The top ten mistakes in risk management.
2. Failing to understand the consequences and long-term business impact of risk. Fifty percent of all businesses that suffer a catastrophe close within a year. If this were more widely understood, you could bet that companies would be better prepared. Unfortunately, through either naivete or bravado, too many businesses believe they will be able to weather a storm. For half of them, this is a fatal assumption.
3. Believing that "risk management" simply means "buying insurance." Insurance policies are one component of what you need to protect your company, but protection doesn't stop there. A host of other tools and services are needed to manage risk: disaster recovery plans, anti-virus software, intrusion detection, firewall technologies and more. Insurance transfers the financial consequences of a loss; it does nothing to prevent the loss or to keep the business running while it is happening.
4. Employing external providers whose impartiality is impaired. Asking your insurance agent to assess your risks and then sell you products and insurance policies to mitigate those risks creates a conflict of interest. How can someone be impartial if they are paid as a result of sales of products and policies, rather than by what you save? The best advice comes from independent sources, not tied to product suppliers, who are paid to make sure your risks are mitigated at the lowest possible cost.
5. Not understanding the overall costs of risk, or how to reduce these costs. Right now, you may be spending 35 percent more than necessary on risk management. If you lack a clear overview of all the products and services you are using company-wide, then you are most likely duplicating efforts. Or, even if you have centralized control, you may be paying unnecessarily exorbitant costs for a customized risk management information system (RMIS).
6. Allowing risk to be assessed and managed by the resources that create the risk. Was your information technology security policy written by the same technology staff who operate the systems it governs? Without independent oversight, the people who could misuse your network and intellectual property are also the only people in a position to notice the misuse, and the policy will tend to reflect what is convenient to operate rather than what is necessary to protect. This is just one of several ways that managing risks at their source, without separation of duties, can increase your vulnerabilities.
7. Not managing risk as a focused and centralized discipline. Your systems administrator undoubtedly performs a series of actions to ensure the integrity of your network, protecting you from viruses, hackers and crashes. While these measures may be effective, each works properly only within a broader secure environment, and creating that environment requires solutions and policies outside your systems administrator's core competencies or control. Your systems administrator's actions count for little if you lack comprehensive internal security policies, detailed disaster recovery and business continuity planning, and, ultimately, effective risk transfer and insurance mechanisms.
8. Failing to maintain continuous and measurable risk management initiatives. You might have a disaster recovery plan on file, but it's likely that the last time anyone updated or tested it was two years ago. Risks are always evolving; new vulnerabilities emerge every day, and a plan that has never been exercised is only a guess about how recovery will go. Risk management is not something you do once and then forget about. You need current overviews of your risk-mitigation activities, in a format that doesn't bog you down, so that you can measure whether they are still working.
9. Ineffectively prioritizing and inefficiently allocating resources to deal with risk. Once you have completed your risk assessment, you are faced with the often-paralyzing task of figuring out what to do next. Which problem demands the most attention and money? There are hierarchies of risk, and a good risk manager can help you systematically tackle the most pressing needs first.
10. Not properly preparing and educating your employees for emergencies. A tool is only as effective as the person using it. If your employees are not trained to carry out your contingency plans and security policies, your risk management efforts will be wasted. When you are busy, it may seem impossible to allocate time to teach your staff what to do when the server crashes, the phones go down or the office floods. But when disaster strikes, you will be relieved you did.
Peter C. Teuten is the Chief Development Officer for Business Risk Management Solutions (BRMS), an independent risk management services provider. BRMS is a division of The Keane Organization, which supplies compliance and risk management solutions to Fortune 1000 corporations, financial services firms and mutual funds.
Author: Teuten, Peter C.
Date: Sep 1, 2005