Despite being around as a standalone management tool for a long time, many businesses still don’t really understand risk management – what it is, who is responsible for it, and how it can contribute to business success.
Whilst some business go out of their way to promote the fact that they manage risk well, we still find time to we blame a lot of our corporate failing on the lack of, or inadequate, risk management.
So why the disconnect? Some say it is because a lot of businesses don’t think they need help managing risks, “because they just do it”, whereas others have invested in standalone risk management functions without a clear understanding of what their role is, or without empowering them to do it properly.
In this article, we revisit some of the basic risk management principles and discuss the difference between risk analysis and risk management.
The importance of risk management
Risks are the main cause of concern and uncertainty for many businesses. Businesses that have good risk management disciplines embedded into their culture have been shown to act more confidently and make better business decisions than those that don’t.
In ever changing and uncertain times, like we are facing now, risk management can be used to protect the business and help it take advantage of the opportunities that will happen when restrictions are lifted and trading conditions improve.
What are risks?
In its simplest form, a risk is an event or circumstance that could have a negative effect on a business. The effect on a business is usually determined by how likely the risk will occur (likelihood), the impact it could have on the business (consequence), and how much of the risk can be mitigated (residual risk).
The fact of the matter is that every business has risk. Businesses face many different risks, and they generally involve events that can impact on:
- short, medium or long-term business objectives (strategic);
- financial structure, transactions, and performance (financial)
- operations, systems, processes and procedures (operational);
- fulfilling laws, regulations, standards and codes of practice (compliance);
- things the business has little or no control over (environmental); and
- brand and goodwill of the business (reputational).
Depending on the business, other risks can include health and safety, project, security, technology, innovation, business continuity and service delivery – reinforcing the fact that each business needs to conduct their own risk assessment.
A failure to manage certain risks in Australia, for example health and safety, can also have significant consequences for business owners and directors (in the form of fines and jail time) – making this something that every business owners and director should take seriously.
What is risk management?
Despite all the rhetoric, risk management is often treated as a compliance issue that can be solved by:
- drawing up lots of rules and making employees follow them; and
- recording and reporting risks in business tools like risk registers.
When done well, risk management is much more than this.
Risk management are the policies, procedures, systems, tools, and decision-making processes that are embedded into the culture of a business that help it achieves its strategic objectives by successfully identifying and managing the risks.
A key element often overlooked in risk management is making sure the culture supports the business in this regard. When risk management is embedded into the business, and everything it does, identifying and managing risk becomes part of what people do rather than a standalone process.
What is the risk management process?
To be effective, the risk management process needs to be part of a broader risk management framework. This framework determines things like:
- what risks the business needs to focus on, and why (the risks);
- how much risk the business is prepared to take accept (risk appetite);
- who is responsible and accountable for managing risk (ownership); and
- how the risks and the risk framework will be reviewed and documented.
A key element of the risk framework is deciding on how much risk the business is prepared to take on. Some risk taking may be critical to the success of the business, however, exposing the business to the wrong risk can be detrimental.
Using the parameters set out in the risk management framework, the risk management process is ultimately a structured approach to identifying, assessing, managing, monitoring, reviewing, and documenting the risks in a risk management framework.
During the process, each risk should be identified, recorded (usually in a risk register) and given a risk rating. This rating – which is based on a likelihood, consequence, and control analysis – helps identify the risk that the business might need to focus on.
Once this is done the business can deal with the risks in several ways, including:
- stop doing the active that creates the risk (avoid);
- change something to achieve a similar outcome but with less risk (reduce);
- shift the risk to another party, like an insurer (transfer); or
- acknowledge that you must take the risk (accept).
Effective risk management must also include a continues improvement element. Meaning the business must regularly, and systematically, review and update the risk management framework – including its risks process, plans, register, ratings, and management.
Who is responsible for risk management?
In recent years, companies have added risk management capability to their team – usually in the form of a dedicated risk manager. Larger organisations, which more complex risks, will have a more sophisticated approach including teams for risk professionals and risk management tools.
The role of this person, or team, is ultimately to help the business identify risks, come up with and execute strategies to manage the risk, and to motivate all members of the business to support the firms efforts to manage its risk and help the business achieve its strategic objectives.
Whilst these specialist resources have their place, the role management and staff play in risk management cannot be underestimated. Without their support and buy-in, the risk professional cannot do their job and the business cannot manage its risk.
In short, successful businesses have risk management embedded into their culture with everyone from the top to the bottom taking responsibility, and being accountable, for helping the business identify and manage its risks.
Whilst risk analysis is important, it is simply one part of the risk management process. To successfully identify and manage risk, a business needs to have much more comprehensive approach – including a risk management framework and a risk aware culture.
By Jamie Timmins
Jamie is an experienced General Manager having held senior strategic and operational leadership roles in accounting engineering and law. He has an MBA, majoring in risk management, and former Chief Risk Officer at Minter Ellison (Australia’s largest law firm). Having worked with a range of roles and businesses, Jamie brings a unique commercial approach to risk management by looking at the business objectives first and then developing strategies to manage the risk . To further understand the importance of risk management and how it can improve your business, contact us to discuss further.