I will start this post with a guess. I think that after reading the title of the post, some risk management professionals probably answered the question in the title with something like:
“Yes, all risks reported by operational teams throughout all our sites or divisions are rolled up to our corporate Risk Register where we have a consolidated view of all risks throughout the enterprise.”
This is indeed the way things are supposed to be in theory, and how they have been historically for many organizations. But is it the right way? Is there a crucial element missing in the process? To begin with, some risk management professionals have a problem with the concept of a static Risk Register. They think it’s not an effective way to manage and mitigate risks, but that’s a topic for another day.
More importantly, simply rolling up operational risks from all sites or divisions to the corporate level is not enough. There must also be a calibration of risk ratings. An operational risk at a specific facility or unit may have a “high” or “critical” priority, but it may have a “low” or “medium” one at the enterprise level. Financial resources are limited, which is why they have to be allocated effectively, and without a proper calibration (or adjustment) of risk ratings there is a danger that some important risks are not mitigated because less important ones are being addressed instead.
Operational and Enterprise Risks Can Align Differently
Let’s look at two examples, one quantitative and one qualitative, to show the alignment of operational and enterprise risks.
A Consumer Goods Company
In the first example, a multi-billion dollar global consumer goods company has a structure composed of many divisions, each representing a different product category or brand. The division for personal care products (soaps, shampoos, skin care, toothpastes, etc.) has developed a new product that is being rolled out globally. The market launch of the new product is running into a problem in Japan because there are not enough local retailers and distributors to offer the new product to consumers.
Based on revenue projections for the new product for the Japanese market, the division determines that there is a $30 million risk exposure. The longer the product launch is delayed in Japan because of a lack of local retailers and distributors, the less likely any immediate projected revenue would be realized. The revenues from sales in Japan would be pushed out to the next quarter or next fiscal year.
A $30 million risk exposure is significant from the division’s perspective, which is why the risk is rated as “high”. But the consumer goods company has revenues in the billions and the personal care products division accounts for about 20% of its global revenues, therefore the $30 million risk exposure may have a different priority at the enterprise level, compared to the operational level. It doesn’t mean that the risk is ignored at the corporate level. Rather, the risk would have a “medium” rating instead of “high”.
An Industrial Manufacturing Firm
In the second example, an industrial manufacturing firm has 50 facilities around the world. One of these facilities is reporting a medium likelihood of a workplace fatality because of rising incident rates, and leading indicators that are not improving (e.g. number of training hours, attendance in safety meetings). At the facility level, a workplace fatality would result in some operational impacts, but a critical reputational impact, which is why the risk is rated as “high”.
At the enterprise level, the operational impact would be almost insignificant, since it’s one fatality at one facility out of 50, but the reputational impact would still be critical. If the industrial manufacturing firm considers workplace safety one of its fundamental values, and it has been highlighting the reduction of workplace fatalities over the years, to the point where the number is very close to zero, the reputational impact would be as critical at the enterprise level as at the operational level.
In this example, there is no calibration in the risk rating. The risk at the facility level is rated “high”, and it would also be rated “high” when aligned at the corporate level.
Align Operational and Enterprise Risks with Risk Management Software
The exact same risk can have a different rating at the operational level and the enterprise level. What does this imply? First, there are many reasons why risk management software is better than spreadsheets to maintain, update and manage a Risk Register. Given the additional layer consisting of different ratings for the same risk, any doubts about the advantage of risk management software over spreadsheets can be laid to rest.
Second, risk management software must offer functionality allowing the allocation of two risk ratings for the same risk:
1) The rating at the operational level set and tracked by an operational team. Operational teams would see risk ratings pertinent to them.
2) The rating at the enterprise level, set and tracked by corporate risk managers. The enterprise risk management team would get more relevant ratings of all risks throughout the organization.
In conclusion, you properly align operational and enterprise risks by calibrating risk ratings at the corporate level where applicable. This ensures that the most important risks across the enterprise are addressed first, instead of those generating the most noise at the operational level.
Download the Verdantix Green Quadrant Operational Risk Management Software 2019 report and learn more about the 17 most prominent operational risk management software vendors: