Preparing for and responding to issues and crises is a commonly experienced task for all organisations around the world.
Whether these are small issues with little business impact or an economic and safety pandemic, whether it is predicted or unforeseen, every organisation needs to adopt a robust risk management system to remain competitive.
Organisations must have a process to identify, evaluate, and then manage their risks or barriers to success. There is no one-size-fits-all solution to risk management. Quality, risk and compliance managers need to assess the current level of risk maturity in the organisation to determine an appropriate approach.
Risk maturity can range from Pathological, there is no time for any kind of investment to improve processes; Reactive, an incident has occurred, and this is the response; Calculative, regulation has changed therefore business processes change; Proactive, value placed on continual improvement activities; and Generative, risk is included and embedded in everyday business processes.
A robust risk management process embraces risk management principles. It thinks of risk broadly to not only focus on sales and competition, but to consider all aspects that contribute to the overall success of the business. According to risk management principles, the most successful risk management programs are integrated into everyday business processes, and structured in a systematic and consistent way to be inclusive of all stakeholders (both internal and external). In other words, it needs to be nimble and sensitive to situational changes, reviewed on an ongoing basis to assess historical data and future assumptions to determine its currency and applicability. Following these principles ensures the organisation can eliminate weaknesses that impede growth and success.
Organisations should consider the following framework when developing their risk management process to ensure it continually meets their risk appetite:
Establish the Context
Risk management needs to be customised, aligning with the organisation’s context. This includes understanding the people, processes and technology needed to operate, as well as setting the threshold for risk tolerance and acceptance.
Taking this one step further, risk management should closely align with the organisation’s strategic direction, looking to protect the processes, resources, activities or systems that directly contribute to business success.
Conduct Risk Assessment
The risk assessment process should identify, analyse and evaluate risks. The organisation should apply their risk management system using a comprehensive methodology to identify the risks associated with their activities, products, and services. They should then objectively assess the risks and prioritise the actions required to prevent or mitigate risks to an acceptable level.
There are several sources of risks likely identified in any organisation. These risks can be grouped into four categories:
- Physical properties – premises; product; materials
- People elements – people; procedures; protection
- Actions or operations – processes; performance against target
- Management issues – policy and strategy; planning and organising
There are additional risks that might need to be considered according to the organisation’s context, such as the physical location of the organisation from a regulatory perspective and community influence, and potential product lifecycles waste management, recalls and expertise needed to maintain. All of these are factors to consider when the organisation is developing its risk profile.
The risk identification process is most effective when key stakeholders are involved in the process, and it can answer:
- What are the sources of risks or threats?
- What could happen, where could it occur, when could it occur and how often?
- What are the causes?
- What are the business consequences?
- Which business areas and stakeholders affected?
- What controls currently exist?
Factors associated with each of these topics are to be utilised as prompts to gain a full perspective of all the risks. Any risk not identified through a structured approach will be excluded from any further analysis and therefore may potentially be dropped.
There are many different risk identification techniques including brainstorming, interviews, checklists, structured “What If”, scenario analysis, fault-tree analysis, bow tie analysis, direct observations, incident analysis, and surveys. They vary in complexity and each method has its advantages and disadvantages to its use. No matter what technique is utilised, the organisation needs to evaluate the effectiveness of its application to determine if the analysis and the actions taken were effective. This should be an iterative process.
Creating a risk statement helps clearly define the risk, and avoids misleading information and misclassifying the risk. It should contain three components:
- Uncertain Event: what could occur?
- Its Cause: what is the trigger, source or factor contributing to risk occurring?
- Its Effect: the consequences and effect on strategic objectives.
Identified risks need to be analysed and evaluated for their potential impact on the organisation’s performance. A risk matrix is an efficient way of assessing the likelihood of risk against its severity. It visualises what risks are accepted and what requires treatment, accommodating for prioritisation.
Once risks are prioritised, the organisation can start looking to implement a treatment process. This means selecting the right measures to modify the organisation’s exposure to the risk, and therefore protecting or enhancing the organisations ability to achieve its objectives. A risk treatment process includes steps to develop a practical option for treatment, testing the options and developing a treatment plan.
