131 / 148
CBIZ, INC.
BIZGROWTH STRATEGIES – SUMMER 2016 |
3
MICHAEL GALLAGHER
CBIZ Risk & Advisory Services
Houston, TX
713.562.1154 •
mgallagher@cbiz.comRisk identification can be done at the Board level,
management level or individual business unit level. Some
strategies to consider integrating into your enterprise risk
identification program are:
n
Facilitate a brainstorming session with key stake-
holders to share risks and current procedures. Invite
key stakeholders, such as Board members, manage-
ment and business unit leaders, to share the risks
they are aware of that may be unknown to others.
n
Conduct a SWOT (strengths, weaknesses,
opportunities and threats) Analysis to map
out current weaknesses and threats to your
organization.
n
Use information technology resources to scan for
potential digital threats against your organization.
n
Hire a third party to review your operations,
exposures and current strategies and identify ways
to improve them.
2. What emerging risks are we currently aware of?
Mitigation plans that are developed based on
identified enterprise risks need to remain flexible to
account for emerging risks. These risks can evolve
quickly and often destroy businesses that are not
prepared to face them. Some key risks companies may
face in 2016 include:
n
cyber-related risks and attacks
n
rules and regulations in foreign markets
n
growth and volatility in the global economy
n
talent management and succession planning
n
risks associated with third-party vendor
relationships
3. Does our existing reporting structure meet industry
standards?
How effective your risk management program
is depends on how effectively your organization
communicates. Risk reporting should be used to illustrate
success, failure and opportunity to key stakeholders.
These communications should be interactive, with time
built in for questions and discussion. If your organization
does not have a reporting structure in place, consider
establishing one to drive transparency. If you have a
reporting structure, you could benefit from benchmarking
your process and frequency against industry peers.
Enterprise risk management is an ongoing process.
Identifying and reporting risks a single time is not
sufficient to prepare an organization for potential
disruptions. It is important that Board members are
well-versed on the ongoing enterprise risk management
program so they can effectively provide guidance and
oversight to the organization. When a Board of Directors
takes an active interest in the company’s internal
controls, that organization is better equipped to meet the
challenges in its current environment.