A to Z of Risk Management

 in Business Continuity / Business Skills / Information Security / Leadership / Management  tagged Horizon Scanning / Risk Assessment / Risk Management / Risk Treatment / Threats / Vulnerabilities by
Reading Time: 26 minutes

A to Z, Business Strategy, Business Continuity, Information Security, Marketing, Social Media, Business Transformation

All organisations, whatever their size or market, face a range of risks affecting the achievement of their objectives. While “risk” is commonly regarded as negative, risk management is as much about exploiting potential opportunities as preventing potential problems.

Risk management comprises a framework and process that enable organisations to manage uncertainty in an effective, efficient and systematic way from strategic, programme, project and operational perspectives, as well as supporting continual improvement. Risk management applies at all levels of an organisation and to all activities.

In this A to Z, I’d like to cover some of the key areas of Risk Management and Treatment and give you a better understanding of this broad topic that underpins multiple quality and ISO standards.

A – Appetite for Risk

Considering and setting a risk appetite enables an organisation to improve outcomes by optimising risk taking and accepting calculated risks within an appropriate level of authority.

The organisation’s risk appetite should be established and approved by Senior Management and effectively communicated throughout the organisation.

The organisation should prepare a risk appetite statement, which may:

  • Provide direction and boundaries on the risk that can be accepted at various levels of the organisation, how the risk and any associated reward is to be balanced, and the likely response
  • Consider the context and the organisation’s understanding of value, cost-effectiveness of management, rigour of controls and assurance processes
  • Recognise that the organisation might be prepared to accept a higher than usual proportion of risk in one area if the overall balance of risk is acceptable
  • Define the control, permissions and sanctions environment, including the delegation of authority in relation to approving the organisation’s risk acceptance, highlighting of escalation points, and identifying the escalation process for risk outside the acceptance criteria, capability or capacity
  • Be reflected in the organisation’s risk management policy and reported upon as part of the organisation’s internal risk reporting system
  • Include qualitative statements outlining specific risks the organisation is or is not prepared to accept
  • Include quantitative statements, described as limits, thresholds or key risk indicators, which set out how certain risks and their rewards are to be judged and/or how the aggregate consequences of risks are to be assessed and monitored.

B – Benefits of implementing Risk Management

Organisations often find that Risk Management provides a combination of both qualitative and quantitative benefits. Below I’ve highlighted five key benefits:

 

  1. Creation of a more risk focused culture for the organisation

Organisations that have implemented Risk Management note that increasing the focus on risk at the senior levels results in more discussion of risk at all levels. The resulting cultural shift allows risk to be considered more openly and breaks down silos with respect to how risk is managed.

As risk discussions develop into a standard part of the overall strategic business processes, functional units often find that addressing risk in a more formal way helps manage their part of the organisation as well. Communication and discussion of risk is recognised as not only a process to provide information to senior management, but a way to share risk information within and across operations of the company, and allow better insights and decision-making concerning risk at all levels.

  1. Standardised risk reporting

A formal Risk Management System supports better structure, reporting, and analysis of risks. Standardised reports that track enterprise risks can improve the focus of Senior Management by providing timely data that enables better risk mitigation decisions. The variety of data (status of key risk indicators, mitigation strategies, new and emerging risks, etc.) helps leadership understand the most important risk areas. These reports can also help leaders develop a better understanding of risk appetite, risk thresholds, and risk tolerances.

  1. Improved focus and perspective on risk

A Risk Management System develops leading indicators to help detect a potential risk event and provide an early warning. Key metrics and measurements of risk further improve the value of reporting and analysis and provide the ability to track potential changes in risk vulnerabilities or likelihood, potentially alerting organisations to changes in their risk profile.

  1. Efficient use of resources

In organisations without Risk Management, many individuals may be involved with managing and reporting risk across functional units. While developing a Risk Management System does not replace the need for day-to-day risk management, it can improve the framework and tools used to perform the critical risk management functions in a consistent manner. Eliminating redundant processes improves efficiency by allocating the right amount of resources to mitigating the risk.

