Risk Management Project: Where Do I Start?

Thomas Frénéhard

Part 6 in the “Controls and Risk Management” series

Whenever I talk to customers who decide to embark on a risk-management project, wherever they are in the world, one question always kick-starts the conversation: So, where do I start?

As a matter of fact, when writing this post, I was kicking myself: Why didn’t I start my blog series with this topic? I think it’s because we all want to see the results of a project and invite people to the housewarming party before we even lay its foundations.

For all risk-management projects (or any strategic project where information is the outcome), I believe that there are defined phases that must happen in the following order to be successful.

1. Assess your current situation

This first step is fundamental. This quote from Abraham Lincoln sums it up well: “If I had eight hours to chop down a tree, I’d spend six sharpening my axe.”

For risk management specifically, I think this can be summed up by understanding the current maturity level of your organization. Is this process being managed informally, with risks identified and mitigated in an ad hoc manner and reporting happening manually? Is the process already at a basic stage where identification is formalized and accountability is assigned for risks and mitigation strategies? Or is the process structured or even optimized, where remediation is workflow-driven, losses and indicators are tracked, automation is used for aggregations and reporting, and so on?

2. Formalize your requirements and priorities

Once you know where you are, you can decide where you need to go. Here, I like to use the intelligence cycle, as I find it very appropriate.

  • The first step is to define the requirements and the planning to ensure that all stakeholders have shared their interests and the associated timeline describing the scope of the project.
  • Then you can progress to defining the collection of information – how will the information be gathered? By whom? And so on.
  • Once both these steps are formalized, I suggest progressing to defining the analysis and exploitation – who are the experts to be involved in the analysis?
  • Last but not least, dissemination – what types of reports are required, who will receive them, and how frequently?

3. Communicate the scope and road map

Now that you know what information is required, by whom and when, and also how it will be collected and analyzed, it’s time to design the process and ensure that it flows continuously.

If you’re thinking about a software solution, this is typically the stage where you define the modules and the workflows that will be used immediately and the ones that will be activated later.

4. Deliver the expected result, and get on the success highway!

If your communication is clear and the expectations are set, then you should be on the best path to a successful project.

If I could summarize my recommendations into a few bullet points, they would be:

  • Plan, plan, and then plan some more
  • Understand the needs of the different stakeholders
  • Identify where you are today, and where you want to be in the future
  • Define a clear road map with set success milestones
  • Keep an open communication channel with stakeholders to keep them informed and on board continuously

Can you think of any projects that failed in your organization? What steps were missed? I’d like to hear from you about additional ways to improve project management and manage project risk. Contact me on Twitter @TFrenehard.

If you are interested in hearing more about this or just having an open discussion, please come see me at the SAP Conference on Internal Controls, Compliance, and Risk Management in Copenhagen March 3–4, which will explore the theme “Connected Controls and Risks.”

This article originally appeared on SAP Community and is republished by permission.


About Thomas Frénéhard

Thomas is part of the Global Centre of Excellence for Finance and Risk solutions where he has a focus on Governance, Risk, and Compliance topics. Prior to that, he was a Senior Director in the Governance, Risk, and Compliance Solution Management team. His particular responsibility was with Risk Management but other functional areas of focus were in Internal Control & Compliance Management and Audit Management. He is also a regular contributor on social media and presenter at various SAP and non-SAP conferences on GRC matters.