Risk management is best done in-house. Why?
Because regardless of whether administrative risk management activities are contracted out to a third party or not, the practical management of risk will ultimately still have to be conducted by the organisation. However, this does not mean that companies should start from scratch where risk management is concerned, particularly if they have no experience of it. They may want to consider availing themselves of risk management consultants’ expertise if they want to establish risk management systems in their organisations. This inevitably begins with collecting information about the organisation, an activity which underpins risk management training and execution.
In order to understand the organisation’s risk management requirements, a clear picture of the organisation needs to be drawn up, indicating its aims, objectives, resources, challenges, strengths and inadequacies. This necessitates a great deal of information, from as many areas as possible within the company, from Board level to pantry personnel, across departments and business units, from subsidiaries, contractors and suppliers up and down the chain. Feedback from stakeholder groups cannot be discounted, and the company also needs to be sensitive to what is trending in the general business environment.
Consultants can tell you what to look for, and maybe even where to find it, but how exactly to access it is another matter. Data gathering is crucial to the success of risk management, but it requires a certain level of human interaction that a consultant, with limited engagement with the organisation’s staff, may not have. Even with the best intentions, consultants may find themselves being thwarted at every turn. Data-gathering efforts may be further complicated by the silos which exist within the organisation. Staff who have been operating within silos may not even know how to operate outside them.
A major part of risk management also involves modifying organisational behaviour so that a risk management culture can develop in the long term. A consultant is inevitably viewed as operating outside this organisational culture. Because of the nature of risk management and the processes which it involves, a company has to “own” it, for it to be effective. Risk management is not a one-off exercise; it is an ongoing one that necessitates long-term commitment. For this reason, it is aligned with strategy, and has to provide the necessary support for the Board and management’s decision-making activities.
Some companies do outsource certain areas of risk management, such as staff training in risk management frameworks and processes, or initial awareness-raising of the need for risk management, but the company has to undertake its implementation and subsequent updating and improvement itself. This is particularly useful because it allows the organisation to learn about itself in an organic way. The information which emerges comes from the parties directly concerned; it is not second-hand information – this is complete, concise data with integrity. It shows the organisation’s unvarnished realities, the challenges which confront it, and where its shortfalls lie.
Even in the best, most supportive environments, effective risk management takes time to develop. It isn’t something that happens overnight. The people who make it happen have to feel invested in what they do. They need to feel that they are making a difference, and that what they are doing has value. They cannot do this if risk management is outsourced. The organisation may experience another disadvantage eventually: no internal risk management talent will be successfully developed because the organisation’s people will not feel invested enough in it. Considering that risk management is a long-term proposition, the organisation may well be short-changing itself if it decides to outsource instead of doing things in-house.