Risk is the possibility of suffering harm or loss.  The definition in the Free Dictionary also references danger.  Harm or loss for most enterprises either comes from opportunity lost or regulatory sanction.  Either way, the situation is bad for the enterprise.

Some risks can be eliminated but most can only be mitigated by exploiting your advantages and shielding your deficiencies.  This is the essence of risk management.

I think the easiest way for an enterprise to mitigate risk is to know what it is supposed to do and then do it.  In order to understand what it is supposed to do, an enterprise must completely understand its entire set of requirements and then implement processes that satisfy those requirements.  This is not something that just happens.  It must be planned, executed, and implemented.  It must then be constantly evaluated as requirements change.

Another opportunity for risk can be found in those processes between what we do and what we’re supposed to do.  Most exception processes are ad hoc and not well designed.  They arise from a crisis situation where workers have a very specific problem to solve, and so they solve it.  The problem is that they don’t have or take the time to evaluate their solution against the enterprise’s entire set of requirements.  This opens the possibility that the new process either allows people to do things they shouldn’t or fails to make them do things they should.  Both of these are risky situations.

So, the first part of managing risk is to identify those processes where the enterprise is not doing what it is supposed to be doing.  This requires that the enterprise evaluate everything it does against its entire set of requirements.  I’ll discuss remediation next time.