Friday, January 27, 2017

The Executive Risk Review

If this sounds like Management 101, it is.  It is the same kind of management control system that is used to manage financial metrics.  The only thing that might be new is applying the idea to risk. 

Meeting the demands of key customers and regulators to manage cyber risk is yet another challenge for the executives of small and medium businesses.  As if you needed one more thing to worry about, along with revenue, product, and cash flow!  Yet it is possible to make a credible, practical, and above all useful start on managing cyber risk without breaking the budget or getting mired in endless detail.  A simple way to get started is with a quarterly risk review.  Here is how to go about it -- without buying a Lexus when all you need is a Corolla.  This will work for any organization, whether a business or not, that is big enough to have quarterly business reviews.

Simply this:  add a risk review to the standing agenda of the quarterly business review.  A risk review addresses three basic questions:
  • What are the most important risks facing the company in the next 12 months?
  • Are these risks acceptable to management and the owners, given our current circumstances, or should we be doing something to manage those risks better?
  • What action should we now take to manage our top risks better, and what progress have we made in actions previously agreed?  Who will take responsibility to do them, and when should they be complete?  How will we know if they have been effective? 

As management exercises its judgment about what the most important risks are and what to do about them, it is automatically setting risk management priorities.

Despite its simplicity, this approach has much to recommend it.
  • It makes management think consciously about risk.  That is the first step in managing it.
  • It establishes a recurring and repeatable routine.  That lays the groundwork for bringing almost any risk into acceptable bounds.
  • It results in decisions and actions, so it gets things done, in priority order.
  • It is a structure that can be matured over time to any level of sophistication.  Soft words like “important risks” can be made more objective and quantified.
  • It is very efficient, a good use of scarce executive time, once the cadence is established.
  • It shows that management is paying attention to risk.

“Paying attention” deserves some elaboration.  Sooner or later a key stakeholder will insist on having assurance that management understands its risks and is managing them.  Stakeholders include the board, current and prospective investors, key customers, regulators, and auditors.  To credibly assert that, “Yes, we do know our risks, we review them regularly, and we take appropriate action to manage them,” you can do a few simple things to create the auditable evidence that your stakeholder will expect or insist upon.
  • Put “risk review” formally on the agenda of the meeting.  (Every business review should have a written agenda.)
  • Prepare a simple two-page “risk report” ahead of the meeting and discuss it.  It can even be an email to the management committee.  The CFO, VP Finance, or CIO might be responsible to prepare it. 
  • Document the results of the risk review in the meeting minutes.  (Yes, have minutes!)  This can be as terse as a note that risks were reviewed and certain actions were assigned.  Cite the risk report and say it was reviewed.

The secretary of the meeting, who could be one of the participants or an administrative assistant, should be responsible to collect, organize, and preserve these documents, so that they can be audited later.  All documents should be dated and bear evidence of having been distributed to relevant executives, such as by email.

Another note will get into what a risk report should have.
