Time to put risk to work to fatten your bottom line. Integrate risk management into all aspects of your company. Three of the most important areas in which to integrate are your governance,your organization, and your culture.

Someone must keep an eye on your risk management programs and status. Realistically, the impetus for managing risk comes from the top, because risk management is a supervisory task that requires regular decision-making. Governance becomes a key part of making sure that risk capabilities are implemented and developed as intended.

Transparency is key to governing. You want to develop a clear understanding of what you’re measuring, how you’re measuring it, and the outcomes and implications of your findings. You also want to oversee and evaluate how your risk management actions and decisions are being carried out.

Strong, progressive governance creates and sustains momentum. You’ll know when you have momentum; there will be a seamless interchange between your business and risk management practices. You address new risks, implement the prevention and management approaches that you identified and agreed upon with other decision-makers, and ensure that the processes and risks are monitored. Momentum-based governance also supports a continuous improvement mindset, creating active and ongoing interest from the top. Of equal significance, it also gives everyone, especially senior management, a clear line of sight on what is going on within the framework of risks and the programs that are relying on their mitigation.

As it pertains to risk management, your organization is an enabler (in the positive sense). After all, how else do you implement risk management without your people? The old adage about people being a company’s greatest asset certainly applies to risk management.

The culture you and your staff create will enable your risk management approaches to succeed. Your staff will implement the programs, help identify risks, and support (if not actually conduct) the measurement, mitigation, and monitoring of risks. They also are the means by which you establish a culture that embraces risk management capabilities and creates greater risk awareness.

When risk management implementation goes well, the organization can support the delivery of capabilities and the development of the right risk culture. This happens while the organization reduces its sources of risk and lessens its overall exposure. When implementation goes poorly, the exact opposite effect will result—a negative, often backstabbing culture that doesn’t achieve its objectives. Your employees not only serve as the drivers of your risk management approaches, but they can also become a big potential component of operational risk.

Developing a risk culture is one of the most important things you can do to manage risk. The way in which key decision-makers view the relationship between risk and the company defines the tone and spirit of the culture. Like any culture, yours thrives only to the degree in which everyone contributes to its success, and every company has its own nuances when it comes to risk. Some organizations foster and do very well with high-risk cultures and activities (e.g., financial trading firms). This can be fine as long as you are aware of the consequences and what they mean with respect to your investment in risk management. Other organizations are inherently risk averse (e.g., regulators). By looking at a map of industry risks, you can determine where you stand. Being in an industry with high risks doesn’t necessarily mean that you need to be more aggressive (some of the most successful companies are conservative players in high-risk industries), but it does help to understand the range of potential behaviors that you—or your competitors—may consider in order to be successful.

Consider the type of culture that you want to foster within your organization. Now consider how it pertains to risk. Does your culture foster a risk-aware environment? If not, should it? Next, consider how your team perceives risk.

You can go a long way by simply making people aware of risk and the issues that it presents. This alone can be one of the best risk mitigation methods.

Ten factors matter more than any others in the development of a risk culture. The level of urgency with which people understand and manage risk depends upon their views of these factors:

Overall, the bottom line comes down to two questions:

Daily operations and processes are to your company what the heart and lungs are to your body: the driving force that makes it functional and successful. Consequently, this is one of the areas where the rubber really meets the road when it comes to applying risk management capabilities.

There are several ways in which working risk into your business processes makes a big difference:

You can manage risk when and where it happens. You can identify risks more quickly and prevent or mitigate them more effectively. If they do materialize, you can identify the root cause more efficiently. You support continuous improvement as an integral part of the risk management process.

Risk management becomes cheaper and more effective.When risk management becomes part of the business process itself, it is easier and less expensive to manage. It is also more effective.

Risk management information can be used to optimize processes. This can happen in many ways, which will be discussed in greater detail in Chapter 20. By building information about risk into your business processes and decisions, you optimize your processes. Consequently, you can make decisions more quickly, target customers more effectively, and price customers relative to the risk that they bring to your company.

Risk information can improve workforce management. You can build risk-adjusted return measures into your remuneration system and performance monitoring approaches. By doing so, you give people incentives to generate the sort of outcomes you seek—optimizing profit on a risk-adjusted basis.

Your overall risk management approach is determined, and you have made the proper analyses and evaluations. The overall program is so thoroughly integrated into your business that daily risk management duties feel no different from any other tasks on your routine to-do list. Good for you! However, there is one area of business process that always changes, always poses new challenges, and therefore must always be addressed to ensure stability: new projects. In day-to-day management, the project environment is considered to be its own microcosm. You must use the entire risk management process but focus it narrowly on the execution of a single project.

Risk management can be applied to new projects in two ways: as part of strategic decision-making and as part of day-to-day project management. The aim of strategic decision-making is to understand the potential strategies and initiatives that support the long-term objectives of the company, both in terms of the return and growth they bring to the company and the risks they carry.

Applying risk management to new projects helps determine whether or not the company should move forward with the projects. It also helps stakeholders understand what needs to happen to improve the likelihood of strategic success. This can be as simple as building in some mitigation strategies, such as capital buffers. You could also try more sophisticated analyses, such as looking at different approaches and implementation paths and evaluating the trade-offs associated with these options from return, growth, and risk perspectives.