Some would say that risks have changed dramatically over the past decade or more. While the risks may have changed, what hasn’t is the practice of how risks are managed.
What I witnessed as ‘risk management’ in the early 1990s is much the same today, though much is touted about the value added that comes from effectively managing risk.
What is perplexing about the ‘value add’ of such claims is that no evidence indicates how and if value is actually being created.
I come at this from the perspective that I’ve been teaching, training, coaching, and consulting on practices in risk management for 30 years. Each time I have a new client, a new class, or a new executive, I cannot help but notice that they don’t have a ‘process’ or are using outdated, unreliable methods. Oh sure, they have dashboards that we didn’t have 10, 15 or 20 years ago – but they tell nothing about what is being managed, how effectively and with what outcomes.
Management wants different results. They want something different that no technology, insurer or regulator will help them achieve.
The following is a brief of what I’ve seen as the stagnation of risk management.
I follow each observation with what I help companies to change and dramatically alter the value they get from risk management.
Based on the following points, ask yourself – – How is the risk management process working in your organization?
-
Risk to objectives
The common lexicon links these two as though nothing separates the risk from the objectives. There is not a direct link between the objectives and the risk.
One must consider the ability to execute the strategy as a form of risk. If the strategy cannot be executed, the objectives will not be achieved regardless of the identified risks.
The primary focus of the risk identification process must be the strategy and the outcomes that define what will be achieved as the organization attains its top objectives.
Without the link between strategy, outcomes, and objectives – both the risk indicators and performance indicators will lend little value to the meaning of risk. It leads one to wonder what exactly is being managed – do you know?
One of the most visible risks in many registers these days is Climate Change. That is not a risk – it is a fact – it has created problems and costly ones.
It is a problem that will not be solved any time soon. Climate change continues to affect businesses in different ways. Downstream risks must be identified using methods that have not been used before.
-
The Risk Register
No methodical or consistent process exists across the organization that supports why risk is being identified as known or emerging. The most important element that is usually missing to give credibility to the risk register is the ‘indicator’ of risk. The indicator answers the ‘why’ a risk is being identified.
Half the items (and sometimes more) reported in the register are problems. It may as well be called the ‘issues’ or ‘problem’ register. They are previous risk events that have come to pass and are now a problem that needs to be solved.
A risk register is the end product of a sustainable and consistent process that must reflect the business circumstances.
It must be evaluated for its value as a key management tool.
-
The Risk Assessment
This assessment is based on historical events. No risk ever repeats the same way twice.
As an example, consider every market crash there has been in the past 100 years – not a single one had the same indicators or contributors to a crash. There were economic similarities, granted, but the trigger was always different. Understanding the indicators requires ‘anticipation’ of a trigger. This is inescapable.
There is little evidence that risks outside an organisation’s or its people’s control are supported by awareness, preparedness, and responsiveness to a potential event. When uncontrollable external factors drive risk, then the only response is with internal strength.
The risk assessment process is designed to ensure that sufficient ‘capabilities’ (skills + capacity + action) exist to ensure that the proposed mitigation can, in fact, be executed.
An assessment must reflect the effectiveness and ‘fit for purpose’ of controls. It is the central tool for accountability for identifying and mitigating the risks.
-
Strategy – Change – Risk
While health & safety protocols and avoidance of hazards are of great importance, most organizations meet the standards in these areas – which can be audited. However, the links between Strategy, Change and Risk are inseparable. What often escapes decision-makers’ attention is the link between the strategy, changes, and risks.
Consider –
- Developing a new strategy is usually prompted due to necessary changes. Change brings risk. How do these three elements connect in your planning process? It is not only relevant for strategic planning, but also essential for operational, program, project, and all forms of planning, short and long-term.
- Planning to make significant business or organizational changes requires a robust and well-thought-out strategy. Invariably, a strategy to create change involves risk. How do these three elements connect in your change management process?
- Does the risk register indicate risks that are not tied to the business strategy? In such an event, I’m compelled to ask . . . Why are they there?
The foregoing four points are only a small sample of where risk management continues to be a mundane practice that is dreaded by many organizations and provides little value than often state the obvious. It is, nevertheless, essential to have a methodology that creates value, not a methodology that is outdated, insurance-based or regulator-driven.
Looking at what uncontrollable catastrophe may befall and avoiding that however possible is not what managing risk is meant to be. That stronghold remains. It is my objective to change that.
How is risk management working in your business?
Is it generating value? How do you really know?
Risk management is not complicated if it is designed to be a management tool that creates value.
I help companies simplify the process of managing risks in their business so that its implementation is not onerous, yet adding capacity, impact and measurable value to the organization.
Ask me how your business can benefit from effective risk management.
#newrisks