Businesses have historically perceived risk as something to be eliminated or minimised wherever possible. Recent corporate collapses and the global recession have brought increased legislative and regulatory requirements. Organisations have been forced to allocate more resources to managing risk, and stakeholders are scrutinising businesses more closely.
The need to identify, manage and exploit risk has become increasingly important to an organisation’s success and longevity.
A risk management framework gives an organisation a process for identifying the risks to which it is exposed. A robust process is anchored in the organisation’s risk appetite and forms the basis for deciding risk treatments. Applied consistently, the process enables management to identify, assess and exploit the right risks whilst maintaining an appropriate balance of internal controls.
A handful of key principles must be followed for risk management to deliver meaningful outcomes. A risk assessment should focus on the organisation’s objectives, because those objectives are the yardstick against which the likelihood and consequences of each risk are measured. Strong governance and oversight mechanisms should be put in place to encourage a portfolio, or holistic, view and to align risk treatment with the organisation’s risk appetite.
Organisations that analyse the results of their risk management activities lay a solid platform for developing an effective enterprise-wide risk management (EWRM) programme. They are better placed to exploit opportunities and to survive today’s volatile business environment.
What is risk?
Many definitions of risk exist, and many were established to address the needs of a specific industry. It is widely acknowledged that if we know with absolute certainty that an event will happen, there is no risk attached to it; if there is any element of doubt or uncertainty, then a risk exists.
AS/NZS ISO 31000 defines risk as the “effect of uncertainty on objectives”.
In practice, two types of risk are commonly distinguished – strategic and operational.
Strategic business risks are directly associated with an organisation’s strategic planning and management activities. They are risks that could significantly inhibit the organisation’s ability to achieve its vision and strategic goals. They are high level, have the potential to close the organisation down, and need to be identified, evaluated, treated, monitored and communicated by the Board and executive team. Strategic risks often need to be managed holistically, and by more than one business unit, for risk treatments to be effective.
Operational risks are those that could inhibit an organisation’s ability to achieve its objectives in the ordinary course of its business, at a functional or process level. They generally arise from failed internal controls, policies, processes, systems and people. Operational risks are typically managed by the management responsible for the business unit, process or project; generally, they are escalated to the Board or executive management only in extreme cases.
I would add a third set of risks: project risks.
Project risks relate to particular projects. Projects typically follow a life-cycle that includes concept, initiate, plan, execute and close. Project-related risks exist at every stage of the life-cycle and need to be identified and managed for the project to achieve its objectives.
What is risk management?
Risk management reflects an organisation’s risk appetite and its culture for taking prudent risks. It is the process of identifying, analysing, evaluating, treating, monitoring and communicating risks to the right audiences at the right time.
AS/NZS ISO 31000 defines risk management as:
“Co-ordinated activities to direct and control an organisation with regard to risk”.
Managing risk is central to good management discipline and habits. Opportunity and risk are directly linked in most organisations’ activities. To achieve their objectives and exploit business opportunities, organisations need to identify and manage risks of all kinds.
Risk management is a systematic set of activities that helps an organisation identify & understand its business risks, and the internal controls that exist to manage them.
The ultimate goal is to use the risk management process to determine whether a risk, in the context of a strategy, process or business unit, is acceptable or needs additional treatment. Risk management activities shouldn’t foster a risk-averse environment. They should be designed to increase people’s confidence to balance risk & reward by exploiting opportunities & managing risk to acceptable levels.
A risk-averse culture introduces unnecessary barriers, obstacles or inflexibility that get in the way of the organisation’s objectives. Conversely, organisations that accept disproportionate levels of risk increase their chances of failure.
Risk management adds the most value when it is fully embedded in an organisation’s activities. Like any good management discipline, it is more effective when driven from the top and accepted as everyone’s responsibility. An organisation’s Board, executive leaders and management have an individual and collective responsibility to show commitment to its risk management activities.