Building a Risk-Intelligent Enterprise

Former Pennsylvania Governor Tom Ridge reveals what a risk-intelligence enterprise is and divulges strategies on how to create value, while mitigating loss.

April 6, 2009
by Sandra McMahon

What is a risk-intelligent enterprise? Should you consider it for your firm? How do you go about setting up such a system? What strategies should businesses and their leaders use to create value and develop a true risk-intelligent enterprise? Sandra McMahon, a senior project manager at the AICPA, recently caught up with the Honorable Tom Ridge, former governor of Pennsylvania and first U.S. Secretary of the Department of Homeland Security (DHS) to find out the answers to these and other queries that keep C-level executives and CPA professional up at night.

McMahon:  Secretary Ridge, in the current uncertain economy, industry leaders are challenged to balance long-term investments in security with the short-term requirement to produce profits. How can leaders address this tension?

Ridge: It is important for corporate leaders to view risk management, profitability and productivity as being intertwined and not as separate entities. Dealing with risk in an appropriate way has value for an enterprise. When managed correctly, risk can add value to a corporate enterprise. It is certainly not a trade-off.

Leaders should not ignore risk simply because the economy or a corporate enterprise is struggling. They should not segregate security and value or profit. It is important to minimize risk and reduce exposure to create value. When leaders segregate security from value, they make a mistake. It’s better to manage risk before it manages you.

Reader Note: Don’t miss the Honorable Tom Ridge’s keynote address at the AICPA’s upcoming National CFO Conference in La Jolla, CA, May 14-15.

McMahon: What are the major issues a company must consider over the next 12 months?

Ridge: Businesses — large and small — that are confronted with the challenges posed by today’s difficult economic circumstances must focus on fundamentals, such as customer relations, quality service and eliminating risk. Economic challenges should stimulate a fresh look at fundamentals as well as a new approach toward finding innovative and creative ways to do traditional things in a more effective way.

Given the economy’s global nature, in both good times and bad, the enterprise can’t ignore the reality of how interconnected we are. These connections have been recently demonstrated in the financial and security sectors. Today, business leaders need to not only continue to work on fundamentals, but also focus on managing risk more effectively in an interconnected, interdependent world.

McMahon: What is a risk-intelligent enterprise?  

Ridge: A risk-intelligent enterprise effectively manages risk, in the broadest possible terms, within the enterprise. The enterprise considers risk management as a core business function, embedded in the organization to the same extent as quality.

The enterprise realizes that, in an interconnected world, business professionals face a multitude of potential risks that can impair and undermine the enterprise brand — and also undermine their relationship with existing customers. Also, a risk-intelligent enterprise is proactive concerning risks, rather than reactive.

McMahon: Which threats or risks have the capability to produce the largest losses?

Ridge: The impact of threats depends upon the nature of the  business. There is no “one size fits all.” Threats, such as cyber attacks, fraud, supply-chain disruptions, accidents, weather, geopolitical upheavals, energy availability, energy costs, labor strikes, terrorism, legal issues or disease affect organizations differently.

For example, if companies are heavily energy dependent, they will plan accordingly by preparing for the extreme risks posed by rising fuel costs. Labor-intensive businesses may counter the spread of injury with protective gear to prevent harm  among employees or they may prepare for massive labor strikes.

It is critical to anticipate and prepare for a myriad of risks, including currency fluctuations that could impact an organization’s financial viability and issues of non-compliance that cause equity value to drop and the brand to be tarnished, which was the case with Mattel.

To deal with the wide range of risks facing enterprises, it is important to have a risk-intelligent enterprise conversation at the C-level. An organization must first determine its points of “interconnectedness,” identify the greatest current risks to the enterprise today and then set priorities and manage aggressively.

McMahon: Are there any new risks that have recently surfaced that you would like to highlight?

Ridge: No, but risks ebb and flow.

When I was at the White House, I spoke with a group of security executives in New York City who, given the anthrax events, were worried  about the threats of biological attacks. They were also concerned about pandemic that could be generated by Mother Nature. What happens when 40 percent of your workforce is out with SARS?

In response to a biological attack, the executives were working on procuring protective gear for operations, building a list of alternate employees and moving to different sites.

Risk can be something that surfaces within the environment at a particular time or something that business leaders deal with throughout the entire life of the organization.

McMahon: You advocate a proactive strategy for business in identifying and mitigating threats. How important is strategic planning in the risk-management process?

Ridge: Businesses need to evaluate their vulnerabilities and the impact of risks. How deep is the supply chain? Are there redundancies? Is the enterprise compliant with regulations? These are key issues to be considered.

A broad strategy and effective security protocols are needed to address a wide variety of risks that can adversely affect an organization. Leaders should engage in a process to evaluate the impact of risks associated with infrastructure, credit, transportation, construction and other issues.
McMahon: What are your views on how leaders can address key leadership challenges by “doing more with less”?

Ridge: There is a tendency in most organizations for inertia to set in and for people to become accustomed to doing things in a traditional way. I think now is an ideal time for innovative and creative leaders within any business organization to consider changing the paradigm.

This approach extends to the way they look at different responsibilities within an organization and their approaches to dealing with issues. As governor, my budget secretary had a sign in his office that read: “Nothing stimulates the imagination like a budget cut.”

The solution may be to take a different approach. Most business leaders have limited dollars and tight budgets. They can create value by asking: Can we achieve greater outcomes with the same amount of money by doing things differently? I think the answer in most cases will be “yes.”

McMahon: In closing, would you like to offer some general observations for enterprise leaders?

Ridge: Everyone can cut ribbons when times are good, but true leadership is about dealing with challenges while under adverse circumstances. Current economic times present great challenges. It is possible to find opportunities in these challenges. Now is the time to rethink processes and outcomes that are business leaders’ responsibility.

Also, view security as adding value and as an investment rather than an expense. Think of security and risk in broader terms and create a lifetime of security protocols.


Well there you have it. As former Governor Ridge said: as a business leader or owner, if you want to see a high return on investment (ROI), you’d best manage your risk intelligently because it will not only create value and greater efficiency, but it will also add to profitability and ultimately lead to a solid, risk-intelligent enterprise.

Rate this article 5 (excellent) to 1 (poor).
Send your responses here

Sandra McMahon is senior project manager for AICPA Conferences. With twenty years of experience and demonstrated success in industry and academia, McMahon is a published author of several books, chapters and articles. Prior to working at the AICPA, she worked as senior analyst at Science Applications International Corporation (SAIC), where she developed leadership and mentor-protégé training programs, led proposals to secure multi-million dollar project awards, developed strategic partnerships, managed large and complex client projects, and coordinated key internal programs.