Global trends have reshaped industries and completely changed the priorities of companies and the way they design, build and deliver services to consumers and corporate clients to stay relevant. Today, when uncertainty and complexity are latent in daily operations, decision making and projections are made difficult by the lack of clarity and certainty about the future. These are decisions that could affect business strategy or objectives in the short, medium and long term if potential risks are not properly managed.
The accelerated increase in the implementation of new technologies has brought with it tipping points in terms of security with respect to their use. Preserving the security and protection of information is possible through the adoption of a risk management methodology that, from a technological perspective, ensures control over the infrastructure at the physical level, information systems at the logical level and organizational measures at the human level.
Contrary to what many people think, risk management, being proactive and not reactive, is not a brake on the growth and progress of the organization. Although this process contributes to a change of mentality from the inside, for the results to be as expected it is important that employees, area leaders and managers are aware that it must be adopted in order to foresee and identify in time possible situations that may affect the company’s operation, including its logistics, strategy and finances.
Considering the above, what is risk management? It is a strategic methodology to identify, analyze and respond to risk factors that could impact the success of a project; identifying them correctly makes it possible to anticipate and take control of possible future threats or incidents. A well-structured and implemented risk management methodology helps to make decisions based on reliable information: with the appropriate tools in place, it is possible to allocate resources with greater certainty, considering the risks to mitigate and the probable causes of the different possible scenarios that the organization would have to face.
What risks could arise, and how should they be addressed for correct decision making?
Although risk management is a booming topic in companies at the national and international level, in some cases security, confidentiality, integrity, traceability and authenticity are still affected, due to incorrect implementation or lack of attention to certain warning signs that indicate possible adverse events that may go unnoticed, among which are:
- Leadership management and tone of questionable leaders
The task of exercising supervision, direction and control of the processes by leaders and managers must be directed towards a role of constantly guiding planning and operations. This guarantees the effectiveness of the risk management model and the successful implementation of the strategies. As for the tone of leadership, it is vital to focus on openness, continuous improvement and commitment of the different areas, and also to encourage proactive behavior in employees. Poorly managed leadership that is not open to change could create a barrier of resistance to accepting negative news or contrary information.
- Imprudent risk taking
Risks must be taken with discipline, without hasty determination, knowing that they are the starting point so that the impact is as small as possible. The organization must choose the right person to be in charge of the proactivity of the employees, of the management and follow-up of the primary risks and of the periodic accountability to ensure that they are assumed in a prudent manner within the established limits.
- Inconveniences with management performance
In many cases, the risk management model is out of focus. This is due to limited resources, poorly assigned roles, lack of anticipation and organization of priorities. The model must be designed with a strategic focus based on the organization’s vision, and its impulse must be from the top down, from management to employees, and not the opposite, as is often the case.
- Incompetence or ineffectiveness of risk assessment
This deficiency occurs when assessment activities do not effectively and accurately identify the company’s real risks. It also happens when they are identified in time, but not shared and socialized with employees so that there is a common vision. What for some is of vital importance, for others may go unnoticed, so it is important to involve the main stakeholders so that there are conflicting opinions, respecting the different points of view.
- Lack of integration and commitment to performance
When potential risks are assumed as a simple complement to the strategy, the result is a lack of realism that is reflected in the objectives set. The consequences of this include a disjointed strategy, with which it will not be possible to comply. There cannot be a lack of connectivity of risk management with the core processes of risk management. It is of utmost importance not to allow it to be absorbed by insignificant details; by losing focus on what is really important, the execution of the project would be at risk.
To avoid putting the project objectives at risk, it is necessary for the organization to take key actions such as: updating the governance model for a more adaptable one, having a team with the right skills, having technology to track customer actions, strengthening cybersecurity and privacy, adopting data intelligence and more advanced architectures.
And now you must be wondering: how do you properly implement a risk management model?
According to the University of Southern California Marshall School of Business, the following information security risk management methodology is the ideal one for people, organization and technology to be correctly intertwined. It is focused on the inclusion in management as a support phase and on the identification of key dependencies, critical assets and processes, and existing and future threats.
The methodology aims to establish a management process that focuses on continuous improvement. It starts with the establishment of the context and continues with the identification, communication, estimation, evaluation, treatment, monitoring and, finally, acceptance of the risk. All this in different phases which are mentioned below.
- Planning phase: implementation of objectives and phases for the risk management process. The purpose of planning is to deliver results in line with the organization’s overall policies and objectives. Likewise, the communications plan and the analysis of the current organizational context are established to define the scope of technological risk management.
- Execution phase: implementation and operation of controls, processes and procedures (including the operation and implementation of defined policies), corresponding to the assessment and treatment of risks.
- Verification phase: evaluation and measurement of the performance of the processes against the security policy and objectives and reporting on the results.
- Action phase: implementation of changes required for process improvement. It is vitally important to constantly monitor, verify and act in the shortest possible time, without forgetting continuous improvement. In this phase, in addition, the changes and compliance with the indicators previously established from planning are verified.
To conclude, the implementation of risk management goes hand in hand with the need to build trust and involve employees in critical moments. Organizations today with their accelerated vision towards disruption in innovation, and by using technologies in their daily activity as part of their business processes, are exposed to all kinds of risks that could divert their course from one moment to another.
- Marshall Business School, USC
- Ernst & Young Global Limited
- Escuela de Postgrado Gerens