Cutter Consortium
30 October 2007

Setting Up a Full-Service Risk Practice

A few tenets of faith on risk management:

  1. Risk management is a comprehensive evaluation of what may or may not go right within an organization, and a series of actions related to that evaluation.

  2. Risk management is the challenge of establishing a common vision of when and how an organization should react and respond.

  3. Risk management is a full-service business.

The implications of "full service" are not limited or limiting. They open the door for interpretation and for inclusiveness.

Think about the last time that you went to an auto repair shop. You may have gone to an oil change shop for an oil change, or a tire warehouse for a set of tires. You did not expect them to charge the air conditioner, replace the tires, change the oil, and fix the leak in your window. Full service is a rarity in today's service environment. In an economy of specialists, fewer and fewer organizations and individuals take pride in a "do-it-all" kind of attitude. And those who do try to do it all often find themselves in the quandary of not doing it all well.

Enter risk management. There's financial risk management, project risk management, organizational risk management, and security risk management. There are qualitative and quantitative approaches. There are different flavors of risk management blended with quality, such as DMAIC and FMEA (failure modes and effects analysis). Does any organization need all of those addressed at full force at once? Probably not. Nevertheless, it's a nice thought that we might be able to address them to a reasonable degree on an as-needed basis. It's also a positive when we can take a more holistic perspective on risk, rather than a specialty-by-specialty perspective.

Creating a full-service risk practice does not mean that specialties in risk are surrendered. My wife, Nancy, is a certified public accountant. She's the financial brain of our organization. When someone has a question about the implications of things financial, I turn them over to her. Similarly, when my full-service auto shop explained that Ted would be doing my tires but they had to wait for Bill to recharge the air conditioning, it made perfect sense. In risk, we need to identify our resident specialists so that we can become full-service operations.

In order to be truly full service, however, there must be some elements of commonality. Common vision, common understanding, and common tolerances for risk need to be clearly established. Perhaps more important, common modes of communication need to be instituted to ensure that the varying perspectives on risk don't serve to muddy the waters with our personnel, our peer organizations, and our customers.

The worst-case scenario is reminiscent of a trip to the auto shop where the front desk tells you that you need tires, the back office says you need a balance and new valve stems, and the technician tells you that someone used the wrong product the last time your tires were changed. Oddly enough, all three are telling you the same thing, but you're not hearing it that way.

Risk "full service" is best achieved when there is a single face (or at least a common voice) to the customer, communicating the information from our specialists. That person has to be well informed as to the language of the various risk areas and needs to be able to ask the right questions of the specialist. Beyond that, the face to the customer needs to be able to translate the technical aspects of risk into plain language.

Setting up a full-service risk practice means that specialists need to know who they are and the customer interface needs to know their role as well. Each person has his or her specific duties and should be cautious not to step over the line. The process is one that takes full advantage of some of the other risk practices discussed through the past few years in this column.

  1. Establish a risk language

    Come up with a language that others can understand. This doesn't mean "dumbing down" the risk language, but it does mean that it should be something with a common set of plain language terms, still adding a sense of the quantitative to the qualitative issues of risk. Be sure that when people say "high, medium or low" risk, they have a common understanding.

  2. Establish the lines

    Clarify the boundaries for risk behavior. Ensure that those around you have a common understanding of the conditions that will cause you consternation and those that are not worth worrying about.

  3. Establish the communications channels

    We all have to learn to take bad news. The problem is when it comes in eight different forms from nine different sources. If we have ensured that the "risk voice" of our project is one that is somewhat sterile, easy to accept and understand, and a voice of authority, there's less likelihood that those receiving the message will misinterpret it. There's also less of a chance that those receiving the message will believe it can be adjusted based on how hard they push for a change in interpretation.

Envision your last customer service experience of any type with those conditions. Imagine that everyone in the organization had the same information, the same message, the same understanding of the limitations, and the same data to share. It's a clear enhancement. It's also the epitome of "full service."

I welcome your comments on this Advisor and encourage you to send your insights on the market in general to me at cpritchard@cutter.com.

-- Carl Pritchard, Senior Consultant, Cutter Consortium