  1. Effective coordination of regulatory and compliance matters

Financial statement auditors, Insurers and regulatory examiners, have begun to inquire about, test, and use monitoring and reporting data from Risk Management systems. Since Risk Management data involves identifying and monitoring controls and mitigation efforts across the organisation, this information can help reduce the effort and cost of such audits and reviews.

Through all of the benefits noted above, Risk Management can enable better cost management and risk visibility related to operational activities. It also enables better management of market, competitive, and economic conditions, and increases leverage and consolidation of disparate risk management functions.

C – Context

Before starting the design and implementation of a risk management framework, it is important to evaluate and understand both the external and internal context of the organisation, since these can significantly influence the framework design.

Evaluating the organisation’s external context may include:

a)      The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local

b)      Key drivers and trends having impact on the objectives of the organisation

c)       Relationships with, and perceptions and values of, external stakeholders

Evaluating the organisation’s internal context may include:

a)      Governance, organisational structure, roles and accountabilities

b)      Policies, objectives, and the strategies that are in place to achieve them

c)       Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies)

d)      Information systems, information flows and decision-making processes (both formal and informal)

e)      Relationships with, and perceptions and values of, internal stakeholders;

f)       Organisational culture

g)      Standards, guidelines and models adopted by the organisation

h)      Contractual relationships with suppliers

D – Documentation

Documenting an organisation’s risk management framework and recording each step of the risk management process is critical for a number of reasons, including:

  • Demonstrating to stakeholders that the process has been conducted properly
  • Providing evidence of a systematic approach to risk identification and analysis
  • Enabling decisions or processes to be reviewed
  • Providing a record of risks and to develop the organisation’s knowledge database
  • Providing decision makers with a risk management plan for approval and subsequent implementation
  • Providing an accountability mechanism and tool
  • Facilitating ongoing monitoring, review and continuous improvement
  • Providing an audit trail
  • Sharing and communicating information

The following areas of your organisation’s risk management framework need to be documented:

  • Objectives and rationale for managing risk
  • Accountabilities and responsibilities for managing and overseeing risks
  • Processes and methods to be used for managing risks – i.e. how the Risk Management process will be applied in the organisation
  • Commitment to the periodic review and verification of the risk management framework and its continual improvement
  • The way in which risk management performance will be measured and reported
  • Resources available to assist those accountable or responsible for managing risks
  • Organisation’s risk appetite translated into risk rating criteria
  • Links between risk management and the organisation’s objectives
  • Links between risk management and other processes and activities
  • Scope and application of risk management within the organisation
  • Requirements for recording and documentation of the risk management process (e.g. communication plan, stakeholder analysis, risk register, risk profile, and risk reporting)

E – Evaluating Risks

Risk evaluation involves comparing a risk’s overall exposure against the organisation’s risk appetite. This allows the determination of whether further controls are required to bring the risk within a level acceptable to the organisation. The output of the risk evaluation phase is a prioritised list of risks.

The following key steps are involved in evaluating risks:

1. Rank the risks based on the outcome of the risk analysis process

Risks can be ranked either qualitatively or quantitatively. Applying qualitative analysis, you can rank the risks using a heat map. The heat map is a colour-coded matrix with each colour indicating the level of risk. This heat map represents the tolerance level of your organisation. This would have been developed in the earlier phase of “Establish Context”, as it is a part of the organisation’s risk management context.

Based on the control effectiveness rating, likelihood of the risk occurring and potential consequences identified in the earlier phase, plot the risks against the matrix. The completed matrix is your risk profile.

Applying semi-quantitative analysis, the organisation can also rank the risks based on their numerical value. The numerical value is a combination of the values assigned by the organisation to control effectiveness, likelihood and consequence.

