Every Single Day: Make Risk Management Part of Your Company’s Culture

The recent blockage of the Suez Canal was a rare event that highlighted the need for companies to undertake a certain vital activity every single day: risk management. In today’s post, we’ll define Operational Risk Management and explain why it’s important to make it part of the culture at your organization.


Lessons from the Suez Canal

Last month’s six-day blockage of the Suez Canal sent a shudder through supply chains around the world. The canal had been closed previously by geopolitical events, but its sudden obstruction by a single grounded ship was unprecedented.

Even before the ship was freed, many people sought to draw lessons from the incident in terms of international shipping and the global supply chain.

One obvious lesson to draw is: add the possible closure of the Suez and Panama canals to your threat and risk assessments.

That’s not a bad idea for organizations that depend directly or through their vendors on goods that pass through those chokepoints.

But to me the canal blockage underscored the importance of making operational risk management an everyday part of life at every company. Trouble can come from just about anywhere at any time, and in ways ranging from the predictable to the borderline unimaginable. That’s why it’s so important to manage risk every day.

What is Operational Risk Management?

Operational risk management (ORM) is the term we use to define the process of identifying and mitigating risks to an organization’s functioning, finances, and reputation. It also involves accepting a degree of risk in the case of threats that are beyond the reach of mitigation, for whatever reason.

ORM looks at the risk to three aspects of the business: people, processes, and technology.

There are four main strategies for mitigating risk: avoiding it, limiting it, transferring it, or accepting it.

ORM is not about eliminating risk completely. It’s about managing it consciously and intelligently.

The ultimate goal of ORM is to protect the organization and its stakeholders.

Making Risk Management Part of the Culture

I’ve written a lot about risk management in the past. To read some of those posts, check out the links in the Further Reading section at the bottom.

The point I want to emphasize today is how important it is to make risk management an everyday activity at your organization. Risk management should be part of your company’s culture.

Work happens every day, issues come up every day, and risk management should be going on every day.

Risk management is not a one-and-done activity. Nor does it qualify as risk management when a company does an assessment of its risks then puts the assessment in a drawer and forgets about it.

Active, intelligent risk management means constantly being on the lookout for risks and constantly taking steps to mitigate them. (See this post from MHA Consulting CEO Michael Herrera on “The Top 7 Risk Mitigation Controls, in Order.”)

If you have responsibilities for managing risk at your company, as part of a risk management team or business continuity office, you should be helping and guiding your organization to look at risk every single day. This is true whether that risk comes from workers not wearing hearing protection or the possible blockage of a geopolitically important shipping canal.

Preparing for the Next Event

The recent blockage of the Suez Canal was a reminder that trouble can come at our organizations in many forms, from the predictable to the almost inconceivable. That’s why it’s so important to make operational risk management an everyday part of life at every company.

People involved in risk management and business continuity should work to make risk management a part of the culture at their organizations. By doing so, they’ll help ensure their company is prepared to ride out the next negative event it faces, whether that event springs from an incident that makes headlines around the world or is confined to its own facilities.

Further Reading

For more information on operational risk management and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:

About
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.