Commonly, these managers keep Excel spreadsheets filled with risk information,
but each manager does things differently, making comparisons difficult
or impossible. Furthermore, the frequency of updates may vary widely, with
the sales department conducting risk assessments quarterly while the
development organization does them once a year.
This siloed approach means that you have no way of aggregating data about
risk. Because you can’t aggregate the data, you can’t really gain an enterprise
view of risk, either. There is no transparency of the risks at an enterprise level,
and generally any formal focus on risk management is on the negative aspect
of risk, rather than a proactive approach to strategic risk management.
This fragmented approach to risk, with everyone doing their own thing, creates
a false sense of security. You think your organization is managing risk, but in
fact, the organization lacks any visibility or insight into common business
situations with regard to risk. With this approach, you can't really protect value
or create value. The only real perspective offered is historical, and managing
a business based solely on a historical perspective doesn’t allow a business
to move forward.
The risk manager’s job approach
With the risk manager’s job approach, some people are appointed to think
about risk some of the time. With this approach, the company believes it is
taking risk seriously because it has hired or appointed a risk manager. The
risk manager then has the job of gathering information from all the line of
business managers, meeting with them to discuss their risks, and working
with them to provide ongoing risk-related information. This approach does
have some merit because it indicates that risk is taken seriously and is given
the support of management. If this is the only approach your business takes,
however, it can lead to isolated support for risk management, which at best
can yield only isolated benefits. Another danger of this approach is that line
of business experts generally only communicate their risk information rather
than taking responsibility for managing their risks: They report the information
up the chain and then consider their job done. They don't take responsibility
for mitigating and managing the risks; after all, they think, that's the risk
manager's job.
The systematic, enterprise-wide approach
Another way of thinking about the systematic, enterprise-wide approach is to
say that this approach means that the right people are thinking about the
right risks at the right time. The infrastructure and processes that have