Organizational Risk in an Economic Downturn

By Brett Tarr
July 28, 2009

Organizational risks are threats, negative effects or problems that can occur as a result of an event or an action within a company. During turbulent economic times, organizations need to be especially vigilant to minimize potential risks that could ultimately affect the bottom line or shareholder ROI.

Organizational risk can include many types of risk (e.g., investment risk, budgetary risk, program management risk, legal liability risk, safety risk, inventory risk, and the risk from information systems).

Managing organizational risk is not an exact science. It brings together the best collective judgments of the individuals responsible for the strategic planning and day-to-day operations of organizations to provide adequate security and risk mitigation.

There are two main categories of risk: internal and external. Internal risks can result either from processes or from the management of information, while external risks result from changes in the environment of the company (political, economic, technological, sociological changes) that can exercise a negative influence on the objectives and the strategies of the company.

Managing Organizational Risk

Managing organizational risk in tough times means taking a holistic view. This requires an integrated cross-departmental framework of controls, checks and balances. Key examples of issues facing organizations that impact corporate risk include fraud, new technology implementation, and the advent of global markets.

  • Fraud continues to be a problem for numerous organizations. Oversight and quality control managers within organizations must be aware of this issue and develop consistent policies and procedures to address fraud prevention.
  • New Technology Implementation: In the current business market, organizations are always looking for the latest and greatest innovation to help improve workflows, increase efficiencies, and reduce costs. However, new technologies introduce new organizational risks, and businesses must recognize and prepare for this during the implementation process.
  • Careless Strategic Decisions: In this day and age, careless decisions can have a ripple effect across continents and into the global marketplace. The cost of strategic errors and the speed of their consequences on the company are increased, enhancing the overall risk profile of every major decision.
  • Management Information also can represent a risk when the information serving for decision making is incomplete, out of date, erroneous, late, not relevant, etc.

Organizations can no longer afford to treat risk in silos, or as separate departmental level initiatives. Risk management needs to be an integrated, enterprise-wide approach, keeping focus on multiple key indicators that show early warning signs of potential business problems, with preplanned strategies to address potential risks. Further, ongoing board level attention is required because risk management is no longer tenable as purely a compliance issue, as recent market events have highlighted. Globally, organizations are facing uncertain times, and management of risks at the highest level is critical. Only with a systematic but strategically led approach to risk management can organizations of today be more assured of avoiding, or better managing, the pitfalls of difficult market conditions.

Optimizing Organizational Risk Prevention

Businesses always need to think about the many risks that exist both inside and outside the organization. Understanding the risks specific to your organization and having a framework of controls in place will better allow you to address these risks. The real value for the organization comes from going beyond compliance and actually creating affirmative value out of these processes. Ultimately, the goal for any organization would be to elevate risk management processes to the point where they can actually become a differentiator for that company.

Before the implementation of Sarbanes-Oxley legislation, internal investigation and audit departments had been moving toward more value-added functions. But with the advent of the new regulatory and compliance burdens, organizational investigators and internal audit teams have had to divert focus back to internal investigations and monitoring organizational personnel and activities.

Over time, these new regulatory and compliance burdens have become more ingrained within organizations, and there is a need to reexamine the role of the internal auditor to try and move beyond its reactive role and begin proactively identifying issues and risks that are facing the organization outside of strict compliance parameters. This proactive element is where internal auditors begin adding value to the organization, and not just protecting the organization from fines and sanctions.

This last element is actually becoming more than just a buzzword or the latest trend. In fact, ratings agency Standard & Poor's has noted that it will begin taking organizations' Enterprise Risk Management (ERM) frameworks into consideration. Suddenly, the issue of risk management and proactive issue identification now becomes one that can have a real impact on a company's finances.

What Are the Common Problems Faced When Tackling Organizational Risk?

