Risk Management's 3 Basic Steps

In order to be effective, risk management must involve three phases:

  1. Risk identification & assessment
  2. Mitigation design & implementation
  3. Active monitoring of mitigation activities

If an organization misses any of these steps or does not directly link them to one another, it is not fully managing risk. Here’s what can happen if a step isn’t fully executed:

  1. Improper risk identification often results from identifying a risk’s symptom instead of its root cause. When this happens, controls don’t neutralize the root cause (even if they are designed well), leaving the organization vulnerable. If management does not reach out to supervisors on the front lines, the individuals who can take effective action may not be apprised.
  2. Mitigation activities can be ineffective either because they’re directed at a symptom (see #1) or simply because they’re not designed well. In either case, threats aren’t neutralized and the organization remains at risk. When risks are identified by one department but aren’t communicated to those who need this information, unnecessary collateral damage results.
  3. If internal controls procedures exist but are not used or updated, the organization is vulnerable not just to existing risks, but to an increased chance of negligence charges. If mitigation activities are not linked to risk, how is it possible to monitor the control? When controls are not linked to a root cause, people responsible for the control, or the business policy, monitoring does not meet compliance requirements. This leaves the enterprise open to class action suits for negligence.

Below, we’ll explore how Nordion Inc., a global health science company, missed phase three and paid the consequences:


Even though Nordion self-reported to and cooperated fully with the SEC, it was still forced to pay $375,000 in penalties.

This would have been avoided if the organization had adhered to its own internal controls procedures.

Internal Controls Procedures Could Have Shielded Company from Embezzlement Scheme

Between 2004 and 2011, one of Nordion’s employees reportedly “arranged improper payments” from the company to bribe Russian authorities, according to the Risk & Compliance Journal. Although Nordion was never complicit, the fact that it didn’t discover the scheme made it liable.

Here’s an important detail: The employee in question was very thorough in his deception. He kept the plan secret “by preparing multiple drafts of documents and by misrepresenting how the agent would use the funds received from Nordion, the SEC alleged.”

Even though Nordion didn’t know about the scheme, it could have better prepared itself for such scenarios. Specifically, the company could have trained its employees on its adapted operational procedures for branches in more corruption-prone regions. Additionally, the company “didn’t do any due diligence on the agent or follow its internal controls procedures in place at the time.”

On the bright side, the company earned no profit from the embezzlement scheme, and once the situation came to light, fired the employee and cooperated fully with the investigation. For this reason, the company avoided more severe penalties. Those good-faith actions, however, still didn’t save it from the initial $375,000 penalty.

An ERM solution would have prevented Nordion from making any headlines. Risk-based, enterprise-wide systems support all three phases of risk management. In this case, the company had performed phases one and two by merely having internal controls procedures in place. The slipup was letting the process go slack – not devoting a constant resource flow toward maintaining and monitoring those procedures.

LogicManager provides robust risk monitoring capabilities designed specifically to provide insights into how effective controls are (or, in this case, if they’re even being performed). Certain parties can also be made accountable for specific components of the controls. Customizable surveys, tasks, and emails can all be automated to recur at particular intervals, making internal controls easy to plan and prioritize.


For more specific information on ERM software’s proven return on investment, download our free eBook: The ROI of ERM and ERM Software.


Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.
