Nonfinancial risk has typically been addressed through one-off showcase initiatives triggered by a specific regulation or requirement, and left to experts in each field. Such principles as do exist typically focus on adhering to formal standards and on providing evidence that appropriate controls are in place. They are usually not embedded in the business but are instead delegated to risk and compliance departments, which have a limited understanding of how to manage risk and compliance within the business context.
In other cases, the business takes all the responsibility for managing risk, but without any link to the company’s formal compliance, risk, and control framework. Quality control, for example, is embedded in the day-to-day management of manufacturing organizations, but those responsible are not involved in determining enterprise risk, leaving a major gap.
Both shortfalls have led companies from all sectors to be caught off guard when failures occur.
Authors: Joseba Eceiza, Piotr Kaminski, Thomas Poppensieker
Source: McKinsey Quarterly
Subject: Risk Management