The first step is to determine how the organisation should respond to the risk by considering whether it will accept, actions to be determined as needed; avoid, eliminate the cause or threat; transfer, moving the risk to another party; mitigate, reduce the impact of a risk that can’t be removed; or exploit, pivot or add work to ensure the opportunity occurs.
Each response needs to be tested to consider factors such as direct and indirect costs and benefits, practicality and resource requirements, effectiveness of treatment, “checkability” and ease of maintenance and timing. When the appropriate risk treatment option has been identified a risk treatment plan should be developed to ensure that the implementation happens in a timely manner and to ensure it has the intended effect on the result otherwise, you must start the process again. Treatment plans should answer the following:
- Reasons for selecting a particular response.
- Critical assumptions, uncertainties and dependencies.
- Accountability for approval and recommendation.
- Actions required.
- Resource requirements including for contingencies.
- Performance requirements and constraints.
- Monitoring and reporting.
- Timing and schedule.
- Risk assessment of the risk treatment plan.
Similar to the identification process, key stakeholders must be engaged to provide relevant information to make evidence-based decisions on the level of risk and provide input into prioritising treatment plans. Treatment plans should be tested by considering risk at two levels:
- Without any controls in place to determine the magnitude of the inherent risk.
- Taking into consideration the current controls that are in place, and re-evaluating whether the residual risk is acceptable to the organisation
The result of this risk treatment process is to develop a risk register that tracks all the information and decisions made. While risk registers are an effective tool that can help meet documentation requirements, it can lead to ritualistic decision-making and create an illusion of control. In other words, risk management is not a task that has a finish.
Monitor & Review
Monitoring and measuring is a critical component to any business. It is also an integral component to the risk management process, yet unfortunately, is one that is most often overlooked. The organisation must identify the relevant metrics to determine if processes are in control and are providing the planned or intended results. It is more than collecting data, it must be analysed, evaluated and then reviewed to ensure that the organisation is progressing in the correct direction.
Monitoring and measurement process usually falls into one of three of the following categories:
- Regular Checking and Continuous Monitoring: real-time operational measurements used to check against criteria daily.
- Line Management Review Measurements: monthly or quarterly activities to determine all continuous monitoring is occurring, and self-assessments to confirm legal obligations and objectives are achieved.
- Internal and External Audits: determine whether there are non-conformances impacting the business through a less frequent audit plan with selective defined scopes.
The process also includes an action plan that ensures any situations or issues are corrected, and that new risks haven’t emerged.
Communicate & Consult
Underpinning the risk management process is communication. The purpose of risk communication is to improve risk awareness and perception and equip people to respond appropriately to an identified risk. It is an ongoing and multidirectional process as business landscapes constantly evolve and new risks can emerge.
To help guide the risk communication process, top management should answer the following three questions:
- What risks information needs to be communicated?
- Who needs to be communicated to?
- How can this risk information be effectively communicated?
Risk communication can be split into internal and external communications. Internal communication includes communicating with decision-makers, analysts and employees about risks to the strategic direction. Consulting internally provides decision-makers with accurate information to make risk-based decisions, while encouraging greater ownership of risk management by all employees. External communication includes communicating risks that can affect communities, external stakeholders, and partners, as well as meet regulatory requirements.
Developing a risk-based culture
The next step in developing a risk management process is to build a positive risk culture. Adopting a risk-based thinking culture helps achieve both top-down and bottom-up objectives, while aligning top management and “front-line” employees.
A risk-based thinking culture creates a mindset focussed on proactively achieving the organisation’s objectives while considering risks and opportunities. Similar to the critical success factors of a risk management process, embedding a risk-based culture starts at the top. Top management are responsible for business success by empowering employees and ensuring currency and applicability of supporting business processes in achieving its objectives.
The key to successful implementation is engaging individuals and ensuring they feel their contributions are helping improve the organisation. To do this, top management should implement appropriate information collection and reporting systems to make it easy for all levels of the organisation to escalate information appropriately.
Sustainable risk management programs shouldn’t stifle value creation but enable innovation as it aligns the organisation’s strategic direction to its risk management processes.