The most common approach to visually recording risk is using a 3 by 3 or 5 by 5 heat map as illustrated below. A risk heat map is sometimes referred to as a risk matrix.

Risk Assessment, Risk, Likelihood, Business Continuity, Risk Management

2. Consider the overall risk profile

Once the initial risk profile has been developed, the organisation may need to consider how each risk ranks in relation to the other risks. This step allows the organisation to conduct a “sanity check” of the risks that have been placed on the heat map to ensure that risks are rated correctly when compared to each other (e.g. “Risk manager may be off sick with flu” is not rated the same as “Project objectives may not be met”).

Possible outcomes of this step include:

  • The organisation may reassess the rating of some of the risks if it is felt that the overall spread of the risks relative to each other is not a true reflection of reality
  • The organisation may recognise that some risks are similar to the other risks, or are contributing factors to other risks. Hence they may be incorporated into the risk description of other risks within the risk register
  • The organisation may consider the interdependencies between the risks and consider the consequence on the organisation if more than one risk occurred at the same time. This may result in changes to the overall risk ratings.
3. Develop a list of priority risks

The primary objective of evaluation is to prioritise risks. This helps to inform the allocation of resources to manage risks, both non-financial and financial.

The priority list can be categorised by a number of criteria dependent on what is most relevant for the organisation e.g. risk rating, functional area or by type of impact (i.e. strategic or operational). This will further refine the focus for risk treatment.

F – Frequency of risk reporting

At a minimum, an organisation should update and report on its risk profile on an annual basis. While an annual reporting and update cycle may meet statutory requirements, effective risk management typically requires more frequent reporting on risk.

The frequency of risk reporting should reflect the cycle of the organisation’s regular internal reporting. Where the Executive receives monthly or quarterly progress reports on Financial, Operational, Health and Safety or IT matters, they may wish to receive similar risk reports.

G – Governance

Risk management is an important element of how Senior Management discharges its responsibilities to stakeholders in the governance of the organisation; the organisation’s risk management framework should have the following features:

  • Risk management as part of the organisation’s overall approach or framework for governance
  • Risk being recognised as a Senior Management matter, with the Board ultimately accountable for risk management
  • Risk management objectives designed to support and achieve the organisation’s risk appetite and the approach to recognising risk in decisions, providing achievable goals for risk management
  • Ownership and accountability for managing and reporting on risk throughout the organisation
  • Roles, accountabilities and responsibilities for managing risk, which are communicated and understood, and a clear distinction between those who have:

a)      Direct responsibility for the management of risk, e.g. management and staff working within each functional unit

b)      Responsibility for development, implementation, maintenance and oversight of the effectiveness of the risk management framework, e.g. a risk committee

c)       responsibility for providing independent assurance, e.g. internal audit

d)      Ultimate responsibility for obtaining assurance and thereafter driving improvement

  • A defined, effectively communicated and understood policy, which sets out the requirements for managing risk;
  • Defined processes and procedures for managing the organisation’s risks and for managing the development of risk management across the organisation
  • A method of assessing, leading and monitoring the organisation’s risk management culture
  • Defined parameters around the level of risk that is acceptable to the organisation, and thresholds which trigger escalation, review and approval by an authorised person/body
  • A defined approach to recognising risk in decisions
  • An appropriate flow of risk information around the organisation
  • A commonly defined and agreed terminology for describing key risk management concepts and practices

The risk management framework should include objectives for risk management, plans for developing risk management across the organisation, and designs for elements such as processes and tools. These should be contained in a risk management strategy and a risk management policy.

