Are you a business leader navigating the complexities of today’s ever-changing landscape? Whether you’re in a regulated or non-regulated industry, implementing a robust risk management process is paramount for sustainable growth and resilience. In this guide, tailored for non-risk management professionals, we’ll demystify the process and equip you with the tools to effectively manage risks within your organisation, project, or workplace.
This article is designed for business leaders in small to medium-sized enterprises who may not have a background in risk management. Whether prompted by inquiries from stakeholders, regulatory requirements, or simply a proactive stance towards safeguarding your enterprise, this guide will provide valuable insights and practical steps to initiate and streamline your risk management efforts.
In today’s dynamic business environment, uncertainties abound. From increased competition to changing customer preferences, supply chain and operational disruptions, to unexpected costs and financial setbacks; the consequences of unforeseen risks can be severe, potentially jeopardising growth and even survival. Thus, establishing a formal risk management process is not just a prudent choice; it’s a strategic imperative, irrespective of your industry, organisational size, or lifecycle stage.
In the realm of business, risk isn’t merely about the downside. It encapsulates anything capable of impacting our objectives, whether positively or negatively. It encompasses everything that impedes our progress and captures the opportunities essential for growth and prosperity. Rather than fixating on every conceivable scenario, our focus should lie on identifying and addressing the most significant risk factors – the ones pivotal to our success, or intolerable on our watch.
This prioritisation is based on a combination of the likelihood of a risk materialising and the potential severity of its impact. By discerning these critical elements, we navigate the landscape of risk with clarity and purpose, fortifying our endeavours against potential pitfalls, while embracing the pathways to advancement.
For many, lists serve as lifelines, providing structure and clarity. Yet, for others, a lengthy list can induce feelings of overwhelm and anxiety. We often see risk registers containing 100+ risks.
So, gain immediate value by compiling a risk register and identifying the critical factors for your business; around 8 to 12 items that could genuinely jeopardise success.
With this focus, value then lies in driving accountability and proactive management. By assigning specific risks to team members, we ensure they receive due attention, prompting thoughtful consideration, necessary action, and effective oversight. This approach transforms potential threats into manageable challenges, empowering us to navigate our ventures with confidence and resilience.
Despite the evident necessity for robust risk management practices, reinforced by the existence of comprehensive frameworks such as ISO3100, COSO, and guidance from reputable bodies like The Institute of Risk Management (IRM), the reality is sobering. Across the spectrum of organisations – from nimble start-ups to sprawling publicly listed corporations equipped with dedicated risk management teams – the challenge persists.
Too often, risk management efforts falter. They may be non-existent, sporadic, or, at best, formalised into mere reporting rituals, typically confined to an Excel spreadsheet that’s dusted off once or twice a year.
Unfortunately, these conventional approaches fall short of delivering substantive management insights, fostering constructive dialogue, instilling accountability, and facilitating informed decision-making processes. Despite the wealth of guidance available, organisations continue to grapple with the effective implementation of risk management practices, highlighting a critical gap between theory and application.
The uneasy juxtaposition of external uncertainty and our collective shortcomings in risk management forms an uncomfortable truth that many organisations grapple with – or, often, endeavour to avoid altogether.
Achieving successful risk management doesn’t have to be complex or expensive. By leveraging best practice frameworks like ISO and COSO, any organisation can establish a simple yet effective approach. This typically revolves around three core components: Process, Culture, and Governance.
At its core, the risk management process entails a straightforward sequence: the identification, assessment, treatment, and monitoring of risks.
This methodology is applied to a select number of well-defined risks, typically numbering between 8 to 12, each with clear ownership.
Consistency is key in risk assessment, usually gauging impact, and likelihood. A typical narrative involves a Gross score or rating (inherent or worst-case scenario) and then, once controls are factored in, bringing the risk down to a Net position (residual or current state). Subsequently, discussions may revolve around acceptance of the risk, or the need for action to mitigate or optimise it to a desired Target.
To further simplify this process, consider interchanging the word “risk” with “problem“. By identifying and prioritising the most significant problems facing the business – whether they involve overcoming challenges, navigating obstacles, or averting potential pitfalls, we align our risk management efforts with the core objectives of success and sustainability.
1. Overloading with Theoretical Risks: It’s easy to get lost in a sea of theoretical or generic risks that may not directly impact our current operations. Instead, focus on identifying risks that align with our ongoing projects or concerns. Describe them in terms that resonate with the Board or CEO by linking them to the problems solved by major projects or investments.
2. Lack of Accountability: Without named owners, risks often fall by the wayside. While senior leaders may be ultimately accountable, they aren’t always directly involved in managing specific risks. Assign risks, controls, and actions to team members, empowering them to take charge. Utilise the risk register as a tool for tracking progress and providing team members with a platform to voice their concerns.
