SAP - TINET - Tarragona Internet

The risk manager’s role, then, becomes like that of another business owner,
helping the organization improve its wall-to-wall risk awareness and risk
management approach. The risk manager can also help develop best practices.

It’s important to send a message that risk managers support the corporation
in risk management, not that they “handle” risk management. Human resources
supports the organization with detailed information about health insurance
and the like. But employees have to file their own health claims and know
what coverage they have. Similarly, risk professionals support risk
management but they cannot possibly have the breadth of knowledge of all the risks
that people across the organization have. Risk is everyone’s job.

A systematic framework in place

Because you’re looking for consistency and comparability in your approach
to risk management, you need a systematic approach to gathering and
managing that information. One way to do this is by adopting an enterprise risk
management framework that leverages technology to collect, monitor, and
manage the key risk information. The important factor here is to put measures
in place that drive consistency so that everyone is not out there creating
apples-and-oranges spreadsheets that, though perhaps wonderful on a
departmental level, are impossible to compare with the kumquats-and-cucumbers
spreadsheets produced by another division.

This systematic framework also sets boundaries for the type of risk
management the company will do. It answers the following types of questions:

How quantitative does the analysis need to be?

Which areas of the business are we going to include?

Which types of risks are we going to monitor?

What are the key risk indicators associated with those risks?

Technology that creates a risk picture

The final component you need is a technology infrastructure that provides an
ability to manage and communicate all components of risk and response. A
good technology infrastructure should

Automate the collection, analysis, monitoring, and response of risk-related
information

52 Part I: Governance, Risk, and Compliance Demystified