H – High-Level Risk Management Framework

Risk Management Framework, Establish Context, Identify Risks, Analyse / Quantify Risks, Assess & Prioritise Risks, Treat / Exploit Risks, Monitor & Review

 

I – Individual’s role within Risk Management

The organisation should embed risk management by incorporating it into each individual’s responsibilities. People should understand:

  • The risks that relate to their roles and their activities
  • How the management of risk relates to the success of the organisation
  • How the management of risk helps them to achieve their own goals and objectives
  • Their accountability for particular risks and how they can manage them
  • How they can contribute to continuous improvement of risk management
  • That risk management is a key part of the organisation’s culture
  • The need to report in a systematic and timely way to senior management any perceived new or emerging risks, near misses or failures of existing control measures within the parameters agreed

J – Joined-up Risk Management

No organisation or function within an organisation works in true isolation when it comes to risk management.

Internal Risk Management

Many organisations handle risk management within functions and submit risks and risk matrices to senior management based upon their evaluation of their functional area risks. The same risks may exist elsewhere in an organisation but their impact and subsequent treatment recommendations may differ. It is therefore hugely important for senior management to collectively review risk matrices to ensure that risk levels and their treatment are agreed upon from an organisational perspective.

External Risk Management

Some risks and their associated treatments may require joint effort between organisations and third parties. This could involve negotiation with third-party suppliers, local / national government as well as emergency service organisations. Being prepared and being connected to the right stakeholders could mean the difference between your organisation becoming operational very quickly following a major incident and going out of business.

K – Keeping your Risk Register up-to-date

The purpose of a risk register is to record details of all risks that have been identified, together with their analysis and plans for how those risks are to be treated. The risk register is an important component of the overall risk management framework. It will include ALL risks – not just operational risks, and can be focused either on the organisation as a whole, or on specific projects where it is used to maintain the register of project risks over the lifetime of the project.

An important parameter recorded in the risk register is the ‘owner’ of each risk – the person who owns responsibility for actions relating to that risk.

It is important to record when the risk item was identified and added to the register, when the entry was last updated, and for some items, when they were closed. However, closed items should be maintained for historical analysis purposes, perhaps being transferred to a separate ‘closed risks’ register table.

Access to the risk register must be controlled to maintain its integrity and confidentiality. Some items recorded in the register may be very sensitive and thus not for wide publication. These confidential items can be ‘flagged’ by adding an extra field to the table record structure. The integrity of all item entries is also important, so you need a security policy for the register that defines who should be able to update the table and who can read it.

L – Likelihood and Impact of Risks

Events identified as potentially impeding the achievement of objectives are deemed to be risks and should be evaluated based on the likelihood of occurrence and the significance of their impact on the objectives. It is important to first evaluate such risks on an inherent basis—that is, without consideration of existing risk responses and control activities.

For example, an organisation with headquarters on the banks of a river may seek to assess its exposure to the risk of flooding. On an inherent basis, it would consider the likelihood and impact of a flood by considering external data (such as the historical and projected frequency of floods) and internal data (such as the estimated damage to its physical assets if a flood were to occur). An impact and probability rating should then be assigned using defined risk rating scales. These individual risk ratings should then be brought together in the form of an inherent risk map as I outlined in ‘E’.

Additionally, as risk assessments are refreshed over time, a risk map can allow analysis over time (e.g., upward or downward trend of risks, and the extent of positive or negative correlations between certain risks).

M – Monitoring and Review

Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. It can be periodic or ad hoc.

The organisation’s monitoring and review processes should encompass all aspects of the risk management process for the purposes of:

  • Ensuring that controls are effective and efficient in both design and operation
  • Obtaining further information to improve risk assessment
  • Analysing and learning lessons from events (including near-misses), changes, trends, successes and failures
  • Detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities; and
  • Identifying emerging risks

Progress in implementing risk treatment plans provides a performance measure. The results can be incorporated into the organisation’s overall performance management, measurement and external and internal reporting activities.

The results of monitoring and review should be recorded and externally and internally reported as appropriate, and should also be used as an input to the review of the risk management framework.

N – No Risk, No Reward

“No risk, no reward; no guts, no glory.” In business, this mantra poses challenges, especially when dealing with compliance, security and risk management—organisations often need to take risks to get ahead of competition and take care to avoid overstepping their bounds. Organisations must address the point when something is no longer a risk, but an inevitable failure.

