5 reasons why you need an enterprise risk management plan and how to create one

Let’s broaden our scope beyond a project or software testing and discuss the health of your organization. It doesn’t matter one lick what kind of business you’re in, and I think you will discover several aspects of this article that apply directly to you and your organization.

First, risk is real: things happen outside of our control every day, but having the foresight to know those risks, and a plan to avoid the ones that are threats to you, will ensure you prevail against the unknown more often than not. From manufacturing to medicine to finance, and every kind of enterprise in between, everyone needs an enterprise risk management (ERM) plan.

What kinds of risks are there?

In today’s business world, evolution never stops, so it is not surprising that risk evolves along with that progress.

Costs of a risk: a quick note

All risks have a financial impact that should be assigned an opportunity cost based on that impact, be it additional profit or lost sales, increased operational costs, or liability to yourself, your customers, and your employees. So whether or not you consider a threat to be purely financial, you need to assign it a financial cost for the case where it is realized (meaning it actually happens).

Five benefits of an ERM Plan

As organizations complete their ERM planning, they often uncover a number of benefits associated with the exercise, everything from increased profitability to faster time to market. Owning and managing risk as part of normal business operations means you’re in a much better position to succeed. So given all that, let’s focus on five benefits experienced by most industries:

1. You’ll have a risk-conscious culture

Going through the process of transforming your culture into one that respects the nature of risk, and is equipped both to make the “good risks” happen (called opportunities) and to keep the “bad risks” from occurring (called threats), leaves you at the end of the day with an organization that is more naturally capable of being successful. That’s because having an enhanced awareness of risk gives you greater insight when making decisions.

2. Standardized reporting of risks

An ERM plan facilitates a structure and process for risk management, so you’re better able to report on identified risks at various levels of the business, and with more time to be able to effect change.

Note: even a basic but standardized risk report gives you the tools to improve the focus of your leadership. The key here is to provide leaders the data around the likelihood of the risk occurring, the impact of the risk, the cost associated with the risk, and the steps you plan to take to ensure the risk either happens (for opportunities) or doesn’t happen (for threats).

3. Improved focus and perspective

ERM plans provide a comprehensive view of risk, alerting key leaders when the company’s risk profile changes. Used effectively, ERM plans provide a framework to evaluate risk positively as a competitive opportunity.

4. Resource efficiency

A welcome byproduct of developing an ERM plan is that you typically find yourself with more time and resources on your hands after the plan has been implemented. The old adage “an ounce of prevention is worth a pound of cure” holds true, and by building an ERM plan you’ll find you have much more capacity to run and grow your business.

5. Coordinating regulatory and compliance matters

With an ERM plan in place to identify and monitor/control risks across the organization, you’ll find that data is ready and available to reviewers on request. You like short and easy audits, right?

Start crafting an ERM for your organization

Implementing an ERM is no easy task. It requires the help of senior leadership to define the scope of the ERM to start, but expect lots of iteration as the plan spreads downstream to the operational teams. Senior leadership must also communicate the importance of enterprise risk through the organization.

Aligning the ERM plan with your business strategy and next steps

Starting your risk assessment with the organization’s strategic plan in mind is an excellent approach. Just make sure that your ERM plan aligns with the mission, vision, and core values of the company.

Then after you’ve identified the risks, the next step in your journey is to assess each risk and determine how to either mitigate it (if a threat) or capitalize upon it (if an opportunity). Remember to rank your risks based on the dollar value associated with that risk. Opportunities are positive (ex: you win the lottery, +$1MM), while threats are negative (ex: you tear your ACL, -$35K).

Software development has a lot of risks to your business too

In a development project, software QA plays a significant role in identifying and managing risk, be it to the viability of the product, the business process the code supports, or the dev team who’s always under pressure to deliver.

Some QA firms don’t look at risk at all, and others don’t manage it effectively in their engagements, but at Lighthouse Technologies, we’ve packaged our risk-based testing methodology into our standard service offering.

When you work with us, we’re able to not only manage the risks associated with your development and QA work but also tailor our approach based on our risk assessments, so you get the most impact from our work together. For example, weak or fragile portions of your code get tested more, as do the most heavily used portions.

It’s an approach that others in our industry haven’t done and can’t do, but we’ve mastered it, and with this method we’re able to help you not only ensure your production releases go out on time and your audits go smoothly, but also make it easier and less painful to go through those events.

So if you made it this far in the blog, I want you to call or email me (Jeff) and let’s have a conversation about the risks you face and how things, in general, have been going lately. Whether we end up working together or not, I’d like to set time aside to hear from you and offer some solutions.
