It has been ten years now since the Sarbanes-Oxley Act passed, creating the need for better corporate governance, compliance, and risk management. In that time a great many steps forward have been made in the name of better and more transparent business practices. However, despite this recent drive, it appears that for some, this effort has only created more risk management problems along the way.
The primary issue in most of these cases appears to be a lack of any clear success on these companies’ part in properly defining risk. Rather than looking at these threats on the broad, all-encompassing basis that they should, they choose to focus too specifically on only a few chosen subsets. For instance, those guilty parties may focus entirely on issues of compliance and operational risks, which together make up only one small part of all risks, ignoring the much larger threats at their own peril.
It would seem then that to be truly effective, companies should develop an all-encompassing risk management strategy that attempts to foresee and prepare for risks in all possible areas and not just those that seem the most likely, lest they wind up leaving themselves unguarded to one degree or another. This, however, would also be a tremendous mistake.
Yet another drastic problem faced by many risk management programs is that they seek to be too extensive and wind up spreading themselves too thin, becoming unable to properly maintain observance of those areas that really matter the most to a given company. Should this occur, a company’s risk management program has essentially invalidated itself by overreaching its capabilities until it has rendered itself useless.
A recent study that looked at risk management in over one thousand companies discovered that the biggest risk area that organizations should be concerned with, the one which has caused the greatest amount of damage to most companies, was strategic risk. Ironically, this has also become one of the lesser-regarded threat areas among many companies. In order to correct this issue, companies are going to have to begin by reassessing how they define risk factors, taking a much closer look at how their organization is run and what areas may pose the greatest possible problems down the line.
Ultimately, the answer is one of moderation, forethought, and careful planning. The core principle of any good risk management program, and the one that most companies often seem to overlook, is that such programs are a full-time responsibility that must be constantly monitored and maintained. This will mean that a risk management team will need to be in charge of keeping track of all possible mitigating factors and assessing them for their relevancy, seriousness, and proximity, taking everything into consideration while at the same time being decisive and staying focused on those factors which pose the greatest possible threat to the company.
Done correctly, risk management is far from a simple matter; however, the benefits it may provide in strengthening a company’s corporate governance practices and protecting against any number of undue losses are invaluable.