Today, companies that want to deploy an effective operational risk management (ORM) programme face a number of headwinds. In recent years, rapid shifts have transformed the way businesses operate, particularly those in the industrial sector. Companies are now more global than ever, with larger and more complex supply chains. They need to manage an expanding list of regulations, and the explosion in social media means their activities are scrutinised more closely than ever before.
Most notably, it is increasingly difficult in today’s environment for organisations to secure adequate funding to ensure their ORM strategy continues as an ongoing programme. Research recently conducted for DuPont Sustainable Solutions (DSS – the consulting arm of DuPont) by independent consulting firm Verdantix found that roughly two out of every three organisations (65%) claimed lack of available budget was a significant barrier to securing funding for ORM programmes.
Based on this research, in which 75 senior leaders across eight industry sectors spanning 10 countries were interviewed to determine their perceptions of ORM strategies within their organisations, DSS recommends seven steps companies should follow to implement a successful ORM programme:
1. Get the backing of the organisation’s leadership. This is a critical first step. An ORM programme will only be truly effective if it is championed at the very top of the organisation. Roughly eight out of 10 companies (79%) say that accountability for risk management is assigned at the corporate level, according to the research conducted for DSS.
2. Introduce risk accountability across the organisation. Employees across every level of the enterprise need to be trained to incorporate risk-based thinking into their day-to-day activities and be held accountable for risks within their immediate area of control. Alarmingly, more than one-third (38%) of companies say that shop-floor employees are currently not held accountable for risk management.
3. Agree to timely risk assessments. Risk assessments help ensure companies comply with new requirements and keep risk management a top priority. The frequency of these audits should be determined by the unique characteristics of each company and its operational footprint. According to the research done for DSS, 92% of firms are conducting risk assessments on at least an annual basis. Reviewing and revising an organisation’s risk assessment on a regular basis allows the company to keep the risk profile up to date and to incorporate any relevant changes (economic, geopolitical, technology, workforce).
4. Quantify and prioritise risks. Managing an optimised ORM programme requires that risks are quantified in terms of probability and severity, and calculated in terms of the costs and benefits of mitigating a risk versus allowing the risk to remain as is. This enables mitigation efforts to be targeted most effectively.
5. Establish appropriate metrics and key performance indicators to monitor and assess performance. This is one of the most important steps in a successful ORM programme. It enables companies to ensure the appropriate effort and resources are expended based on the specific risk profile of the business. The research conducted for DSS shows a number of firms are already aware of the importance of this step and are supplementing the development of their metrics with advice from outside sources.
6. Implement consistent, well-documented and cost-effective controls. Such control measures are necessary to actively mitigate identified priority risks. While nearly all companies (98%) feel they already have adequate controls in place, only about one in four (27%) consider them cost-effective, suggesting an opportunity for them to identify better options for managing and controlling identified risks.
7. Reinforce the importance of risk management through regular communications. Establishing a regular timetable of communication on ORM performance is an effective way of maintaining engagement on the subject. Communications should be tailored to specific levels and functions of the organisation to address different priorities and focus areas.