“When considering any contribution that risk management can make to the organization, it is important to decide whether the contribution will relate to strategy, projects and/or operations. The decision will enable the risk management activities within the organization to be aligned with the other business operations activities and imperatives.” P. 292
Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management (5th Ed.) by Paul Hopkin (Kogan Page, July 2018) provides a thorough and instructive foundation for anyone looking to increase their enterprise’s rigor around risk. By acknowledging and discussing critical contextual issues such as global finance, international regulations, corporate culture, and natural human responses to risk, this book sets the reader up for success - and empowers them to proactively and positively navigate the inevitable uncertainty we all work in the midst of.
In the Introduction, the author explains that the book was designed to support the curriculum of the Institute of Risk Management (IRM) certificate in risk management. That may explain why some sections read a bit ‘stiff’ or ‘cut and dried’ given the complexity and subjectivity of modern supply chain uncertainty.
Fundamentals of Risk Management makes clear that - like other enterprise initiatives and disciplines - risk management changes and evolves over time. In addition, there are multiple levels of risk, including the ‘everyday’ instability we deal with as individual professionals or encounter in our personal lives, as well as overarching risks like the financial crisis or terrorism. How we deal with those risks requires us to draw upon instinctive survival-based responses (flight) and also opportunistic (fight) reactions that allow our companies to benefit from risk situations with potential upside.
The sections from the book that I appreciated the most were those that addressed “risk culture”. This culture is a combination of shared perception, aligned behaviors, and commitment to the cause of risk management. A risk culture doesn’t just form on its own; it requires active engagement from leadership. Be sure to review the table on p. 287, which lists common risk management program implementation barriers and recommended actions.
There is a clear correlation between risk culture and risk maturity, and Hopkin defines four levels of risk maturity: naïve, novice, normalized, and natural. Communication plays a critical role in this maturity progression, and therefore establishing a shared or standard internal risk terminology to facilitate understanding ensures that the enterprise approach to risk management is consistent.
Also of particular interest is the discussion of Sarbanes-Oxley in the chapter on risk reporting. It highlights the critical divide between requirements that increase the confidence of the public and investors and those that actually change the priorities of executive leadership.