A large water utility decided to develop and implement a corporate risk management program that could identify and manage the top twenty-five risks across the organization considering three focus areas: corporate, operational and asset risks. The team included internal leadership members and sponsors, including the chief operating officer and director of finance, and several consultant teams, including a university that specialized in corporate risk.
The team did some research on risk at various levels within most large organizations and often found no connectivity between these three areas of risk, but rather silos of risk management within them. It was quite interesting to see this, so the team went forward and developed a methodology to try and rank the three areas with a common risk allocation framework. They held a few individual interviews with folks from each of these three areas within the organization and found all were very interested in having a line of sight / alignment from the asset risk through to organizational and up to corporate risk. It was quite eye-opening that nothing had been done to this date. So, the team held upwards of eight group workshops with various departments within the company to test out the methodology around categorizing and scoring risk across those three main areas. The last few workshops were held to review the data and then go back to test assumptions with various team members. All agreed that the framework was generally useful and could make a big difference. The organization then identified a risk leader and a risk management team, including a monthly management framework where risks would be reviewed and come on and off the list so there would always be a list of twenty-five that was being actively managed.
A formal report was developed, communications performed, and roles / responsibilities assigned. They were off to a great start. Unfortunately, and within a few months of each other, the owner of the new corporate risk management program submitted for early retirement and the chief operating officer resigned for a new job opportunity. Due to these changes, the program came to a halt and has never been resurrected. While loss of key customers was captured as a high corporate risk, loss of key staff was never captured as a risk! So, an important lesson learned is to ensure that key staff and appropriate succession planning are part of a corporate risk management program.