Increasing Your Risk IQ
September 3, 2009
By Sumner Blount, Director, GRC Programs, CA, Inc.
Many recent trends, not the least of which is the current financial crisis, have combined to greatly raise the visibility of enterprise risk management. Risks today are much more complex than in the past, and are rarely self-contained -- they are often related to each other in complex and hard-to-manage ways. A failure in one area of the business can have dramatic effects on other areas. In addition, the increased visibility and catastrophic financial effects of a number of recent corporate security breaches have made the management of risk of all types a front-burner issue for all corporations.
But many companies are plagued by risk efforts that are inconsistent and ineffective at recognizing or mitigating the key risks that the company faces (witness the clear lack of effective risk management in the current crisis). As a result, visibility into the current status of key risks is limited, which makes risk-based decision-making a problematic process at best.
The problem often boils down to this: the risk information available to executives often doesn't enable them to make well-informed risk decisions. One way to think about the maturity of a company's risk management environment is to consider its overall Risk IQ, which includes two critical elements: visibility and insight. Risk IQ requires risk visibility into the proper information, at critical points within processes and procedures, to identify risks across the enterprise. In addition, risk insight reflects whether this information is structured and presented so that you can properly assess, quantify, and manage these risks. Executives need to be able to see the relationships and impacts of risks on their strategic objectives, business processes, and the like, so as to improve risk decision-making and drive better operational performance. Without risk visibility and insight, organizations cannot identify, measure, or control risks effectively.
This is all well and good, but how does a company improve its Risk IQ?
First, let's look at why some companies have a relatively immature risk infrastructure today. Many companies manage risks in organizational silos, in which each group identifies, quantifies, and mitigates risks using its own techniques and approaches. For example, risks may be identified using different formal risk hierarchies, or even worse, no formal models at all. So one group might use one term for a given risk, and another group might use a different term for essentially the same risk. Obviously this precludes effective communication and collaboration related to that risk. But, more importantly, many risks are cross-organizational in nature, and the lack of a common nomenclature makes even the identification of those complex risks more difficult.
The lack of common risk procedures also impacts risk assessment and quantification. One business unit might perform assessment using estimates from key individuals, others might use automated surveys, others might do brainstorming, etc. There are a number of techniques that can be used to assess risk, and although there may be reasons why these techniques vary across the enterprise, inconsistent processes usually lead to inconsistent results. Also, the actual risk ratings given by individuals might vary considerably: one person's low risk might be another's medium or even high risk. And one group might use a different Key Risk Indicator (KRI) than another group, leading to a lack of clarity about the real severity of the risk. (Note: a KRI is an environment-specific metric that can be used to identify areas of increasing risk, hopefully before they become critical. For example, a KRI might be the turnover rate for key IT administrators, which can easily lead to increased service disruptions and reduced system availability.)
The lack of common practices, terminology, and metrics makes the creation of an effective risk management environment challenging. So, if this is the problem, how can it be attacked?
The key to increasing your visibility to risk is to establish a common risk management framework across the enterprise. But, what does a common risk management framework really mean, and why is it important?
First, there should be common processes, terminology, and practices for managing risks of all kinds. Everyone should manage risk in a way that is consistent across the enterprise; otherwise, it's as if individual groups are speaking different languages when discussing risk. And, given the complexity and cross-organizational nature of most enterprise risks today, such a situation is very likely to lead to poor risk management approaches.
Risk identification should be done using the same comprehensive risk library so that everyone can communicate about risks consistently. A risk library is simply a formal and hierarchical taxonomy of key risks that has been developed by the collaborative process of an independent industry body (for example, risk management models are available from ISACA, ISO, and NIST). This will at least help ensure that the same essential risk is named the same across the organization.
The process of risk assessment should also be uniform, and all risks should be mapped to the business processes, organization, and strategic objectives that they impact. Some cases may require somewhat different assessment processes (such as surveys, interviews, brainstorming, etc.), but these differences should be explicit and required for each individual case.
Most importantly, insofar as possible, risk metrics should be the same across the organization, so that when risks are quantified, appropriate comparisons between them can be made. As noted above, risk ratings should be more specific than low, medium, or high, and whatever metric is used, it should be consistent across all groups for a given risk type.
Many problems also arise from a lack of awareness of the amount of risk that upper management is willing to take. The current crisis is a poster-child for this problem. Therefore, it is essential that risk tolerances be fully understood, communicated, and monitored across the enterprise. When the people on the front lines are not aware of how much risk upper management is willing to take, improper (and risky) activities often result. This means that not only must everybody be speaking the same language in relation to risk, but communication and monitoring of risk tolerances should be proactive and ongoing.
But in addition to reducing negative risk, a consistent risk framework enables more effective management of the risk related to new business opportunities that the company needs to undertake in order to grow. All new business activities involve risk, and the prudent management of risk is what often differentiates successful companies from their less-successful competitors.
Next, risk management practices should be incorporated into all key business processes and decisions. Each individual must know what their risk-related responsibilities are, and how they fit into the bigger picture of the enterprise risk management model. Risk must be considered as an essential element of all business processes, just as quality and cost are emphasized and tracked for these same processes.
And lastly, if management is going to make its risk-related decisions using high-quality information, that information must be easy for the individuals who have direct access to it to capture and enter into the system. For example, the failure of a risk-related IT control must be able to be quantified and captured immediately (entered into a risk management information system of some kind) by the individuals who are testing that control. Relying on multiple levels of communication (especially informal communication such as email or spreadsheets) tends to lower the quality of the information on which management bases its decisions.
Improving your Risk IQ is not a simple or quick process. It requires work and planning, but it can help to increase the overall maturity and effectiveness of your risk management approach. Creating a common risk management framework across the enterprise is an excellent start on this effort. It provides consistent and uniform risk identification and terminology, assessment processes, and metrics. When everyone uses the same risk framework, collaboration is improved, risk awareness and assessment are enhanced, and higher-quality risk-related decisions can be made.