Corporate risk comes in many forms: regulatory compliance rules, hackers, rogue employees. These risks can potentially penetrate every level of an organization, making communication of the threats -- and the strategy to offset them -- vital to business success.
William J. Montanez, director of risk management at Ace Hardware Corp., says communicating risk strategy to the entire organization is "absolutely essential" to overall corporate risk management success. The head of Ace Hardware's risk management strategy, Montanez last month was featured on a panel discussion on the importance of communicating risk to boards of directors at the Marcus Evans Enterprise Risk Management Conference in Chicago.
In this Q&A with SearchCompliance.com Editor Ben Cole, Montanez discusses how companies can improve this communication, and how other current corporate risk management trends are influencing business operations at most companies today.
How can a company foster communications throughout the organization to ensure the risk management strategy is on the right track?
William J. Montanez: It has to be repeated often, it has to be a simple and concise message, and it also has to be done in different media: newsletters, emails, informal comments to employees, and more formalized presentations to the board and management. I think it's a variety of different methods and strategies.
Every company has different levels and different generations in the workforce. Some generations are more comfortable with electronics, some of them are more comfortable with print, and some of them learn better by communicating face to face. We all communicate in different ways and are more comfortable with different media, so it's important that we try to use as many of them as possible.
Are there any universal characteristics of a solid risk management strategy, or does every company have different risks, making it difficult for a one-size-fits-all approach?
Montanez: When you get down to the granular level, you do have to know the company and its products, its philosophy, its culture. But I think at the 50,000-foot view, there is a framework you can use for risk management strategy. It's really going back to the traditional management process: First you identify what the risks are, you assess what the risks are, you evaluate what the risks can be. You monitor it and identify the results to see if it is working or not. It's really a circle, but I think it's important that people understand it's not a static situation, it's a dynamic situation -- any risk is going to be dynamic. You have to monitor the results.
Is there a way to measure the effectiveness of a risk management strategy, or is it just a matter of 'nothing is going wrong, so we must be OK'? In other words, are there risk management metrics or ROI characteristics that can be put into practice?
Montanez: It depends on the risk you are trying to measure and trying to control. If it's financial risk, there are key risk indicators that you can use. Depending on the individual company, there are key risk indicators peculiar to that company.
Some of the risks that are a bit more challenging to put a number on are more strategic, such as technology innovations, regulatory changes, changes in social media -- you can put metrics around it, but it is much more challenging. On a more strategic level, you can measure the trends but not necessarily the trigger points of them. Sometimes it's difficult to determine whether that change is just a trend, or whether it's going to have any real impact on your company.
With so many regulatory compliance mandates out there right now, do you think that is having a big influence on risk management processes?
Montanez: Definitely. Some industries more than others -- obviously the financial industry is drowning in controls right now. The insurance industry is going through some changes as well, as they try to conform more to international standards. Some sections of manufacturing are also going to have some challenges when it comes to consumer advocacy, consumer information and recalls. Regulation is going to come fast and furious, and that could have a significant impact on companies.