How one thinks about risk management in broad terms can determine what specific actions are taken. In the author's experience,
broad misconceptions can work against creating the mindset required to effectively implement integrated risk management. These include the following:
Risk management should focus on dire consequences only. Risks such as patient and environmental safety can involve significant financial costs, and avoiding them requires unequivocal
"must-do" decisions. But most corporate decisions are far more ambiguous and require a complex balancing of risk with cost,
revenue, and other issues.
All risks are bad. This belief often leads one to focus on risk elimination rather than risk management. In the end, however, nothing happens
without some risk being taken, and not every type of risk demands action. Risk management should focus on understanding risks and
establishing parameters for tolerance—that is, how much risk the organization is willing to accept.
Risk management applies primarily to cGMP concerns and regulatory audits. Risk management is indeed crucial for current good manufacturing practice (cGMP) compliance and for audits, and it clearly applies to legal and financial risk as well. But this narrow
view can lead one to overlook other key issues, such as the cost of resolving a risk once it has been identified.
Risk management ends at ranking and tracking. Many organizations use risk management to identify and quantify risks, once or periodically, and then assign responsibility for action
to business leaders. Essentially, such risk managers create a portfolio of risks, not of actions. As a result, business leaders
are often left wondering what to do with the data given to them. This approach can lead to risk managers being viewed as distracting
employees from "doing business."
The communication of risks requires complex formulas. Risk managers often become immersed in the "science" of their analyses. The most effective communication of risks should
mirror how an organization reviews its expenditures. The risk analysis becomes a part of the business case, including return
on investment (ROI), thereby presenting a clearer case for action.
Risk management should be an independent corporate process. Understanding risk is a fundamental part of running a business, but large organizations often take that to mean that risk management
must have a strong, independent role in the organization. A corporate risk-management group can track and communicate high-level
risks, define processes, track activities, advise colleagues, and lead other risk-related activities, but in the end, the
group is subordinate to the decision-making processes of the company. When functioning at its best, risk management is an
integral part of most decision-making processes throughout the business.
ROI and risk mitigation are separate considerations. Laboring under this belief, organizations can fail to see that investments in proposed mitigation actions have a calculable
return, just as other expenditures do. An effective risk-assessment approach combines these concepts into a single portfolio review.
The misconceptions outlined here are deeply rooted in much of today's corporate thinking. Correcting them is essential for
putting risk management into proper perspective and practice.