Paul McDowell, senior risk management consultant for USAID and Walton MBA alumnus, describes the enterprise risk management process and how it enables corporations to achieve their strategic objectives in the face of uncertainty.
Businesses today face rapidly changing environments and numerous uncertainty factors, including new ways of working, shifts in consumer demand, challenges within the supply chain, and political and economic risks.
“Everyone wants to be able to achieve their strategic objectives, but there are threats and opportunities out there that make achieving these objectives more uncertain. What we’re trying to do is minimize and mitigate things that impact that uncertainty in order to achieve mission objectives,” McDowell said.
McDowell has over 20 years of experience in risk management and international development in both public and private sectors. He has worked on stabilization projects in Libya, sourced fresh fruits and vegetables for the U.S. military in Afghanistan, and delivered projects in Iraq, Kosovo and Russia. His wide-ranging experience includes finance, information technology, economic recovery, socio-cultural analysis and logistics. While the framework he describes is used by the United States Agency for International Development (USAID) and their missions in frontier markets and fragile transitional countries, it also applies to businesses operating in challenging and uncertain environments.
USAID operates in more than 100 countries and runs missions focused on global health, stability, humanitarian assistance, innovation and partnership, and disaster relief assistance efforts. McDowell works on their enterprise risk management system, which spans across all project and risk factors to strengthen risk management practices on a broad, strategic-level scale.
The process begins with the agency’s risk appetite statement. USAID has the highest tolerance for programmatic risk factors, because that’s the mission – working in fragile transitional countries like Afghanistan, Iraq, Syria, Libya and West Africa. Low tolerance risk areas include security, legal and information technology (due to cybersecurity threats), as well as fiduciary responsibilities, where, as a government program, they must demonstrate appropriate use of funds. These factors are reviewed periodically; they are currently considering the addition of new factors such as partnership risks, climate change and anti-corruption.
The interplay between the risk appetite statement, strategic planning and the enterprise risk management is critical. The risk appetite statement provides broad-based guidance on the amount and type of risk the agency is willing to accept in order to achieve its mission and objectives. This guides the strategic plan – an ideal place to find and respond to strategic risks before they manifest. An effective enterprise risk management then illuminates this wide spectrum of risks that can impact the mission.
The enterprise risk management is developed during the planning process and informs the agency’s strategic objectives. Risk profiles are elevated using a bottom-up process, where field-level risk level profiles are completed and sent to the regional bureau for a compilation of common trends and risks. enterprise risk management implementation happens through a seven-step process:
- Establish context. Understand the mission, its objectives and potential risk factors representing both threats and opportunities.
- Identify risks using if/then statements.
- Analyze, evaluate and prioritize risks based on the probability of occurrence and the impact they risk could have on activity performance.
- Develop risk mitigation strategies to address all identified risks.
- Respond to risks through a risk mitigation plan and a capacity building plan.
- Monitor and review. USAID has a strong measurement and learning focus and is constantly reviewing projects and their risk mitigation plans.
- Communicate, learn and adapt. Understand what has been learned and share those lessons in order to foster partnership, manage expectations and inform future policy.
what has been learned and share those lessons in order to foster partnership, manage
expectations and inform future policy.
While the bureau manages enterprise risk management and strategic planning, only a
small portion of USAID employees work at headquarters — most USAID workers are frontline
managers out in the field. It is important for enterprise risk management to be a
successful part of the strategic planning cycle so that it can be used as a tool for
making difficult decisions under uncertain circumstances. Frontline workers use this
guidance to determine whether a situation is an opportunity that can be exploited,
enhanced, shared or ignored, or a threat to be avoided, mitigated, transferred or
accepted. Ultimately, as McDowell states, it “should encourage us to be bolder in
areas where risk tolerance is higher, such as seeking out new partners and innovative
procurement opportunities, while remaining vigilant in low-risk areas like cybersecurity
and fraud.”
When managed as part of a continuous review process and especially when automation is used for implementation and analysis, risk management processes can be key to alerting frontline workers about risks and opportunities that are critical to the mission, ultimately allowing organizations to address aspects of uncertainty more quickly in order to achieve objectives in places where most businesses would be afraid to operate.
*The Walton MBA Learning Series is open to the public and provides continuous learning opportunities to alumni, students and anyone interested in business and management field.
McDowell was the featured speaker for the September learning series.