When I am preparing an executive team or board for an enterprise risk workshop, I tell them there are three types of enterprise risks.
- Individual risks. A risk within a division or business unit that is of such significance that it deserves the attention of the executive and board.
- Enterprise systemic risks. That is, risks that manifest in multiple places and multiple ways with varying levels of potential impact. On their own, they are something the division or business unit is dealing with while getting on with the job. However, when these are viewed at an enterprise level, they are a serious risk that deserves an enterprise-wide response.
- Un-siloed risks. That is, risks that are identified in between division and/or business unit silos. A risk that exists either because no one owns a particular issue, or because everyone thought someone else was tackling it!
Of the three, the second category is perhaps the most interesting. It takes a bit of brain strain to understand what the risk is and how to articulate it well enough for the executive and board to work it through to a conclusion: either that it is a risk of significance that deserves an enterprise-wide response, or that it should continue to be handled at division/business unit level.
A typical example came up for me recently. Information management – the risk that the right information is not available at the right time for decision making, or that it is incorrect or outdated.
Given organisations are all about people making decisions, getting this right is critical. You know it and I know it; however, it is not always as easy as 1 – 2 – 3, in particular with mergers, acquisitions and re-structures. The one that annoys me the most, though, is the ridiculous situation where a lack of investment in technology forces people to manually search through file directories for information.
The extent of the “technology debt” conversations I have had in the past 12 months is alarming. What can you do about underinvestment in technology? Two things. Go into each area of the business, get examples of the challenges, and understand the causes, the implications and the likelihood of a significant risk event. Bring them all together, estimate the cost in time and effort to manage the underinvestment, develop low-probability through to high-probability risk event scenarios, and put it all to the executive and/or board.
The other thing you can do is buy my book Persuasive Advising – How to Turn Red Tape into Blue Ribbon for the CIO!