Consider the painter propping up a ladder to paint a wall: once the ladder has been placed in the right position, the painter will give it a good shake from side to side.
By bombarding the ladder with physical forces, the painter is simulating how stable the ladder will be when he climbs up to paint. The same is true in business. Check some of your stable business platforms and give them a good shake: are there any new risks that fall out?
There is more to risk than what you can see. The notion of enterprise risk is that it occurs at each of your organisation's touch points. This would include: strategic, compliance, financial, operational, environmental and reputational risk.
Consider risk as opportunity
Standards Australia defines risk management as: "The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects".
In many organisations today, risk has been separated from all positive connotations.
When risk is viewed purely as negative, the management of risk is limited to controlling its adverse effects. If your environment or marketplace is peppered with legitimate risk, it is quite likely that untapped opportunities lie there as well.
Choosing to approach risk management as nothing more than an expenditure of time / money shuts down a more creative approach to managing risk.
If your organisation chooses to take a positive point of view on risk, or at least a more constructive viewpoint, how would staff then begin to manage risk in their own areas of responsibility - even in the face of complete uncertainty?
The key questions that the CEO and the Board need to be aware of regarding risk
- What are the potential risks from the points of view of those people who know our organisation (including stakeholders)?
- Are the risks higher or lower than in the past? What has changed, and do we have to do anything about it?
- What would it take for our organisation to reduce or avoid the occurrence of the identified risks, and how can we turn this to our strategic advantage?
- Are the risks being monitored on an ongoing basis?
How to create a risk management plan that can generate revenue and expose innovative ideas
- Identify all potential risks
Identifying risks involves not having a fixed point of view of what constitutes risk. To mitigate your own biases, enlist the help of internal and external stakeholders.
Proceed to identify the risks that appear in your:
- Classes of assets in your Asset Register
- Profit and loss statement line items
- Strategic and business plan
- Health and safety reports
- Benchmark against other organisations (swap risk registers / plans)
- Rank risk according to its potential to occur and possible impact
After the relevant stakeholders have been identified, proceed to identify and compile the relevant risks through surveys, phone interviews, focus groups or other mechanisms.
A Board-approved set of definitions of levels of risk is essential.
Each risk identification in the Risk Library should be analysed for its potential to occur, and simultaneously be analysed for its impact to the organisation if it does occur. Reference this against the quality of the existing controls for that risk. The best way to ensure that everyone is on the same page is to create a list of agreed definitions for each of the potential, impact and control components.
It is essential that the Board's risk management committee or equivalent (e.g. Finance and Audit committee) sign off on these definitions, as they form the basis of identifying the key risks, and therefore the focus of the Board.
Identifying those risks that will have the greatest impact on the ability of your organisation to deliver against your strategic objectives then becomes much simpler. They are those risks with the highest scores - i.e., high potential to occur, high impact if they do occur and ineffective existing controls.
These risks are then put into a risk system (most common is a spreadsheet or 'Risk Library').
- Create a risk treatment plan
From there, each key risk needs to have a 'treatment' plan (effectively meaning: what are we going to do about the risk?). Most treatment plans only focus on reducing the risk, but risk management should not only be about reduction or mitigation, it should consider how strategic advantage can be derived from understanding and managing that risk.
The risk committee (or equivalent) can then develop treatment plans for each of the identified risks, starting with the highest rated risks. A risk treatment plan should follow the principles of good project management.
Taking your treatment plan to the next level
The one thing that will make your risk management plan create true value for your organisation is if you also include a section for each risk in the plan that explores 'Strategic Advantage'.
Ask the question: "How can we turn this risk and our treatment of it into strategic advantage?"
Each key risk is, in fact, something that will impact on your ability to deliver against your strategic objectives. Therefore, key risks will have key strategic impacts and major strategic advantages if managed well. Your job is to identify these advantages and leverage them.
What is the Board's role in managing risk?
- Agree on and monitor the 3 or 4 critical risks facing the organisation
- The Board is responsible for approving and monitoring the risk management policy
- Establish key performance indicators (KPIs) for the CEO
- Embed risk into the strategic discussions and analysis of the Board
When deliberating on decisions at the Board meeting, ask the risk question: "What are the risks inherent in this proposal, and how can we turn these risks into strategic advantage?" It is your responsibility to ensure managing risk is an ongoing strategic process, not a compliance issue.