As risks associated with technology and cybersecurity have increased in the last decade, it is more imperative than ever that corporations undertake the proper protocols to protect themselves.
When it comes to implementing risk management processes, many assume C-level executives head up these efforts, involving key departments throughout their organizations. According to a recent study conducted by NC State’s Poole College of Management, however, 80% of organizations surveyed from all over the world have no formal risk training for executives.
A quick look at recent headlines shows how quickly a cybersecurity incident can damage a corporate brand. Many companies that have recently experienced data breaches also have been exposed by the media because of ineffective or nonexistent integrated risk management strategies. This can be for a variety of reasons, from executives trying to hide the breach to the belief that they can resolve the issue before it grows into something larger or, possibly the worst of the options, they are not aware that the breach is even occurring.
So how do we make risk a priority for executives? In my opinion, it comes down to properly re-framing the mindset of executives around risk through effective education and training.
Educate executives on risk types
When it comes to business, the term “risk” generally produces negative connotations, causing many to avoid addressing the phrase—and the issues—altogether. From workplace injuries, data breaches and even social media nightmares, risks tend to mean trouble for executive teams. The reality, however, is that not all risk is bad. Thus, executive teams must be able to distinguish good risk from bad risk.
What constitutes good risk? Simply put; proactive risk choices that benefit the company. These can include exploring emerging markets and growth opportunities, expanding operations into new product areas and even partnering with new vendors. While these risks can produce negative results, given that they are actively pursued by leadership teams shows that they are intended to better the company and its employees.
Executive teams need to understand the differences in positive and negative risks and their larger impact to their organizations. Specifically, understanding multiple risk types exist can change the approaches your management team takes to recognize and address risks, which will echo throughout your organization.
Train executives on how to address negative risks
Executives must realize negative risks are unavoidable. Because negative incidents will happen, executive teams must learn how to bring proactive approaches to managing these speedbumps in daily operations. Thus, formal training programs should be implanted to educate executives on proper risk management.
Training programs should include internal and external communications strategies, both with positive and negative risks, remediation strategies for negative risks and provide tips on how leadership teams can be risk thought leaders throughout the organization.
Remember, an executive team that places value on proper risk management planning and training will produce a similar culture, enterprise wide.
This will allow organizations to more proactively manage risks before they snowball into larger issues, ensuring long-term success.
Consider creating risk committees
Since all C-level executives are crunched for time, risk management often falls to the back burner. In many situations, I’ve found it beneficial for the C-suite to create corporate risk committees. Designed to reduce the burden on corporate executives by providing an advisory board to report on risks, corporations can benefit from dedicated professionals examining risks throughout the organization in areas including IT and operations.
These committees serve as an extension of the C-suite and can create better transparency, while providing informed insights to help leadership teams make better, more educated decisions.
Remember the importance of a top-down approach
No matter what approach you take to educate your executive team and get them more involved in risk management, corporations must remember enterprise risk management requires working from the top down. As risk professionals, we must do our best to gain leadership buy-in and conduct enterprise-wide training to stay ahead of risk. If NC State’s study has taught us anything, it’s that we still have a lot to learn.