Get 10% off GOAT RM ToolkitTM with vouchercode LINKEDIN10. Offer end 31 May

Why risk management is important for your business

The worldwide economy is changing at a rapid pace

Covid 19 has shaken worldwide markets and could be the catalyst for the next phase of our global economy. Given the impact on society, and the pace of technological developments in fields such as biotechnology, AI, processing power, data, space, alternative fuels, and batteries – a new dawn is at hand. So why is risk management important? Because we are entering a time of profound change. Our lives, as we know them, will be transformed shortly.

We have no idea what advice to give our children about their future career choices, since all we know is that they won’t be the same as what we’ve encountered in our lives. The best we can do is provide them with transferable skills such as creativity, communication, leadership, team-working, and instilling a work ethic and personal resilience that will help them flourish in whatever it is they do.

What can we learn from our experience?

Before we leap into a future marked by hyper-change, there are important lessons to be learned from our recent past, which witnessed the most rapid economic growth and technological progress in the history of humanity.

The fascinating video above indicates just how much the business world has transformed in the last 25 years. This isn’t about who the 10 biggest firms on earth are, and their market value. Instead, it’s about how change affects all businesses, regardless of size or sector.

It’s not just about single businesses either. We’ve seen entire sectors develop while others fade away. The most dangerous threats aren’t necessarily from established rivals. Instead, they might be a well-resourced mega-corporation like Google or Amazon, or an unknown startup concept that can grow to unicorn status in the blink of an eye.

How are we dealing with change?

Whilst change is the unifying theme, the skill required to navigate, pivot, or adapt is risk management. Risk management capability is a fundamental requirement in all businesses. It is a board responsibility, yet conducted at the coal face. Most regulators and standards require it, and every business faces it, takes it, and must manage it.

Given its importance, it’s unfortunate that most organisations still struggle to make risk management a dynamic, engaging, and valuable process. Instead, the majority of approaches fall into one of two categories:

i) Risk management through intuition

Most startups and small businesses manage risk by gut instinct. They know it’s not ideal, but it’s the easiest option when lacking professional risk expertise. Unfortunately, this is entirely dependent on an individual’s instincts, and is done on an ad-hoc basis. Given the counter-intuitive and complicated nature of risk (i.e. risks are bad for business, but they must be taken), and the many decisions that business executives must make, a negative outcome is practically unavoidable.

It’s a matter of luck which mistakes occur and what their ramifications are for a business. This, in turn, contributes to the overall statistics showing why most start-ups/projects/change programs/marketing campaigns have a high failure rate. Intuition will only take you so far. Sooner or later, your luck will run out.

ii) Risk management in place, but ineffective

Large, or regulated businesses, often formalise their risk management procedures, with some even hiring risk management experts and deploying software solutions. Yet, the overwhelming majority believe these protocols still fall short of delivering expected returns.

The most typical criticism we hear from business leaders, is that the risk discussions seem too high-level, risks never alter, updates are too anecdotal, the procedure is more of a reporting exercise, and that there is a need to modify the culture and ’embed’ process and thinking.

Ultimately, risk management isn’t leading to changes that support business decisions. Instead, the real decisions are taking place outside the process and in other forums. Many of these larger organisations therefore, spend a lot of time creating risk reports and documentation, but are in effect managing risk separately, often by intuition much like their smaller counterparts.   

Why are even ‘best practices’ falling short?

Despite many organisations adopting well-accepted best practice frameworks and guidance for risk management such as COSO ERM and ISO31000, many are still seeking ways to obtain greater returns through better-engaged culture and an increased consideration of risk in decision making.

Putting culture aside, a more detailed investigation and analysis of risk register reports shows them to be:

  • Too generic, high level or static. 
  • Subjective (scoring methods), with no real decision-making data. 
  • Anecdotal, out of date, and lacking incremental thinking.
  • Unengaging e.g. spreadsheets tools.
  • Manually created, time-consuming, and of limited value, particularly with regards to reporting.

We’ve spoken with hundreds of business executives and heard that the risk management process must be easy and useful to appeal to stakeholders who have other ‘day jobs’. It must therefore deliver value at every interaction, especially with senior stakeholders. Regularly asking them for updates turns the process into a chore and is a recipe for disaster.  

What can we do to better adapt to change?

We propose a more practical approach to risk management, viewing it as a problem-solving process. This simple paradigm shift makes risk management far more action-oriented, delivering profound, beneficial impacts and results. In practice, the process evolves into the very things leaders need to do to proactively manage their teams, projects, business, and goals:

  • When identifying risks, the starting point is to understand the business model. The number one risk organisations face, but are sometimes unwilling to admit, is whether they are still relevant, now and in the next 5 years.
  • Instead of describing risks and gaps to expectations as broad areas like IT Security or Supply Chains, try describing them as a problem statement.
  • Distribute accountability to solve, rather than own, problems and risks. This will encourage stakeholders to talk about actions that address the gaps, and to discuss roadblocks and solutions, making the entire process more action and outcome-oriented.
  • Prioritise problems and risks (acknowledging you can’t solve them) using a simple, intuitive risk assessment process.
  • Introduce a control framework that guides the thinking process towards the actions that need to be taken to deliver desired results. Business leaders tend to be natural problem solvers, but this control framework can really help operationalise solutions.
  • Measure and manage your issues and risks, so you have facts to help you make decisions and assess results. Most risk management procedures, particularly those that employ spreadsheets, are light on fact-based information.

A process to drive culture, so that culture can drive the process

Culture is a vague and complex topic combining behaviours, mindsets and tendencies. This is made more challenging when your business has its own culture agenda, and the risk team speaks separately about risk culture. These need to be aligned and intertwined.

The practical process improvements described above already start to influence organisational culture. We can further articulate risk culture using the acronym ETCHED. When prompted to think objectively about each aspect of ETCHED, Boards and Leaders will soon recognise there are gaps and journeys to each element. Addressing these promotes the risk process as a critical driver for more effective behaviours, mindsets, and tendencies across the business.

  • Empowered
  • Transparent
  • Challenging the status quo
  • Holistic thinking
  • Embedded risk management
  • Data-led decisions

This is the 1st of a 4 part series helping you to think broadly about the risks you face. Subscribe to our Blog today to never miss an update.

About the author

Danny Wong is the Founder and CEO of GOAT Risk Solutions. He is a thought leader in risk maturity, having engaged with hundreds of leaders and professionals in extensive market research. He has first-hand experience of supporting major corporates in a +20 year career specialising in Enterprise Risk Management. Danny saw a market opportunity for a simple, low-cost risk software solution to help organisations improve risk management capability, and launched GOAT in 2018.

Find out more about GOAT Risk™

Scale risk with confidence