When a large organisation takes a risk, it has to consider a wide range of people: its employees, customers, investors and other stakeholders. Do regulatory requirements drive all choices and should the company always play it safe? No risk, no reward, remember?

Companies in the 21st century that play it safe are going to fall to the competition. “The bigger the risk, the bigger the reward” is becoming a culture rather than just a motivational poster. The businesses that push too hard, too fast will have less success, but the companies that remain calculated, deliberate, and informed when taking risks, are not really taking risks at all—they are making smart business decisions.

What is vital to organisational survival, and their ability to thrive in a competitive industry culture, are the right tools and resources needed to make calculating risks easier and faster.

O – Owners of Risks and Responses

Where the risk management process identifies any risks that need to be actively managed, each risk and each response should be assigned an owner who is responsible and accountable for:

  • In the case of a risk, owning the organisation’s assessment of the risk, monitoring it, and reporting its status
  • In the case of a risk response, responding to the risk, contributing to the development and maintenance of an appropriate control environment, and reporting on the status of the response

Risks and their responses may be owned by the same person.

P – Policy

The organisation’s risk management policy may include:

  • Governance, outlining how risk management is governed
  • Policy scope, describing the purpose of the policy and who it is aimed at; describing the high level principles and the benefits of implementing risk management; setting out the objectives, including legal and regulatory requirements, and what it intends to achieve; and providing an explanation of the relationship with other policies
  • Policy applicability, setting out to whom and to what the policy applies
  • Risk management process, providing a high level overview and description of the risk management process adopted by the organisation
  • Risk appetite, outlining the organisation’s risk appetite, thresholds and escalation procedure
  • Reporting, describing the purpose, frequency and scope of reporting
  • Roles, accountabilities and responsibilities, describing the high level roles, accountabilities and responsibilities in respect of risk management
  • Variations and dispensations, stating whether variations or dispensations from the policy are allowed and, if they are allowed, describing the process for requests for this

Q – Qualitative and Quantitative Risk Analysis

Quantitative Risk Analysis

In short, Quantitative risk analysis is by far the most exhaustive, costly and time-consuming method of doing a risk assessment. However, its primary benefit is identification of your greatest risk based on financial impact. Assigning a value to loss associated with vulnerability is often the best way to obtain corporate buy-in and a true understanding of impact to the organisation.

Quantitative is the only option if your Senior Management requires numeric figures and findings that can be measured against budgets from year to year.

Quantitative Risk Analysis – Key Points:
  • Yields results in terms of financial impact
  • All findings are expressed in monetary values, percentages, and probabilities
  • Allows for more control and understanding regarding procurement and budgeting
  • Requires larger organisational cooperation
  • Better protection against litigation risk
  • Very time intensive

Qualitative Risk Analysis

Qualitative risk analysis is more common than quantitative due to the time and cost involved. In Qualitative analysis, the assets are discovered and reviewed for known vulnerabilities against a database of potential vulnerabilities. The risk is then measured against relative scales to determine the probability of a threat exploiting the vulnerability. Threat impact, probability of threats, and vulnerabilities used in the analysis are very subjective between analysts conducting the analysis. It is not uncommon in a qualitative risk analysis to have two experts with differing conclusions. If an organisation is strapped for time or can’t afford the resources to dedicate to understanding your risk in detail, qualitative is the best methodology

Qualitative Risk Analysis – Key Points:
  • Requires less time and is less costly
  • Findings are simple in nature
  • Focus is on specific vulnerabilities to the affected assets
  • Values of loss are perceived and not quantified
  • Vulnerabilities are rated subjectively
  • Focus is on understanding the risk and often include recommendations for mitigation based on analysts knowledge and expertise

R – Risk Management Process

The organisation’s risk management process should, as a minimum, comprise the following steps:

