Verizon Perspective:
The Business of Risk Management
About this POV Series:
Verizon provides industry-leading IT, security, and communications solutions and consulting services to
businesses, government agencies, and educational institutions around the world. Working closely with a variety
of multinational corporations, we’re in a unique position to observe, note, and analyze many of the trends
impacting global enterprises. In this paper, one in a series of point-of-view (POV) papers, we focus on one of the
critical business issues confronting CIOs and other executives, and examine the best ways for them to respond.
Identifying risk and prioritizing risk are standard
practices for all enterprise organizations. What’s changed
dramatically is the environment around us. The advance
of technology, the accelerating pace of business, and
exponentially greater degrees of globalization and digital
connectedness all contribute to the growing complexity
of threats and opportunities facing organizations today.
More and more, enterprises are recognizing the
importance of managing all forms of risk—and their
interactions—in a structured way across the organization.
Unfortunately, many fail to understand that implementing
risk management software will only get you so far.
Human behavior must be taken into account when
evaluating the effectiveness of any risk management
program or activity. Incentives and controls are necessary
to motivate decision making in the best interests of the
organization, rather than personal considerations, which
can lead to overly aggressive risk taking—or avoidance—
by key individuals within the company.
Risk and Reward

Business thrives on balancing risk against opportunity.
Organizations that push the boundaries of risk and
explore the margin with some degree of comfort usually
outperform their rivals. The trick is to clearly define your
organization’s risk appetite, and then manage against it.
The most effective risk management programs focus on
managing data and behavior to ensure that the right
decisions are being made in all areas of the organization.
Imagine a company that decides to pursue a new business
initiative that relies heavily on partners. Non-disclosure
agreements are required for each company they want to
talk to during the vetting process. Contracts must be signed
before any activity can begin. Lawyers are brought in to
make sure each company is protected from harm in the
relationship. Reviewing contracts and non-disclosure
agreements is a time-intensive process. Each redlined
change creates a new review cycle between lawyers on
each side. Some negotiating points are critical to the success
of the relationship; others are less important. Companies
struggle to get through the process in time for partnership
activities to have maximum impact in the market.
The analysis should always be centered on risk to the
organization, but too often business decision makers
unwittingly push for or resist changes because of potential
risk to themselves. Lawyers are trained to protect the
company against any potential negative outcome of the
agreement. Business leaders weigh the potential revenue
or profit loss associated with a specific negotiating point
against the total value of the relationship. Too often, an
organization’s people unknowingly negotiate against the
company’s own best interest. A potential loss of $1
million due to a situation that’s occurred 2 percent of the
time in the past seems like a reasonable risk to take on an
opportunity with $20 million in profit.
Being responsible for losing a million dollars of the
company’s money is a frightening prospect for a staff
lawyer who worries that it could potentially cost his or
her job. To the business owner, the small risk of losing
some of the profit is negligible compared with losing the
contract. To resolve this conflict, consider putting a
system in place that allows either the business owner or
the lawyer to create an “immunity” form.
When one party is pushing and the other (in the same
company) is worried, either can create a short document
that clearly spells out the potential liability and also
expresses the expected benefit. Both parties keep a copy
and a third is put in a mutually acceptable place. If a loss
occurs, each party is protected from recrimination,
simply because they thought it through and documented
their thinking. This process has proven to be very
effective in various industries. Pilots routinely fill out a
similar NASA Aviation Safety Reporting System (ASRS)
form whenever they make operational errors. Doing so
provides a similar immunity function by protecting them
from most punitive consequences, and pilots are able to
provide critical operational data that helps drive overall
system safety.
A similar process could also be applied to business
decisions that create risk in terms of data integrity or
information security. Between IT and the business, who
owns the risk and the liability if something goes wrong?
This is something to carefully consider and proactively
manage to keep initiatives from bogging down in
functional disputes.
Toward an Enterprise View

One promising approach to managing risk consistently
across the organization is Enterprise Risk Management
(ERM). This isn’t a new form of risk management. It’s simply
a recognition that risk comes in many forms and the most
appropriate response is open to some interpretation.
Looking at the interplay between operational, financial,
and strategic risks within a business unit provides an
additional layer of insight that isn’t possible when risk is
discussed and managed in functional silos.
Done correctly, Enterprise Risk Management could be
one of the most transformative things a company can do
to improve business performance. But ERM is not about
software. It is about transformative decision-making.
With an ERM approach to a risk-based decision, risk
identification and the management of that risk must be
embedded throughout the organization. Managers and
even line personnel need to develop the ability to
identify roadblocks, opportunities, or hazards that could
interfere with strategic organizational goals. Teaching
managers how to evaluate risk to the company, how to
evaluate relative risk, and how to remove themselves
from the equation can be an effective driver of both
empowerment and increased success.
The challenge we see is that many companies are
focusing on the IT issues related to ERM data management
and analysis. It’s tempting to focus on data and software
because this is familiar territory. However, the real work lies
in understanding your staff’s current behavior related
to risk-taking and changing it so they make better
decisions on behalf of the company. It is about training,
empowerment, and trust in operational risk. Risk aversion
often costs the company significantly more than most
managers believe because it slows decision-making or
sacrifices opportunities—and ultimately revenue. Learning
to trust risk-based decision models and to accept
inevitable but occasional losses at the cost of larger gains
can be empowering to the whole organization.
So, it comes down to training and incentivizing people in
the organization to change the way they approach
decision making. We consistently stress this to clients
who look to our solutions to improve data flow, integrity,
and/or integration for Enterprise Risk Management.
Implementing an ERM system isn’t going to improve
decision making if internal cultures and behaviors
aren’t addressed.

All businesses are susceptible to losses from uncontrolled
risk. However, those risks can be managed effectively in
order to exploit new opportunities and reduce negative
impacts. To achieve better risk management, organizations
must do more than rely on better information management
and stronger analytics capability. They need to establish
clear lines of accountability and incorporate training and
incentives into the overall risk management process.