One of the biggest challenges facing any organization is to address shared problems. Most businesses do not take the time to do proactive risk assessment, and then fall into the position of discovering key vulnerabilities once it is too late to avoid the fallout. Responding to problems is certainly easier than identifying potential problems before they occur, but the costs of failing to be proactive ultimately will be borne by the entire organization.

With risk analysis being limited to a compliance focus, internal auditors and the entire framework of risk assessment are not positioned to identify problems; rather, they are built to solve problems once they bubble to the surface. Again, the challenge is to look more widely at business risks than the organization is obliged to from a compliance point of view.

Checklist of Principles for Effective Risk Management

To achieve best practices for organizational risk management, consider the following:

  • Value the management of the organizational risks in the whole of the company.
  • Develop a continuous process of both evaluation and control of the organizational risks in the company.
  • Integrate the control process of the business risks into the organizational processes.
  • Estimate the organizational risks with regard to the strategic objectives of the company.
  • Extend beyond the financial aspect to spread the management of the organizational risks to all the aspects and at every level of the company.
  • Estimate the performance factors, processes, development projects, and departments as well as the strategic, operational and financial decisions by taking into account possible risks.
  • Estimate the organizational risks and re-estimate them constantly according to the severity, to their occurrence and to their detection.
  • Elaborate control strategies of the organizational risks according to the levels of estimated risks.
  • Regularly revalue the methods and the tools of identification, evaluation and control of the organizational risks to improve them constantly.
  • Make simulations of extreme situations to measure the efficiency of the methods and the control tools of the organizational risks.
  • Involve the managers in the identification process, evaluation and control of the organizational risks.
  • Organize training sessions to master the concepts and the control tools of the organizational risks.
  • Form an organizational risks management committee to approve policy, model and management tools of the organizational risks and to estimate and revalue regularly the organizational risks.
  • Develop information systems to supply all the information necessary for the management of the organizational risks.
  • Estimate regularly the performance of the process of management of the organizational risks.
  • Communicate the results to the administrators.

Questions an organization should ask to develop a truly proactive value include:

  • Are we too focused on basic compliance objectives?
  • Which risks are we monitoring?
  • Which potential risks are not recognized within our current framework?
  • Are we monitoring the right risks?
  • Are our risk mechanisms alerting us to the right risks at the right time?
  • Why are we focusing so strongly on the financial risks when there are actually more nonfinancial risks within the business that go unmonitored?
  • Do we want our internal auditors to be monitoring solely those risks that tick a compliance box? Or do we want our internal auditors to operate within a framework that makes them much more valuable?

How Should the Organization Respond to These Answers?

  • Take an assessment of the risks across the whole organization and create a “map” of risk danger-zones. This also should include potential vulnerabilities, not just current concerns.
  • Put an appropriate controls framework in place.
  • Ask questions about how your business is set up to respond to a risk issue and whether the right people, policies, and procedures are in place.
  • Determine if internal audit has aligned its plan to address the organization's top risks and if it has the skilled resources to execute; consider whether external sourcing of the internal audit function is required.
  • Identify diverse financial and nonfinancial risks across the entire business.
  • Start addressing and managing risk at the enterprise level, not just at the department level.
  • Focus on driving efficiency and effectiveness of the internal audit function.

The Impact of Changes

The impact of changes of perception and the practices of management will result in a new paradigm in viewing, understanding, and applying the controls. These controls move from reactive toward a preventive and proactive control, and ultimately these controls are transformed into a new organizational risk management process.

This process can now extend beyond the financial aspect to include all aspects and all levels within the company. In this environment, enforcement of risk management now becomes the shared responsibility of every manager within the organization, providing a more rounded, proactive set of protections for the business.


Brett Tarr serves as general counsel for eMag Solutions, based in Atlanta. Before joining eMag, Tarr worked as a practicing attorney at King & Spalding LLP, and has held chief operating officer, legal counsel, and senior marketing executive positions for several corporations over the past 10 years. He can be reached at [email protected].

