority to mitigate the risks that they find, Williams says.
Measuring the risks you face
Smaller companies may think they lack the time and resources that a larger business has to measure the risks they may face. But establishing metrics for identifying, monitoring and managing risks can be relatively simple—and crucial in deciding how to respond. “Suppose you want to measure fraud risk,” Williams says. “Drill down to determine where it’s happening—in what operational units, what locations, what products,” he says. “You can develop simple metrics to measure that at a very granular level.” Then you can deploy your resources where the need is greatest.
Qualitative measurements can also be helpful. You could survey your employees and tabulate what they tell you about potential vulnerabilities. And you can poll your customers to gauge their satisfaction and other sentiments. “If you do that, you’re probably going to find risks that need to be mitigated,” he says. “You’ll find out customers are upset because they didn’t get what they wanted, it took too long or there was another adverse outcome. That’s where your risk is.”
What’s your risk appetite?
Managing risk inevitably involves trade-offs. Your company’s risk appetite is a determination of how much risk you may be willing to take in certain areas. That starts by identifying key risks, then considering what you may be able to tolerate. “You need to do this as part of your strategic business planning,” Williams says. You might decide that you’re willing to accept a slightly higher risk of fraud, for example, to spare your customers from dealing with anti-fraud measures—but only if that doesn’t threaten your bottom line. “Gauging your risk appetite lets you start thinking about what levers you can pull,” Williams says.
Help from an experienced team
“Our bankers see a lot of different kinds of risks across a lot of different kinds of companies,” Williams says. “Chances are, if you’re thinking about how to respond to a particular kind of risk, they’ve seen it elsewhere.” In addition, Regions Bank has extensive resources its bankers can tap in specialized areas such as cybersecurity and treasury management. “There’s a wealth of talent you can take advantage of, both in planning your approach to risk management and in responding to particular events,” he says.
Start today
- Read more: How to create an anti-fraud training program.
- Learn more: Consider what resources you can access to prevent fraud.
- Take action: Set up flexible security controls using Regions’s iTreasury platform.