
Page 1: A to Z of Risk Management

A to Z of Risk Management

© Mark Conway - Oak Consult 2014


Introduction

All organisations, whatever their size or market, face a range of risks affecting the achievement of their objectives. While "risk" is commonly regarded as negative, risk management is as much about exploiting potential opportunities as preventing potential problems.

Risk management comprises a framework and process that enable organisations to manage uncertainty in an effective, efficient and systematic way from strategic, programme, project and operational perspectives, as well as supporting continual improvement. Risk management applies at all levels of an organisation and to all activities.

In this A to Z, I’d like to cover some of the key areas of Risk Management and Treatment and give you a better understanding of this broad topic that underpins multiple quality and ISO standards.


Appetite for Risk

Considering and setting a risk appetite enables an organisation to improve outcomes by optimising risk taking and accepting calculated risks within an appropriate level of authority. The organisation's risk appetite should be established and approved by Senior Management and effectively communicated throughout the organisation. The organisation should prepare a risk appetite statement, which may:

– Provide direction and boundaries on the risk that can be accepted at various levels of the organisation, how the risk and any associated reward is to be balanced, and the likely response
– Consider the context and the organisation's understanding of value, cost-effectiveness of management, rigour of controls and assurance processes
– Recognise that the organisation might be prepared to accept a higher than usual proportion of risk in one area if the overall balance of risk is acceptable
– Define the control, permissions and sanctions environment, including the delegation of authority in relation to approving the organisation's risk acceptance, highlighting of escalation points
– Be reflected in the organisation's risk management policy and risk reporting system
– Include qualitative statements outlining specific risks the organisation is or is not prepared to accept
– Include quantitative statements which set out how certain risks and their rewards are to be judged and/or how the aggregate consequences of risks are to be assessed and monitored.


Benefits of implementing Risk Management

Organisations often find that Risk Management provides a combination of both qualitative and quantitative benefits.

Creation of a more risk-focused culture for the organisation

Organisations that have implemented Risk Management note that increasing the focus on risk at the senior levels results in more discussion of risk at all levels. The resulting cultural shift allows risk to be considered more openly and breaks down silos with respect to how risk is managed. As risk discussions develop into a standard part of the overall strategic business processes, functional units often find that addressing risk in a more formal way helps manage their part of the organisation as well. Communication and discussion of risk is recognised not only as a process to provide information to senior management, but as a way to share risk information within and across operations of the company and allow better insights and decision making concerning risk at all levels.

Standardised risk reporting

A formal Risk Management System supports better structure, reporting, and analysis of risks. Standardised reports that track enterprise risks can improve the focus of Senior Management by providing timely data that enables better risk mitigation decisions. The variety of data (status of key risk indicators, mitigation strategies, new and emerging risks, etc.) helps leadership understand the most important risk areas. These reports can also help leaders develop a better understanding of risk appetite, risk thresholds, and risk tolerances.

Improved focus and perspective on risk

A Risk Management System develops leading indicators to help detect a potential risk event and provide an early warning. Key metrics and measurements of risk further improve the value of reporting and analysis and provide the ability to track potential changes in risk vulnerabilities or likelihood, potentially alerting organisations to changes in their risk profile.

Efficient use of resources

In organisations without Risk Management, many individuals may be involved with managing and reporting risk across functional units. While developing a Risk Management System does not replace the need for day-to-day risk management, it can improve the framework and tools used to perform the critical risk management functions in a consistent manner. Eliminating redundant processes improves efficiency by allocating the right amount of resources to mitigating the risk.

Effective coordination of regulatory and compliance matters

Financial statement auditors, insurers and regulatory examiners have begun to inquire about, test, and use monitoring and reporting data from Risk Management systems. Since Risk Management data involves identifying and monitoring controls and mitigation efforts across the organisation, this information can help reduce the effort and cost of such audits and reviews.

Through all of the benefits noted above, Risk Management can enable better cost management and risk visibility related to operational activities. It also enables better management of market, competitive, and economic conditions, and increases leverage and consolidation of disparate risk management functions.


Context

Before starting the design and implementation of a risk management framework, it is important to evaluate and understand both the external and internal context of the organisation, since these can significantly influence the framework design. Evaluating the organisation's external context may include:

a) The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
b) Key drivers and trends having an impact on the objectives of the organisation
c) Relationships with, and perceptions and values of, external stakeholders

Evaluating the organisation's internal context may include:

a) Governance, organisational structure, roles and accountabilities
b) Policies, objectives, and the strategies that are in place to achieve them
c) Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies)
d) Information systems, information flows and decision-making processes (both formal and informal)
e) Relationships with, and perceptions and values of, internal stakeholders
f) Organisational culture
g) Standards, guidelines and models adopted by the organisation
h) Contractual relationships with suppliers


Documentation

Documenting an organisation’s risk management framework and recording each step of the risk management process is critical for a number of reasons, including:

– Demonstrating to stakeholders that the process has been conducted properly
– Providing evidence of a systematic approach to risk identification and analysis
– Enabling decisions or processes to be reviewed
– Providing a record of risks and developing the organisation’s knowledge database
– Providing decision makers with a risk management plan for approval and subsequent implementation
– Providing an accountability mechanism and tool
– Facilitating ongoing monitoring, review and continuous improvement
– Providing an audit trail
– Sharing and communicating information

The following areas of your organisation’s risk management framework need to be documented:

– Objectives and rationale for managing risk
– Accountabilities and responsibilities for managing and overseeing risks
– Processes and methods to be used for managing risks, i.e. how the Risk Management process will be applied in the organisation
– Commitment to the periodic review and verification of the risk management framework and its continual improvement
– The way in which risk management performance will be measured and reported
– Resources available to assist those accountable or responsible for managing risks
– Organisation’s risk appetite translated into risk rating criteria
– Links between risk management and the organisation’s objectives
– Links between risk management and other processes and activities
– Scope and application of risk management within the organisation
– Requirements for recording and documentation of the risk management process


Evaluating Risks

Risk evaluation involves comparing a risk’s overall exposure against the organisation’s risk appetite. This allows the determination of whether further controls are required to bring the risk within a level acceptable to the organisation. The output of the risk evaluation phase is a prioritised list of risks.

The following key steps are involved in evaluating risks:

1. Rank the risks based on the outcome of the risk analysis process

Risks can be ranked either qualitatively or quantitatively. Applying qualitative analysis, you can rank the risks using a heat map. The heat map is a colour-coded matrix with each colour indicating the level of risk. This heat map represents the tolerance level of your organisation. This would have been developed in the earlier phase of “Establish Context”, as it is a part of the organisation’s risk management context. Based on the control effectiveness rating, likelihood of the risk occurring and potential consequences identified in the earlier phase, plot the risks against the matrix. The completed matrix is your risk profile. Applying semi-quantitative analysis, the organisation can also rank the risks based on their numerical value. The numerical value is a combination of the values assigned by the organisation to control effectiveness, likelihood and consequence. The most common approach to visually recording risk is using a 3 by 3 or 5 by 5 heat map as illustrated below. A risk heat map is sometimes referred to as a risk matrix.

2. Consider the overall risk profile

Once the initial risk profile has been developed, the organisation may need to consider how each risk ranks in relation to the other risks. This step allows the organisation to conduct a “sanity check” of the risks that have been placed on the heat map to ensure that risks are rated correctly when compared to each other (e.g. “Risk manager may be off sick with flu” is not rated the same as “Project objectives may not be met”). Possible outcomes of this step include:

– The organisation may reassess the rating of some of the risks if it is felt that the overall spread of the risks relative to each other is not a true reflection of reality
– The organisation may recognise that some risks are similar to other risks, or are contributing factors to other risks; hence they may be incorporated into the risk description of other risks within the risk register
– The organisation may consider the interdependencies between the risks and consider the consequence on the organisation if more than one risk occurred at the same time. This may result in changes to the overall risk ratings.

3. Develop a list of priority risks

The primary objective of evaluation is to prioritise risks. This helps to inform the allocation of resources to manage risks, both non-financial and financial. The priority list can be categorised by a number of criteria dependent on what is most relevant for the organisation, e.g. risk rating, functional area or type of impact (i.e. strategic or operational). This will further refine the focus for risk treatment.
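Added example (not part of the deck): steps 1 and 3 above carried out in Python, combining control effectiveness, likelihood and consequence into a numerical value, plotting the result on a 5 by 5 heat map and producing a prioritised list categorised by functional area, with each risk compared against the appetite. The rating scales, the control-effectiveness credit, the colour bands and the appetite ceiling are assumptions, and the sample risks are constructed.

```python
"""Semi-quantitative risk evaluation on a 5 by 5 heat map (added example).

The scales, control credit, colour bands and appetite ceiling are assumed here,
not taken from the deck; the sample risks are constructed.
"""
from dataclasses import dataclass

# 1 to 5 rating scales of the kind fixed in the "Establish Context" phase (assumed).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Control effectiveness rating, expressed as the number of likelihood points the
# existing controls are credited with removing (assumed convention).
CONTROL_CREDIT = {"ineffective": 0, "partially effective": 1, "effective": 2}
# Colour bands of the heat map, highest threshold first (assumed tolerance levels).
BANDS = [(15, "red"), (8, "amber"), (4, "yellow"), (1, "green")]
# Highest colour the organisation accepts without further treatment (assumed appetite).
APPETITE_CEILING = "yellow"


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    area: str          # functional area, used to categorise the priority list
    likelihood: str
    consequence: str
    control: str       # control effectiveness rating


def inherent_score(risk):
    """Likelihood x consequence before crediting any existing controls."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]

def residual_likelihood(risk):
    """Likelihood after crediting control effectiveness, never below 1."""
    return max(1, LIKELIHOOD[risk.likelihood] - CONTROL_CREDIT[risk.control])

def residual_score(risk):
    """Numerical value combining control effectiveness, likelihood and consequence."""
    return residual_likelihood(risk) * CONSEQUENCE[risk.consequence]

def band(score):
    """Map a 1 to 25 score onto the heat map colour band."""
    for threshold, colour in BANDS:
        if score >= threshold:
            return colour
    return "green"

def heat_map(risks):
    """Plot residual risks against the matrix; keys are (likelihood, consequence) cells."""
    grid = {(l, c): [] for l in range(1, 6) for c in range(1, 6)}
    for r in risks:
        grid[(residual_likelihood(r), CONSEQUENCE[r.consequence])].append(r.ref)
    return grid

def render(grid):
    """Text rendering: likelihood 5 at the top, consequence 1 to 5 left to right."""
    lines = []
    for l in range(5, 0, -1):
        cells = [",".join(grid[(l, c)]) or "." for c in range(1, 6)]
        lines.append(f"L{l} | " + " | ".join(f"{cell:>6}" for cell in cells))
    lines.append("     " + " | ".join(f"{'C' + str(c):>6}" for c in range(1, 6)))
    return "\n".join(lines)

def prioritised(risks):
    """Priority list: highest residual score first, ties broken by reference."""
    return sorted(risks, key=lambda r: (-residual_score(r), r.ref))

def by_area(risks):
    """The same priority list categorised by functional area."""
    groups = {}
    for r in prioritised(risks):
        groups.setdefault(r.area, []).append(r.ref)
    return groups

def needs_further_treatment(risk):
    """True when the residual band sits above the appetite ceiling."""
    order = [colour for _, colour in reversed(BANDS)]  # green .. red
    return order.index(band(residual_score(risk))) > order.index(APPETITE_CEILING)


# Constructed sample entries; the first two descriptions are the deck's own examples.
SAMPLE = [
    Risk("R1", "Project objectives may not be met", "Projects", "likely", "major", "partially effective"),
    Risk("R2", "Risk manager may be off sick with flu", "Operations", "possible", "minor", "ineffective"),
    Risk("R3", "Supplier fails to deliver critical component", "Supply chain", "possible", "severe", "effective"),
    Risk("R4", "Customer data exposed through web portal", "IT", "possible", "major", "partially effective"),
]

if __name__ == "__main__":
    print(render(heat_map(SAMPLE)))
    for r in prioritised(SAMPLE):
        action = "treat further" if needs_further_treatment(r) else "accept"
        print(f"{r.ref} {band(residual_score(r)):>6} {residual_score(r):>2}  {action:<13} {r.description}")
```

The sanity check of step 2 shows up in the output: the flu risk (R2) lands in a lower band than the project-objectives risk (R1), and only the amber risks are flagged for further treatment.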


Frequency of risk reporting

At a minimum, an organisation should update and report on its risk profile on an annual basis. While an annual reporting and update cycle may meet statutory requirements, effective risk management typically requires more frequent reporting on risk. The frequency of risk reporting should reflect the cycle of the organisation’s regular internal reporting. Where the Executive receives monthly or quarterly progress reports on Financial, Operational, Health and Safety or IT matters, they may wish to receive similar risk reports.


Governance

The organisation's risk management framework should have the following features:

– Risk management as part of the organisation's overall approach or framework for governance
– Risk being recognised as a Senior Management matter, with the Board ultimately accountable for risk management
– Risk management objectives designed to support and achieve the organisation's risk appetite and the approach to recognising risk in decisions, providing achievable goals for risk management
– Ownership and accountability for managing and reporting on risk throughout the organisation
– Roles, accountabilities and responsibilities for managing risk, which are communicated and understood, and a clear distinction between those who have:
a) Direct responsibility for the management of risk, e.g. management and staff working within each functional unit
b) Responsibility for development, implementation, maintenance and oversight of the effectiveness of the risk management framework
c) Responsibility for providing independent assurance, e.g. internal audit
d) Ultimate responsibility for obtaining assurance and thereafter driving improvement
– A defined, effectively communicated and understood policy, which sets out the requirements for managing risk
– Defined processes / procedures for managing the organisation's risks and the development of risk management across the organisation
– A method of assessing, leading and monitoring the organisation's risk management culture
– Defined parameters around the level of risk that is acceptable to the organisation, and thresholds which trigger escalation, review and approval by an authorised person/body
– A defined approach to recognising risk in decisions and an appropriate flow of risk information around the organisation
– A commonly defined and agreed terminology for describing key risk management concepts and practices
– A risk management strategy and a risk management policy containing the objectives and plans for risk management across the organisation


High-Level Risk Management Framework


Individual’s role within Risk Management

The organisation should embed risk management by incorporating it into each individual's responsibilities. People should understand:

– The risks that relate to their roles and their activities
– How the management of risk relates to the success of the organisation
– How the management of risk helps them to achieve their own goals and objectives
– Their accountability for particular risks and how they can manage them
– How they can contribute to continuous improvement of risk management
– That risk management is a key part of the organisation's culture
– The need to report in a systematic and timely way to senior management any perceived new or emerging risks, near misses or failures of existing control measures within the parameters agreed


Joined-up Risk Management

No organisation or function within an organisation works in true isolation when it comes to risk management.

Internal Risk Management

Many organisations handle risk management within functions and submit risks and risk matrices to senior management based upon their evaluation of their functional area risks. The same risks may exist elsewhere in an organisation but their impact and subsequent treatment recommendations may differ. It is therefore hugely important for senior management to collectively review risk matrices to ensure that risk levels and their treatment are agreed upon from an organisational perspective.

External Risk Management

Some risks and their associated treatments may require joint effort between organisations and third parties. This could involve negotiation with third-party suppliers, local / national government as well as emergency service organisations. Being prepared and being connected to the right stakeholders could mean the difference between your organisation becoming operational very quickly following a major incident and going out of business.


Keeping your Risk Register up-to-date

The purpose of a risk register is to record details of all risks that have been identified, together with their analysis and plans for how those risks are to be treated. The risk register is an important component of the overall risk management framework. It will include ALL risks - not just operational risks - and can be focused either on the organisation as a whole, or on specific projects where it is used to maintain the register of project risks over the lifetime of the project.

An important parameter recorded in the risk register is the 'owner' of each risk - the person who owns responsibility for actions relating to that risk.

It is important to record when the risk item was identified and added to the register, when the entry was last updated and, for some items, when they were closed. However, closed items should be maintained for historical analysis purposes, perhaps being transferred to a separate 'closed risks' register table.

Access to the risk register must be controlled to maintain its integrity and confidentiality. Some items recorded in the register may be very sensitive and thus not for wide publication. These confidential items can be 'flagged' by adding an extra field to the table record structure. The integrity of all item entries is also important, so you need a security policy for the register that defines who should be able to update the table and who can read it.
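Added example, not from the deck, of the register structure just described: an owner per risk, identified/updated/closed dates, a separate closed-risks table, a confidential flag, and a security policy deciding who may update the table and who may read which items. The role names, the policy table and the sample entries are assumptions.

```python
"""Risk register with owners, lifecycle dates, a confidential flag and read/update
controls. Added example: roles, policy table and sample entries are assumed."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RiskEntry:
    ref: str
    description: str
    owner: str                  # person accountable for actions on this risk
    identified: date            # when the item was added to the register
    updated: date               # when the entry was last changed
    treatment: str = ""
    confidential: bool = False  # extra field flagging items not for wide publication
    closed: Optional[date] = None


@dataclass(frozen=True)
class Actor:
    name: str
    role: str


# Security policy for the register (assumed): which roles may update entries,
# which may read it at all, and which may see items flagged confidential.
POLICY = {
    "update": {"risk_manager", "risk_owner"},
    "read": {"risk_manager", "risk_owner", "internal_audit", "board", "staff"},
    "read_confidential": {"risk_manager", "internal_audit", "board"},
}


class AccessDenied(PermissionError):
    """The register's security policy forbids the requested operation."""


class RiskRegister:
    def __init__(self):
        self.open = {}    # ref -> RiskEntry for live risks
        self.closed = {}  # separate 'closed risks' table kept for historical analysis

    def _require_update(self, actor, entry):
        if actor.role not in POLICY["update"]:
            raise AccessDenied(f"role {actor.role} may not update the register")
        # A risk owner may only change entries they own; the risk manager may change any.
        if actor.role == "risk_owner" and entry.owner != actor.name:
            raise AccessDenied(f"{actor.name} does not own {entry.ref}")

    def add(self, actor, entry):
        self._require_update(actor, entry)
        if entry.ref in self.open or entry.ref in self.closed:
            raise ValueError(f"duplicate reference {entry.ref}")
        self.open[entry.ref] = entry

    def update(self, actor, ref, today, **changes):
        """Apply field changes and stamp the last-updated date."""
        entry = self.open[ref]
        self._require_update(actor, entry)
        self.open[ref] = replace(entry, updated=today, **changes)
        return self.open[ref]

    def close(self, actor, ref, today):
        """Move an item to the closed table instead of deleting it."""
        entry = self.open[ref]
        self._require_update(actor, entry)
        self.closed[ref] = replace(entry, updated=today, closed=today)
        del self.open[ref]
        return self.closed[ref]

    def view(self, actor, include_closed=False):
        """Entries the actor may read; confidential items are withheld from roles
        without clearance unless the actor owns the risk."""
        if actor.role not in POLICY["read"]:
            raise AccessDenied(f"role {actor.role} may not read the register")
        entries = list(self.open.values())
        if include_closed:
            entries += list(self.closed.values())
        if actor.role in POLICY["read_confidential"]:
            return entries
        return [e for e in entries if not e.confidential or e.owner == actor.name]


def demo():
    """Constructed walk-through: add two risks, update one, close the other."""
    reg = RiskRegister()
    manager, owner = Actor("Alice", "risk_manager"), Actor("Bob", "risk_owner")
    start = date(2014, 3, 1)
    reg.add(manager, RiskEntry("R1", "Project objectives may not be met", "Bob", start, start))
    reg.add(manager, RiskEntry("R2", "Key supplier in financial difficulty", "Alice",
                               start, start, confidential=True))
    reg.update(owner, "R1", date(2014, 4, 1), treatment="Weekly steering review")
    reg.close(manager, "R2", date(2014, 6, 1))
    return reg
```

Calling demo() returns the populated register; view() with a staff actor then returns only R1, while a board member also sees the closed, confidential R2.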


Likelihood and Impact of Risks

Events identified as potentially impeding the achievement of objectives are deemed to be risks and should be evaluated based on the likelihood of occurrence and the significance of their impact on the objectives. It is important to first evaluate such risks on an inherent basis—that is, without consideration of existing risk responses and control activities.

For example, an organisation with headquarters on the banks of a river may seek to assess its exposure to the risk of flooding. On an inherent basis, it would consider the likelihood and impact of a flood by considering external data (such as the historical and projected frequency of floods) and internal data (such as the estimated damage to its physical assets if a flood were to occur). An impact and probability rating should then be assigned using defined risk rating scales. These individual risk ratings should then be brought together in the form of an inherent risk map as I outlined in E.

Additionally, as risk assessments are refreshed over time, a risk map can allow analysis over time (e.g., upward or downward trend of risks, and the extent of positive or negative correlations between certain risks).


Monitoring and Review

Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. It can be periodic or ad hoc. The organisation's monitoring and review processes should encompass all aspects of the risk management process for the purposes of:

– Ensuring that controls are effective and efficient in both design and operation
– Obtaining further information to improve risk assessment
– Analysing and learning lessons from events (including near-misses), changes, trends, successes and failures
– Detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities
– Identifying emerging risks

Progress in implementing risk treatment plans provides a performance measure. The results can be incorporated into the organisation's overall performance management, measurement and external and internal reporting activities. The results of monitoring and review should be recorded and externally and internally reported as appropriate, and should also be used as an input to the review of the risk management framework.


No Risk, No Reward

“No risk, no reward; no guts, no glory!” In business, this mantra poses challenges, especially when dealing with compliance, security and risk management—organisations often need to take risks to get ahead of competition and take care to avoid overstepping their bounds. Organisations must address the point when something is no longer a risk, but an inevitable failure.

When a large organisation takes a risk, it has to consider a wide range of people: its employees, customers, investors and other stakeholders. Do regulatory requirements drive all choices and should the company always play it safe? No risk, no reward, remember?

Companies in the 21st century that play it safe are going to fall to the competition. “The bigger the risk, the bigger the reward” is becoming a culture rather than just a motivational poster. The businesses that push too hard, too fast will have less success, but the companies that remain calculated, deliberate, and informed when taking risks are not really taking risks at all - they are making smart business decisions.

What is vital to organisational survival, and to the ability to thrive in a competitive industry culture, are the right tools and resources needed to make calculating risks easier and faster.


Owners of Risks and Responses

Where the risk management process identifies any risks that need to be actively managed, each risk and each response should be assigned an owner who is responsible and accountable for:

– In the case of a risk, owning the organisation's assessment of the risk, monitoring it, and reporting its status
– In the case of a risk response, responding to the risk, contributing to the development and maintenance of an appropriate control environment, and reporting on the status of the response

Risks and their responses may be owned by the same person.


Policy

The organisation's risk management policy may include:

– Governance, outlining how risk management is governed
– Policy scope, describing the purpose of the policy and who it is aimed at; describing the high level principles and the benefits of implementing risk management; setting out the objectives, including legal and regulatory requirements, and what it intends to achieve; and providing an explanation of the relationship with other policies
– Policy applicability, setting out to whom and to what the policy applies
– Risk management process, providing a high level overview and description of the risk management process adopted by the organisation
– Risk appetite, outlining the organisation's risk appetite, thresholds and escalation procedure
– Reporting, describing the purpose, frequency and scope of reporting
– Roles, accountabilities and responsibilities, describing the high level roles, accountabilities and responsibilities in respect of risk management
– Variations and dispensations, stating whether variations or dispensations from the policy are allowed and, if they are allowed, describing the process for requesting them


Qualitative and Quantitative Risk Analysis

Quantitative Risk Analysis

In short, quantitative risk analysis is by far the most exhaustive, costly and time-consuming method of doing a risk assessment. However, its primary benefit is identification of your greatest risk based on financial impact. Assigning a value to the loss associated with a vulnerability is often the best way to obtain corporate buy-in and a true understanding of the impact to the organisation. Quantitative is the only option if your Senior Management requires numeric figures and findings that can be measured against budgets from year to year.

Quantitative Risk Analysis - Key Points:

– Yields results in terms of financial impact
– All findings are expressed in monetary values, percentages, and probabilities
– Allows for more control and understanding regarding procurement and budgeting
– Requires larger organisational cooperation
– Better protection against litigation risk
– Very time intensive

Qualitative Risk Analysis

Qualitative risk analysis is more common than quantitative due to the time and cost involved. In qualitative analysis, the assets are discovered and reviewed for known vulnerabilities against a database of potential vulnerabilities. The risk is then measured against relative scales to determine the probability of a threat exploiting the vulnerability. Threat impact, probability of threats, and vulnerabilities used in the analysis are very subjective between the analysts conducting the analysis. It is not uncommon in a qualitative risk analysis to have two experts with differing conclusions. If an organisation is strapped for time or can't afford the resources to dedicate to understanding its risk in detail, qualitative is the best methodology.

Qualitative Risk Analysis - Key Points:

– Requires less time and is less costly
– Findings are simple in nature
– Focus is on specific vulnerabilities to the affected assets
– Values of loss are perceived and not quantified
– Vulnerabilities are rated subjectively
– Focus is on understanding the risk, and findings often include recommendations for mitigation based on the analysts' knowledge and expertise


Risk Management Process

The organisation's risk management process should, as a minimum, comprise the following steps:

Context

Identification

Assessment

Response

Reporting

Review


Senior Management Responsibilities

The responsibilities of the senior management of the organisation in respect of risk management should include:

– Ensuring that there is a fit-for-purpose and up-to-date risk management framework and process in place and that risk management is adequately resourced and funded
– Providing strategic direction on the appropriate recognition of risk in decisions and setting risk appetite and associated authority
– Approving the risk management policy and setting the "tone" and culture for managing risk and embedding risk management
– Ensuring the key risks facing the organisation are properly assessed and managed
– Evaluating the risk implications of change
– Planning for how the organisation will respond to risks that could arise, including the management of a crisis
– Providing direction and receiving assurance on the effectiveness of risk management and compliance with the risk management policy
– Reporting on risk management to stakeholders and signing off public disclosures


Treatment of Risks

Risk Treatment is the process of selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, optimising, transferring or retaining risk.

Management or treatment options for risks expected to have a positive outcome include:

– Starting or continuing an activity likely to create or maintain a positive outcome
– Modifying the likelihood of the risk, to increase possible beneficial outcomes
– Trying to manipulate possible consequences, to increase the expected gains
– Sharing the risk with other parties that may contribute by providing additional resources which could increase the likelihood of the opportunity or the expected gains
– Retaining the residual risk

Management options for risks having negative outcomes look similar to those for risks with positive ones, although their interpretation and implications are completely different. Such options or alternatives might be:

– To avoid the risk by deciding to stop, postpone, cancel, divert or continue with an activity that may be the cause of that risk
– To modify the likelihood of the risk by trying to reduce or eliminate the likelihood of the negative outcomes
– To try modifying the consequences in a way that will reduce losses
– To share the risk with other parties facing the same risk (insurance arrangements and organisational structures such as partnerships and joint ventures can be used to spread responsibility and liability)
– To retain the risk or its residual risks


Understanding the types of Risk Assessment

Risk assessment can be conducted at various levels of an organisation. The objectives and events under consideration determine the scope of the risk assessment to be undertaken. Examples of frequently performed risk assessments include:

– Strategic risk assessment
– Operational risk assessment
– Compliance risk assessment
– Internal audit risk assessment
– Financial statement risk assessment
– Fraud risk assessment
– Market risk assessment
– Credit risk assessment
– Customer risk assessment
– Supply chain risk assessment

The examples described above are illustrative only. Every organisation should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends upon priorities and objectives. It may be narrow and specific to a particular risk, as in some of the examples above. It may be broad but high level: e.g., an enterprise-level risk assessment or a top-down view that considers the broad strategic, operational, reporting, and compliance objectives. A fuller explanation of the examples above can be found here.


Vulnerabilities & Threats Assessment

Vulnerability

It's common to define vulnerability as "weakness" or as an "inability to cope". Both of these definitions are completely wrong (from a security and risk management perspective). A better definition of vulnerability is "exposure".

If you give a presentation at a conference it might open you to criticism or even ridicule. Plenty of people have a fear of public speaking for this very reason. However, the act of giving a speech isn't a weakness, it's an exposure.

Connecting a system to the internet can represent a vulnerability. For example, it exposes a system to a DDoS attack. However, connecting a system to customers via the internet isn't likely to be considered a weakness from a business perspective.

Threat

A threat is something bad that might happen. It's as simple as that. A more complex definition wouldn't be any more helpful. From a security perspective the first threat that pops to mind is a security attack. However, a threat can range from innocent mistakes made by employees to natural disasters.

Risk

Risk is a chance that something unexpected will happen. It's the combination of threats and vulnerabilities:

Risk = Threat x Vulnerability


Why bother with Risk Management?

In difficult times most organisations adopt a back-to-basics approach, scrutinising overheads and new projects to ensure that costs do not rise to unacceptable or unsustainable levels. Whether we are experiencing falling revenues now, or are fearful of what the future holds, focus on Risk Management can fade and not be a priority.

But there is a certain irony in this. Risk Management is intended to help management identify risks that could threaten the organisation and take action to mitigate or eliminate material risks. Risk Management provides management with confidence that unplanned disruption can be handled effectively and the organisation has the best chance to survive, whatever the circumstances.

In poorer economic times, businesses are more threatened by more risks and potential disruption than is the case during more prosperous periods. For one thing, financial resources are likely to be more constrained, providing less flexibility in your response to realised threats and disruption.

For another, your organisation will be leaner, with fewer facilities, equipment and staff. You often have to downsize to cope with difficult economic circumstances. The organisation will be working in a lean manner and that lack of spare capacity can make recovery from unplanned disruption difficult to manage.

And then there is the competition who, in more difficult times, will be chomping at the bit to take your clients and your business away. If risks materialise and you are inadequately prepared, or your business faces unplanned disruption without the necessary plans in place, your competition will have the best opportunity to take bite-sized chunks out of your business portfolio.

Client goodwill is something we all work hard for and is difficult enough to maintain in good times. In more challenging times your business has to be ready, willing and able to service clients when they require it, no matter what events transpire.

There is no need to advocate that all professional firms spend fortunes on Risk Management. Many of our financial institutions have done that for years and look where they have found themselves. But developing a sensible approach to managing risk, documenting key risks in a Risk Register (with appropriate mitigation noted) and preparing sensible and pragmatic Treatment and Business Continuity Plans should not cost the earth. It will however help you protect the value and goodwill you have created in your business and should not be ignored, despite the current circumstances.


X-Ray Spectacles

Horizon Scanning

When conducting risk assessments, organisations are increasingly being forced to explore risks and disruptive threats further into the future. Typically, most companies cannot realistically look more than six months into the future with any degree of confidence for strategic planning. Unprecedented events and the complications of globalisation make even six months too vague for many.

Strategic anticipation, or foresight, is becoming an important capability to assist decision-making when confronted with increasing global risks and economic/geopolitical turbulence. A degree of uncertainty has always been a business reality, but today it is the extent of the uncertainty and the potential consequences that make organisations cautious and apprehensive about directions and decisions. Uncertainty cannot be managed, since by its very nature it is incalculable, but organisations can reduce their vulnerability to it. New approaches are now required; understanding the mistakes of the past can be informative, but hindsight will not necessarily inform or help with foresight.

As a result, businesses must make an effort to develop scenarios, consider likely future events and apply futures methodologies. Tools such as horizon scanning help generate new insights based on social and environmental monitoring, or distributed sensing capability, which allow one to make sense of an emerging threat, issue or trend. As a logical extension of scenario planning, horizon scanning can be used alongside techniques such as crowdsourcing, trend analysis, phase transition and experiential learning, amongst others, to generate ideas about likely future risks, issues and opportunities.

It is vital that corporations, when faced with continuous anxiety and uncertainty, become skilled at spotting trends; they also need to acquire the techniques of pattern recognition and horizon scanning to generate strategic options and guide decision-making.


Your Organisation and Risk

Whatever the size of your organisation, Risk Management should be a consideration. Ask yourself the following questions about your organisation:

1. What are the organisation’s top risks, how severe is their impact and how likely are they to occur?
2. How often does the organisation refresh its assessment of the top risks?
3. Who owns the top risks and is accountable for results, and to whom do they report?
4. How effective is the organisation in managing its top risks?
5. Are there any organisational blind spots warranting attention?
6. Does the organisation understand the key assumptions underlying its strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions?
7. Does the organisation articulate its risk appetite and define risk tolerances for use in managing the business?
8. Does the organisation’s risk reporting provide management and the board with the information they need about the top risks and how they are managed?
9. Is the organisation prepared to respond to extreme events?
10. Does the board have the requisite resources to provide effective risk oversight?

If you are struggling to answer these questions or are uncomfortable with how you are feeling about your answers, don’t panic! You’re not alone. But you should be doing something about it before a risk becomes a reality!


Zurich to Accenture

Risk Management is big business, from consulting to insurance. There are literally thousands of organisations that you can engage with, from the global players such as Zurich and Accenture to the smaller, more regional consultancies and insurers.

Insurance will not reduce your business' risks, but you can use it as a financial tool to protect against losses associated with some risks. This means that in the event of a loss you will have some financial compensation. This can be crucial for your business' survival in the event of, say, a fire which destroys a factory.

Some costs are uninsurable, such as the damage to a company's reputation. On the other hand, in some areas insurance is mandatory. Insurance companies increasingly want evidence that risk is being managed. Before they will provide cover, they want evidence of the effective operation of processes in place to minimise the likelihood of a claim.

If you need support in implementing a cost-effective Risk Management system for your organisation, we would be delighted to help you. Give us a call or click here to get in touch!