3. Inaction Due to Perceived Insignificance: It’s common for organisations to overlook risks because they don’t believe they’re real problems, or because they feel powerless to address them. Every business and department face fundamental challenges that require attention. If the risks are genuine, the actions to mitigate them become tangible. Often, these actions require bold leadership, resource allocation, investment, and innovation to challenge the status quo.
4. Not All Risks Require Immediate Action: Understand that not every risk demands immediate action. Many risks may be in a stable state with well-defined controls. Some controls may already be undergoing continuous improvement. As a leader, focus on monitoring these areas effectively by asking: Are we excelling? Are we leaders in these areas? Utilise metrics and data to assess performance.
5. Effective Monitoring Techniques: Tailor monitoring techniques to suit the nature of the risks. Employ narrative monitoring for dynamic and emerging areas where qualitative analysis is crucial. For well-established, well-controlled, and mature risk areas, rely on data-driven monitoring to track progress effectively and ensure continued success.
Creating a risk-aware culture is the most challenging aspect of effective risk management. Many struggle to foster meaningful engagement, with risk registers becoming mundane chores and discussions lacking depth.
It’s a common issue we encounter among clients seeking assistance in revitalising their risk management processes.
As mentioned earlier, the key lies in capturing risks that truly resonate with the real issues and problems. When risks are genuinely transformative or require bold decisions and investments, attention naturally follows. Imagine a risk register brimming with the most impactful and transformative risks, offering narrative updates complemented by data-driven insights into the organisation’s critical areas. Such a resource demands serious consideration.
If you’re grappling with culture and engagement, start by evaluating the value, insightfulness, informativeness, and transformative potential of the content within your risk register. This introspection serves as a crucial first step.
Culture and the quality of risk information may seem intertwined, like the chicken and the egg. Therefore, we advocate for fostering a set of attitudes and behaviours encapsulated by ’ETCHED’:
1. Empowerment: Ensure that individuals entrusted with managing risks have the necessary resources at their disposal.
2. Transparency: Encourage openness about risks, empowering individuals to seek help when needed and facilitating effective risk management escalation.
3. Challenge: Encourage questioning of the status quo, as discomfort often signals the need for alternative risk management strategies.
4. Holistic Thinking: Promote a broader perspective among leaders, breaking down organisational silos and conventional viewpoints.
5. Embedded Risk Management: Integrate risk management seamlessly into day-to-day activities and decision-making processes.
6. Data-Led Approach: Emphasise the use of Key Risk Indicators and other metrics to foster a performance management mindset, particularly concerning well-established and data-rich operational risks.
By instilling these principles, organisations can cultivate a culture where risk management is not just a process, but a way of thinking that’s ingrained in the fabric of its operations and decision-making processes.
Just like culture, good governance in risk management revolves around people, clear roles, and responsibilities across all levels of the organisation, from team members to committees and the Board. It’s about embedding risk management practices throughout the organisation’s hierarchy, ensuring seamless communication and alignment.
While most organisations discuss top-level risks at the Board or Committee, often there’s insufficient activity behind the review of these. Given the complexity of organisations and the multitude of risks they face, it’s essential to adopt a structured approach. We propose that while the top 8-12 should be reviewed at the Board level, this doesn’t diminish the importance of other risks.
Instead, risks should be managed and reviewed at the appropriate level, with a clear escalation pathway. Before delving into top-level issues, it’s imperative to confirm that all lower-level risks have been adequately reviewed, providing an opportunity for escalation or discussion from within the organisation.
At the departmental or sub-board level, it’s vital to delegate responsibility so that team members own and update their respective risks. This enables department heads to receive updates and assurance about risk management within their areas and then communicate this intelligently as required. Collaboration is key here; when responsibility for updating risks is shared, the risk register becomes more valuable to both writers and readers.
In essence, effective governance in risk management requires a collaborative effort across all levels of the organisation, ensuring that risks are appropriately managed, communicated, and addressed in alignment with objectives and strategies.
We’ve outlined a clear roadmap to breathe life into your risk management process, emphasising simplicity and practicality. However, the linchpin lies in people, culture, and engagement – undoubtedly the most challenging aspects.
Bridging the gap between identifying the right risks and fostering meaningful engagement can be facilitated by adopting the behaviours defined in ETCHED.
Clear governance roles are essential to ensure risks are effectively owned, managed, reviewed, and challenged at the appropriate levels, with provisions for escalation when necessary. This collaborative, action-oriented, and data-driven approach to risk management simply cannot thrive within the confines of an Excel spreadsheet or other manual tools.
Enter GOAT Risk™ – an easy to use, low-cost risk management software tool designed specifically for non-risk experts. It offers a simple, cloud-based solution to help facilitate effective, value-adding risk management within your organisation.
If you’re interested in exploring our risk management platform, training programs, or consultancy services further, we’re here to assist. Don’t hesitate to reach out to us to learn more about how we can help elevate your risk management practices to the next level.
Find out more about GOAT Risk™Scale risk with confidence