Over on Commitment Matters, Tim Cummins recently penned a rather useful biographical post based on his time at IBM. The post focuses on building accountability and transparency around risk ownership. One of Tim's key tenets is that risk must be everyone's responsibility -- and it should be distilled to a level where everyone in the company understands it. In Tim's words, "Executive management must de-mystify risk and ensure that all employees and trading partners understand their responsibility for its assessment and management. Ignorance is not an excuse." Nor should the risk management process become a complicated consultant leave-behind. Rather, Tim argues, "Businesses must introduce risk management techniques that do not depend on experts and outsiders, but which every employee can understand and use."
Perhaps most important, Tim believes, "Responsibility and accountability for making good decisions -- and learning from bad ones -- applies equally to everyone in the company and its selected trading partners. And that accountability starts at the top." Unfortunately, many of the risk management programs that I see start off as executive-driven efforts that involve a broader group within an organization which might include procurement, finance, operations and, occasionally, internal audit types (especially around compliance risk). But if these programs survive, they rapidly become siloed efforts, run by a handful of individuals. Another challenge I see and hear about all too often involves companies that have put a systematic process in place to manage contracting and supply risk but don't know what to do when they detect a potential issue. The process "science" stops with risk identification, but beyond that, it's an art. Not exactly a recipe for results -- or accountability.
- Jason Busch