From Risk Management to Risk Leadership

Almost daily we hear of new cyber security lapses, which are increasingly dangerous in our digital age and may affect all aspects of our operations from finances to employee records.  For this reason, it is imperative “to embrace risk leadership rather than just risk management,” said David O. Renz, in an article in Nonprofit Quarterly. Renz is the director of the Midwest Center for Nonprofit Leadership at the Department of Public Affairs in the Henry W. Bloch School of Management at the University of Missouri-Kansas City.

At an Institute of Risk Management (IRM) seminar this past June, various experts met to discuss just how “the role of the Chief Information Security Officer is evolving.” According to IRM, “risk management involves understanding, analyzing, and addressing risk to make sure organizations achieve their objectives.  It must be proportionate to the complexity and type of organization involved.”  They also point out that “risk is inherent in everything we do,” so the type of roles undertaken by risk professionals are incredibly diverse. They include insurance, business continuity, health and safety, corporate governance, engineering, planning and financial services.”  In other words, all aspects of our operations.

At The Fedcap Group we schedule regular, in-depth discussions about risk working to fully understand the nature and make up of our organizations’ risk profile.  Every discussion is intended to raise awareness and sensitivity to the potential risks in all areas of operations.  We have even devoted an entire module or our Leadership Academy to the concept of Risk Management with board members serving as guest faculty.

Our staff is the first line of defense, so risk awareness training means that with their daily dilligence, they are helping to protect the entire operation.  Our mantra has become “If you see something, do something or say something!”  Just as every person within the organization is a leader—every person plays a pivotal role in understanding and managing risk. 

MITRE CORP has developed a detailed risk management plan of “21 Musts” including a management culture that must encourage and reward identifying risk by staff at all levels of program contribution that I found very helpful.  (See link below).  In it the authors stress, and I agree, that risk considerations must be a central focus of program reviews, risk management must never be outsourced, and technology maturity and its future readiness must be understood.

As pointed out by David Renz, “delay or failure in responding to risk, positions an organization for an even riskier course.”