Risk management: achieving the value proposition.

• Author: Wallis, Paul

[ILLUSTRATION OMITTED]

Risk management is more than preventing bad things from happening. Properly implemented, it can provide strategic and operational opportunities by focusing activities on what is important to an organization. Risk management creates value by providing opportunities for process improvement, controlling the risks that can hurt the organization most, breaking down silos, and helping the organization achieve its objectives. It empowers employees by better defining the risk framework management and staff work under, thus supporting more timely decision making and the potential for managing issues before they become problems.

Not all risk is bad. While we tend to focus on the negative when considering risk management, risk is in fact the chance of something happening that might have an impact on a jurisdiction's objectives, and it can be bad or good. In fact, as the economic situation requires managers to be more creative in dealing with budget issues, risk can be an important tool--risk and innovation are inextricably linked.

In the public sector, there are great opportunities for streamlining processes and being more strategic in meeting citizen needs. Accountability, however, remains a major issue. Citizens expect top-quality service, quickly, yet they also want to be sure taxpayer money is well managed. These conflicting objectives can mean spending more on processes to manage certain risks that would have less of an impact in private-sector organizations--for instance, expense reporting, procurement, travel, and training. The public then perceives the enhanced oversight as increased bureaucracy and, to some extent, trusts government less because of it.

DEFINING RISK AND RISK MANAGEMENT

Risk can simply be defined as the effect of uncertainty on objectives or outcomes. Risk management refers to the coordinated activities used to direct and control an organization's response to risk. Effective risk management, also referred to as enterprise risk management or integrated risk management, is holistic, addressing risk that affects the organization as a whole. Risk can arise from internal or external sources, including an organization's inability to achieve its objectives, client dissatisfaction, unfavorable publicity, threats to physical safety, security breaches, mismanagement, equipment failure, and fraud.

An effective risk management initiative includes the following attributes:

* It is a coordinated activity.

* It supports business objectives.

* It is strategic.

* It is a process, part of the organization's fabric.

* It supports informed decision making.

* It provides reasonable assurance (because risk is not eliminated but managed).

An organization that understands risk and risk management can take advantages of opportunities that present themselves; in this way, risk management can be a value proposition (see Exhibit 1). For example, processes and controls can be rationalized, and activities focused on the key risks. This enables a more holistic and informed view of programs, services, and processes.

Successful risk management is a combination of and careful balance between two key components: risk and cost. Assuming that the questions in the risk and cost columns can be answered positively, the potential value of risk management can begin to be realized.

KEY SUCCESS FACTORS

Many public-sector organizations realize the benefits and value of risk management, applying a variety of techniques. Good risk management frameworks are available...