How to Think Like a Risk Manager

Mitigating Risk

The fact that a pandemic could occur was on the radar of corporate leaders. What surprised risk managers and other executives were the unintended implications of COVID-19: the sweeping economic shut-down, the shift to remote working practices, the vast upheaval of standard medical practice.

So, how do you mitigate risk? Ed Horwitz, PhD, CFP®, FBS®, ChFC, CLU, Executive Director, Mutual of Omaha Chair in Risk Management at Creighton University’s Heider College of Business, addressed this question in the inaugural session of the Business Bites Webinar Series, a luncheon virtual education opportunity for business professionals of all industries, sponsored by the Heider College of Business in partnership with the Greater Omaha Chamber.

WHAT IS RISK MANAGEMENT?

Enterprise Risk Management (ERM) is an integrated and continuous process for managing enterprise-wide risks (including strategic, financial, operational, compliance and reputational risks) through a governance framework structure, which drives organizational maturity towards a performance-based ERM model.

The Enterprise Risk Management process includes five steps:

• Identify risk potential or actual risk.
• Assess the frequency, severity and range of the risk.
• Choose methods of mitigating or controlling risk.
• Monitor the effectiveness of these methods.
• Adjust practices accordingly.

To be effective, ERM should be a continuous model in which governance structures and policies identify and quantify risk and look at the efficacy of the organization’s risk management through dashboard reporting and monitoring. Once this information is analyzed, changes are made to shore up institutional risk weakness. And then the process begins again.

WHAT IS THE PURPOSE OF ENTERPRISE RISK MANAGEMENT?

Horwitz says that risk managers are “hardwired to viewing situations through the lens of risk.” But risk is not necessarily negative. In fact, Horwitz maintains, the goal of risk management is not to simply avoid all risks but to make certain the organization is getting compensated for the risks they retain. Opportunities arise from such risk management.

There is a maturity of enterprise risk management systems within organizations, with performance-based ERM as the ultimate goal. The first tier of ERM system is where most organizations start, crisis-based ERM. It is reactive, and its aim is to minimize impact to the organization. Next is compliance-based ERM. More proactive in nature, it’s goal is to meet regulatory requirements. Control-based ERM establishes control standards within an organization to minimize institutional failures. Financial loss mitigation is the focus of tolerance-based ERM. The highest level of ERM, performance-based ERM, is strategic, dynamic, evolutionary and continuous. It’s goals are to maximize stakeholders value.

MAKING ENTERPRISE RISK MANAGEMENT ACTIONABLE

The most common mistake organizations make is focusing too heavily on the execution of a business plan. In fact, 60% of organizational failures are attributed to incorrect strategic assumptions leaders of an organization make, e.g., wrong product or service, consumer behaviors, competitor behaviors and economic beliefs. Shift attention to the assumptions that support those strategies, and not necessarily the executional framework.

So, if risk rests in the assumptions and not the plan itself, it is necessary to look for key risk indicators, or the signals that problems could arise, and then develop a plan if risks do emerge. Taking a step further, look for opportunities to potentially arise from risk.

Disruptive risk is inevitable, but it is preferable to be proactive than reactive to such risk. Here are five steps to addressing disruptive risk within an organization:

1. Address potential risk within scenario planning, including the organization’s Board of Directors. Tap into this wealth of corporate experience.
2. Strengthen Board culture and governance.
3. Include risk metrics in Board reporting.
4. Be vigilant; become a student of emerging risk trends and identify potential risk indicators.
5. Sharpen crisis and communication plans to effectively handle emergency situations should they arise.

Managing risk does not solely rest with the chief risk officer. A risk mindset needs to pervade organizational culture as a shared vigilance, Horwitz says. Senior management of each division within an organization need to think like a risk manager.

This content was developed as part of our Business Bites series, a virtual education opportunity sponsored by the Heider College of Business in partnership with the Greater Omaha Chamber. Request the full interactive Business Bites session to learn more.

Request Session

This article was a contribution by Ed Horwitz, Ph.D., CFP®, FBS®, ChFC, CLU, CSA. Dr. Horwitz is the Executive Director, Mutual of Omaha Chair in Risk Management (ERM) and Associate Professor of Practice in the Department of Economics and Finance at Creighton University Heider College of Business. A business management senior executive, applied clinical researcher and published author with over 30 years of experience in the Financial Planning and Risk Management industry, Dr. Horwitz is regarded as a knowledgeable and optimistic leader who brings a winning attitude and trusted confidence to all settings. He is experienced in the development, implementation and coordination of new collegiate educational programs for financial planning, insurance, enterprise risk management, and financial psychology and behavioral finance.

Learn more about Creighton University’s Enterprise Risk Management graduate certificate