Ten years have passed since the Sarbanes-Oxley Act was passed, creating a need for better corporate governance, compliance, and risk management. In that time, many steps forward have been taken in the name of better and more transparent business practices. However, despite this recent push, it seems to some that this effort has only created more risk management issues down the road. The main problem in most of these cases seems to be the lack of clear success on the part of these companies to adequately define risk. Instead of considering these threats on the broad, global basis that they should, they choose to focus too specifically on just a few select subsets. For example, those culprits can focus entirely on compliance issues and operational risks, both of which only represent a small portion of all risks, ignoring much larger threats at their peril.
It would seem then that, to be truly effective, companies should develop a comprehensive risk management strategy that tries to anticipate and prepare for risks in all possible areas and not just those that seem most likely, so that they do not end up unprotected in the face of a degree or another, this, however, would also be a tremendous mistake, another drastic problem that many risk management programs face is that they seek to be too extensive and end up being too spread out, being unable to adequately maintain enforcement of those areas that really matter more to a given company. If this were to happen, a company’s risk management program would essentially invalidate itself by overstretching its capabilities to the point of being useless.
A recent study looking at risk management in over a thousand companies found that the highest risk area that organizations should be concerned about, the one that has caused the most damage to most companies, is strategic risk issues. Ironically, this has also become one of the least considered threat areas among many companies. To correct this problem, companies will need to start by re-evaluating how they define risk factors by taking a closer look at how their organization is managed and which areas may present the biggest possible problems in the future.
Ultimately, the answer is moderate, thoughtful, and careful planning. The central tenet of any good risk management program, and the one that most companies seem to often overlook, is that such programs are a full-time responsibility that must be constantly monitored. and maintained. This will mean that a risk management team will need to be in charge of keeping track of all possible mitigating factors, to assess their relevance, severity and proximity, taking everything into consideration while being decisive and staying focused on those factors that They represent the greatest possible threat to the company. Done correctly, risk management is far from a simple matter, however the benefits it can provide by strengthening a company’s corporate governance practices and protecting it against any amount of undue loss are invaluable.