  • Context
  • Identification
  • Assessment
  • Response
  • Reporting
  • Review

S – Senior Management Responsibilities

The responsibilities of the senior management of the organisation in respect of risk management should include:

  • Ensuring that there is a fit-for-purpose and up-to-date risk management framework and process in place and that risk management is adequately resourced and funded
  • Providing strategic direction on the appropriate recognition of risk in decisions and setting risk appetite and associated authority
  • Approving the risk management policy and setting the “tone” and culture for managing risk and embedding risk management
  • Ensuring the key risks facing the organisation are properly assessed and managed;
  • Evaluating the risk implications of change
  • Planning for how the organisation will respond to risks that could arise, including the management of a crisis
  • Providing direction and receiving assurance on the effectiveness of risk management and compliance with the risk management policy
  • Reporting on risk management to stakeholders and signing off public disclosures

T – Treatment of Risks

Risk Treatment is the process of selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, optimising, transferring or retaining risk.

Management or treatment options for risks expected to have positive outcome include:

  • Starting or continuing an activity likely to create or maintain a positive outcome
  • Modifying the likelihood of the risk, to increase possible beneficial outcomes
  • Trying to manipulate possible consequences, to increase the expected gains
  • Sharing the risk with other parties that may contribute by providing additional resources which could increase the likelihood of the opportunity or the expected gains
  • Retaining the residual risk

Management options for risks having negative outcomes look similar to those for risks with positive ones, although their interpretation and implications are completely different. Such options or alternatives might be:

  • To avoid the risk by deciding to stop, postpone, cancel, divert or continue with an activity that may be the cause for that risk
  • To modify the likelihood of the risk by trying to reduce or eliminate the likelihood of the negative outcomes
  • To try modifying the consequences in a way that will reduce losses
  • To share the risk with other parties facing the same risk (insurance arrangements and organisational structures such as partnerships and joint ventures can be used to spread responsibility and liability)
  • To retain the risk or its residual risks

U – Understanding the types of Risk Assessment

Risk assessment can be conducted at various levels of an organisation.

The objectives and events under consideration determine the scope of the risk assessment to be undertaken. Examples of frequently performed risk assessments include:

Strategic risk assessment

Evaluation of risks relating to the organisation’s mission and strategic objectives, typically performed by senior management teams in strategic planning meetings, with varying degrees of formality.

Operational risk assessment

Evaluation of the risk of loss (including risks to financial performance and condition) resulting from inadequate or failed internal processes, people, and systems, or from external events. In certain industries, regulators have imposed the requirement that companies regularly identify and quantify their exposure to such risks. While responsibility for managing the risk lies with the business, an independent function often acts in an advisory capacity to help assess these risks.

Compliance risk assessment

Evaluation of risk factors relative to the organisation’s compliance obligations, considering laws and regulations, policies and procedures, ethics and business conduct standards, and contracts, as well as strategic voluntary standards and best practices to which the organisation has committed. This type of assessment is typically performed by the compliance function with input from business areas.

Internal audit risk assessment

Evaluation of risks related to the value drivers of the organisation, covering strategic, financial, operational, and compliance objectives. The assessment considers the impact of risks to shareholder value as a basis to define the audit plan and monitor key risks. This top-down approach enables the coverage of internal audit activities to be driven by issues that directly impact shareholder and customer value, with clear and explicit linkage to strategic drivers for the organisation.

Financial statement risk assessment

Evaluation of risks related to a material misstatement of the organisation’s financial statements through input from various parties such as the controller, internal audit, and operations. This evaluation, typically performed by the finance function, considers the characteristics of the financial reporting elements (e.g., materiality and susceptibility of the underlying accounts, transactions, or related support to material misstatement) and the effectiveness of the key controls (e.g., likelihood that a control might fail to operate as intended, and the resultant impact).

