Kevin Campbell | November 23, 2020

In last week’s article I wrote of the importance of quantifying risk and the two most critical aspects in that endeavor:

  1. using a common yardstick across the enterprise and getting all risk down to a dollar value, and
  2. putting a risk mitigation plan together that is simple, actionable, and designed to change behavior.

This week let us discuss the positive effect of a governance program on risk management.

Before we jump headlong into this topic, and in the spirit of full disclosure, I am compelled to reveal to all that I am not a big supporter of standing steering committees, oversight committees, governance councils, IT review boards, and the like.  Excluding publically traded organizations in the U.S. who must have a certain number of these types of councils per SEC regulations and federal law, many other organizations who create such oversight committees due so for some significant reason.  No person that I have ever met has ever emphatically announced, “Excellent, I get to be on more committees!”  The formation of a standing committee, council, board, or whatever other term that may be used to describe the body’s function is directly related to a repeated failing in one or more functions of the organization’s leadership.  The most notable area of failure is in communications, but there are many other areas as well.

But there are exceptions.  Innovation Councils that allow new ideas to be brought to light and discussed is an example.  Staff Development Boards who identify rising stars and arrange for cross-discipline opportunities is another.  Diversity and Inclusion Councils, Health and Safety Program Boards, and Employee Engagement Teams are many other examples.  And, yes, Risk Management Councils are also in that category.

This may seem, at first thought, to be an oxymoron.  Participation on a Risk Management Governance Council does not sound like a good time!  Risk is certainly not as exciting as innovation or emerging technology.  However the function that such a body can provide can be invaluable to an organization.  Their job will be to create, disseminate, train, and implement a program to identify and quantify the many types of risks present across the enterprise.  Afterwards, they would then present the ranked list of mitigation steps for the most critical risks facing the organization and thereby greatly reduce the exposure to those threats to the business.

If such a risk governance body is composed of two experienced/senior members and the rest composed of younger, mid-career managers along with a few rising star individual contributors, the make-up would be ideal.  The mid-career managers and individual contributors would be exposed to the many facets of the enterprise and learn so much more than just their own discipline.  With counsel from the senior leaders on the committee to help guide the team, these younger members of the organization will bring new and fresh approaches on how to not only to address the identified risks but also how to engage the workforce in helping take the needed steps to mitigate the risks.  They will build the framework on how risk will be identified, quantified, and addressed throughout the enterprise.  That type of internal experience is golden for any individual from their own career perspective but also the investment return back to the organization from a staff retention/staff development perspective and from the direct results of lowering risk exposure is tremendous.

Actionable insights beget behavioral change.

As long as the Risk Governance Board does not develop a life of its own and has the discipline to limit grand multi-phase plans, new systems, checkpoints, reports, liaison representatives, and the like and keeps their recommendations simple, they will be successful.  Recommendations should be a series of small, straight-forward, and highly actionable efforts to reach the final goal.  Employees can more easily understand such steps and will quickly identify the results.  That enables them to change their personal behavior.  Organizational behavioral change follows soon after.

Next week we’ll wrap up the topic of risk and risk management in the IT world along with some closing thoughts, so stay tuned.  In the meantime I hope everyone enjoys a safe, enjoyable, and socially-distanced Thanksgiving!