Many crazy glitches happen when no one is paying attention. It is imperative to establish a control framework that forces a regular check on the risks being taken and compares those to the limits that have been set.

In this process, you want to take the following actions:

The most effective way to build risk controls into day-to-day activities is to consider present risks and identify the processes where they are generated. Determine the source of the risk, and manage at that point. Undertake your root cause analysis before a risk event occurs, if possible.

Building these controls is a pretty straightforward activity. The key is to incorporate checks and controls into the business process. Make them as seamless as possible. Also, make your checks and controls sensible and easy to manage. If the controls and limits are based on concepts like unexpected loss, they may not work in the sales organization despite their fundamental soundness. This is because the administrators may not have access to the measurements.

For that reason, it is important to consider what is being implemented, who will manage and monitor it, where checks and measures will originate (if used), and if measures can be translated into information that’s useful to staff.

Now that the ways and means of building risk into business processes have been covered, what about the best approach to take? Try something like this:

Identify the key sources of risk.(Hopefully, you’ve come this far already.)

Group the risksinto categories of similar or identical locations.There may be several different types of risk festering in the same location. This is more common in divisions of your organization that handle customers, human resources, or production.

Consider the types of management and mitigation methods to use for each risk and group of risks in each category.Are there any similarities? Are there opportunities to combine these risks or groups into a broader risk management program for the sector?

Consider the business process.What needs to be changed or added in order to implement the mitigation? Are there new steps, such as a measurement or a check?

Generally, if you can identify a control or measure that can be managed early in the process, the likelihood of managing a risk before it further materializes is going to skyrocket. Limits and controls can be built into the process at key points of inception. That way, you can identify the challenge and make a quick decision on whether to take that risk.

A quick scenario helps to illustrate this point. Consider taking an order from a customer on credit. That order serves as the start of a potential risk or group of risks. However, it’s fairly easy to gather information about the customer at the time of order. You can identify creditworthiness using scorecards, describe the products, and make sure the products hide no key issues that could result in a potential lawsuit. From there, you can establish the right contract terms that ensure timely payment and expectations from your company.

There’s more. You can manage against several potential risks—all based upon the path you take with the customer. You can decide up front if you want to do business with that customer. Or you can set the terms. You might recognize that gaining this new customer or transaction will cause you to break one of your core limits. What price will you provide? Does the price cover anticipated risks? In some cases, you can even look at your performance measures and see whether the risk versus return results are in line with company expectations and targets.

Mitigation methods that can be built directly into the steps and flow of the business process are often the most successful. The challenge is that they may involve adding a new step to the process, which could cause disruptions and likely new requirements for training, education, and documentation.

Routinely monitor your risks. Try to understand how your risks change as you conduct business and further evolve when you take on new clients, add a division, begin a new product line, or acquire another company.

For each risk, ask yourself: “How often will these risks change?” Next, establish time-lines and methods for monitoring each risk. In your method, include the control and limits to be used as checkpoints.

If you possess measures such as expected loss and unexpected loss for each exposure, you can generally convert those figures into limits. Then you can rapidly check and compare exposures against the total amount of risk-related loss that the company can survive. Often it is easiest to list each exposure and check it against already established measures. Look for changes or trends in the exposures. Are they growing? Why? Is the company approaching a limit?

Checking and monitoring groups of risk is similar to checking and monitoring individual risks, except that the additional characteristics require additional checks. Consider how your risk groups combine and how the correlations among risks will be addressed (if at all). Monitor by type of risk, originating business line or department, or product or service type. Also consider who will be responsible for this measuring and monitoring. This leads to a new concept: the hierarchy of assurance.

A typical hierarchy of assurance takes a predictable shape when depicting organized risk management. Business department employees take responsibility for monitoring individual risks and small groups of risks in their respective businesses or departments.

In larger companies, they may be assisted by a risk officer. As groups of risk “roll up” within an organization, line management and perhaps higher levels of management swing into action. They take responsibility for monitoring across their spans of control (again, generally aided by risk people). However, they are looking for broader conclusions about the movements of risks. They are also more concerned about the coverage and effectiveness of controls. The funnel narrows even further at the final review point—the audit. This area of focus will be fairly narrow and generally wrapped around compliance.

The hierarchy of assurance shows how the greatest level of responsibility for monitoring risks and groups of risks falls with the common workforce.