Fraud risk assessment

Evaluation of potential instances of fraud that could impact the organisation’s ethics and compliance standards, business practice requirements, financial reporting integrity, and other objectives. This is typically performed as part of Sarbanes-Oxley compliance or during a broader organisation-wide risk assessment, and involves subject matter experts from key business functions where fraud could occur (e.g., procurement, accounting, and sales) as well as forensic specialists.

Market risk assessment

Evaluation of market movements that could affect the organisation’s performance or risk exposure, considering interest rate risk, currency risk, option risk, and commodity risk. This is typically performed by market risk specialists.

Credit risk assessment

Evaluation of the potential that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms. This considers credit risk inherent to the entire portfolio as well as the risk in individual credits or transactions, and is typically performed by credit risk specialists.

Customer risk assessment

Evaluation of the risk profile of customers that could potentially impact the organisation’s reputation and financial position. This assessment weighs the customer’s intent, creditworthiness, affiliations, and other relevant factors. This is typically performed by account managers, using a common set of criteria and a central repository for the assessment data.

Supply chain risk assessment

Evaluation of the risks associated with identifying the inputs and logistics needed to support the creation of products and services, including selection and management of suppliers (e.g., up-front due diligence to qualify the supplier, and ongoing quality assurance reviews to assess any changes that could impact the achievement of the organisation’s business objectives).

The examples described above are illustrative only. Every organisation should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends upon priorities and objectives. It may be narrow and specific to a particular risk, as in some of the examples above. It may be broad but high level: e.g., an enterprise-level risk assessment or a top-down view that considers the broad strategic, operational, reporting, and compliance objectives

V – Vulnerabilities & Threats Assessment

Vulnerability

It’s common to define vulnerability as “weakness” or as an “inability to cope”. Both of these definitions are completely wrong (from a security and risk management perspective).

A better definition of vulnerability is “exposure”.

If you give a presentation at a conference it might open you to criticism or even ridicule. Plenty of people have a fear of public speaking for this very reason. However, the act of giving a speech isn’t a weakness it’s an exposure.

Connecting a system to the internet can represent a vulnerability. For example, it exposes a system to a DDoS attack. However, connecting a system to customers via the internet isn’t likely to be considered a weakness from a business perspective.

Threat

A threat is something bad that might happen. It’s as simple as that. A more complex definition wouldn’t be any more helpful.

From a security perspective the first threat that pops to mind is a security attack. However, a threat can range from innocent mistakes made by employees to natural disasters.

Risk

Risk is a chance that something unexpected will happen. It’s the combination of threats and vulnerabilities:

Risk = Threat x Vulnerability

W – Why bother with Risk Management

So much is happening in the world to pressurise. In difficult times most organisations adopt a ‘back-to-basics’ approach, scrutinising overheads and new projects to ensure that costs do not rise to unacceptable or unsustainable levels. Whether we are experiencing falling revenues now, or are fearful of what the future holds, focus on Risk Management can fade and not be a priority.

But there is a certain irony in this. Risk Management is intended to help management identify risks that could threaten the organisation and take action to mitigate or eliminate material risks. Risk Management provides management with confidence that unplanned disruption can be handled effectively and the organisation has the best chance to survive, whatever the circumstances.

In poorer economic times, businesses are more threatened by more risks and potential disruption than is the case during more prosperous periods. For one thing financial resources are likely to be more constrained, providing less flexibility in your response to realised threats and disruption.

For another, your organisation will be leaner, with fewer facilities, equipment and staff. You often have to downsize to cope with difficult economic circumstances. The organisation will be working in a lean manner and that lack of spare capacity can make recovery from unplanned disruption difficult to manage.

And then there is the competition who, in more difficult times, will be chomping on the bit to take your clients and your business away. If risks materialise and you are inadequately prepared, or your business faces unplanned disruption without the necessary plans in place, your competition will have the best opportunity to take bite sized chunks out of your business portfolio.

