Organisations must understand whether or not they are taking the right risks, whether risk is being managed effectively, and how to monitor risk-taking. A cavalier and uncontrolled approach to risk is a result of a poorly-defined corporate culture around risk, and may lead to disaster.
Some organisations acquire a lot of information but, because they never turn it into knowledge by understanding the context of their business risks, fail to make better business decisions. Risk is often completely disconnected from business strategy, objectives, and performance management.
Questions organisations should ask include:
- Does the business know its risk exposure at the business process level and operations level, as well as its aggregation to the enterprise level?
- How does the business know it is taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
- Can the business accurately gauge the impact of risk-taking and loss on business strategy?
- Does the business have the information it needs to take timely action to alleviate risk exposure, and to seize opportunities while avoiding or mitigating negative events?
- Does the business monitor key risk indicators (KRIs) across key systems and processes?
- Is the business optimally measuring and modeling risk?