Risk management, governance and compliance requirements are becoming increasingly complex, driven by statutory requirements and ever-changing risk registers. They place a growing operational and financial burden on the organisation.
Businesses often approach risk management in silos, leading to ineffective, untimely and inconsistent risk management processes. The best approach to risk management is a lifecycle, with each step logically leading on to the next. It is important to note that risk is evolutionary, so these steps must be repeated continuously.
By being aware of the risks you face, you make it more likely that you will achieve your objectives and, should a risk occur, be better placed to deal with it.
An individual’s needs within a risk management process will vary depending on their function in the organisation:
- Senior executives need to know where the higher rated risks are and who is managing them, for example ensuring that there is not a shortage of skilled, experienced staff.
- Line and project managers need to help identify, assess and manage higher rated risks, for example ensuring that factory floor staff are aware of Health & Safety risks.
- Service heads need to understand and manage the operational risks within their business area, for example a lack of office space that could prevent staff from carrying out their work, or a cramped working environment that creates hazards.
- The Board has an increasing need to be aware of all of it: not only to have a clear view that the organisation is on target to achieve its overall objectives, but also to ensure it complies with regulatory standards so as not to lose accreditation, incur financial loss or suffer reputational damage.
Here's a basic outline of each critical step of the risk management lifecycle.
Identification: You can’t manage your risks if you don’t know what they are, or whether they even exist. The first step is to uncover the risks and define them in a detailed, structured format: identify the events that could affect your ability to achieve your objectives, describe them and assign an owner to each.
Assessment: Once the risks are identified they need to be examined in terms of likelihood and impact: the probability that the risk occurs and the consequences if it does. This identifies which risks are priorities and merit the most attention. You need a consistent way of scoring risks so they can be compared relative to each other, and a defined risk appetite, the level of risk the organisation is prepared to accept, against which to judge whether each one is tolerable.
Treatment: Once a risk has been assessed, an approach for treating it must be defined. Some risks will fall within appetite and require no action beyond monitoring, but those judged unacceptable need an action or mitigation plan to avoid, reduce or transfer the risk.
Monitoring: Once a risk has been identified, assessed and a treatment defined, it cannot be left alone. It requires an ongoing review process; remember that risk is evolutionary and can always change. Regular review is essential for proactive risk management.
Reporting: Reporting at each of the four stages above is a core part of driving decision making in effective risk management. The reporting framework should therefore be defined early in the risk management process, covering report content, format and frequency.
This brief outline only scratches the surface of the stages within risk management. Each of these steps seems logical, but the importance is in the detail. In our experience organisations may follow this process, but few execute all of these steps effectively at any given time. This is most likely because the stages are not carried out from one place: the risks live in one silo, the treatment plans in another, and monitoring and reporting elsewhere, with no clear ownership of any of it.