Client goodwill is something we all work hard for and is difficult enough to maintain in good times. In more challenging times your business has to be ready, willing and able to service clients when they require it, no matter what events transpire.

There is no need to advocate that all professional firms spend fortunes on Risk Management. Many of our financial institutions have done that for years and look where they have found themselves. But developing a sensible approach to managing risk, documenting key risks in a Risk Register (with appropriate mitigation noted) and preparing sensible and pragmatic Treatment and Business Continuity Plans should not cost the earth. It will however help you protect the value and goodwill you have created in your business and should not be ignored, despite the current circumstances.

X – X-Ray Spectacles – Horizon Scanning

When conducting risk assessments organisations are increasingly being forced to explore risks and disruptive threats further into the future. Typically, most companies cannot realistically look more than six months into the future with any degree of confidence for strategic planning. Unprecedented events and the complications of globalisation make even six months too vague for many.

Strategic anticipation or foresight is becoming an important capability to assist decision-making when confronted with increasing global risks and economic/geopolitical turbulence. A degree of uncertainty has always been a business reality, but today it is the extent of the uncertainty and the potential consequences that make organisations cautious and apprehensive about directions and decisions. Uncertainty cannot be managed as by its very nature it is incalculable, but organisations can reduce their vulnerability to it. New approaches are now required; understanding the mistakes of the past can be informative, but hindsight will not necessarily inform or help with foresight.

As a result, businesses must make an effort to develop scenarios, consider likely future events and apply futures methodologies. Tools such as horizon scanning help generate new insights based on social and environmental monitoring, or distributed sensing capability, which allow one to make sense of an emerging threat, issue or trend. As a logical extension of scenario planning, horizon scanning can be used alongside techniques such as crowd sourcing, trend analysis, phase transition and experiential learning, amongst others, to generate ideas about likely future risks, issues and opportunities.

It is vital that corporations, when faced with continuous anxiety and uncertainty become skilled at spotting trends; they also need to acquire the techniques of pattern recognition and horizon scanning to generate strategic options and guide decision-making.

Y – Your Organisation and Risk

Whatever the size of your organisation, Risk Management should be a consideration. Ask yourself the following questions about your organisation:

  1. What are the organisation’s top risks, how severe is their impact and how likely are they to occur?
  2. How often does the organisation refresh its assessment of the top risks?
  3. Who owns the top risks and is accountable for results, and to whom do they report?
  4. How effective is the organisation in managing its top risks?
  5. Are there any organisational “blind spots” warranting attention?
  6. Does the organisation understand the key assumptions underlying its strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions?
  7. Does the organisation articulate its risk appetite and define risk tolerances for use in managing the business?
  8. Does the organisation’s risk reporting provide management and the board information they need about the top risks and how they are managed?
  9. Is the organisation prepared to respond to extreme events?
  10. Does the board have the requisite resources to provide effective risk oversight?

If you’re struggling to answer these questions or are uncomfortable with how you’re feeling about your answers, don’t panic! You’re not alone. But you should be doing something about it before a risk becomes a reality!

Z – Zurich to Accenture

Risk Management is big business, from consulting to insurance. There are literally thousands of organisations that you can engage with from the global players such as Zurich and Accenture to the smaller more regional consultancies and insurers.

Insurance will not reduce your business’ risks but you can use it as a financial tool to protect against losses associated with some risks. This means that in the event of a loss you will have some financial compensation. This can be crucial for your business’ survival in the event of, say, a fire which destroys a factory.

Some costs are uninsurable, such as the damage to a company’s reputation. On the other hand, in some areas insurance is mandatory. Insurance companies increasingly want evidence that risk is being managed. Before they will provide cover, they want evidence of the effective operation of processes in place to minimise the likelihood of a claim.

If you need support in implementing a cost-effective Risk Management system for your organisation we’d be delighted to help you. Give us a call or click here to get in touch!

email