Lessons for successful risk management

In 2018 we celebrate a decade of helping our clients with implementing, maturing and embedding risk management.  We have reflected on the elements that have characterised their success and believe there are lessons for leaders across all the sectors that we support.

In common across all our clients where risk management is embedded, the following ten principles have been applied to guide their approach:

1. Strategic Objectives

Risk management must be integral to the organisation’s purpose and strategic direction for it to be embedded over time.  In every case, the systemic approach to risk management was heavily tailored in proportion to the organisation’s risk environment.

2. Uncertainty and Opportunity

The evolution of risk management across these organisations has included addressing both uncertainty as well as opportunity.  Any organisation maturing its risk management approach should help to identify upside risk as well as clarify the nature of uncertainty, how this might affect decisions and how it might be treated.

3. Protecting Value

The goal of risk management in those organisations’ indicating success is to protect everything of value – risk management should contribute to the achievement of objectives and maximise benefits through integration with management processes, taking account of any legislative, regulatory and compliance requirements.

4. Common Language

Clients that start by ensuring they are operating under a common risk management language and nomenclature, ensure the building blocks for later adoption.  Any organisation beginning the journey to strengthened risk management should set out a common language upon commencement when identifying, assessing and responding to risks and establishing its risk management framework.

5. Management System

Investment in a management system for risk results in an approach that is systematic and structured, consistently applied within the organisation.  This helps ensure that the outputs of the risk management process are reliable and comparable giving managers confidence to make effective decisions.  The common language and nomenclature is a critical element to achieve this outcome.

6. Information Sources

The inputs to the risk management process in every case were based on relevant information sources, including for example: reported experience, subject knowledge, expert judgement and projected forecasts.

7. Decision Making

Risk management only becomes embedded when it is part of normal day-to-day decision making.  Risk management should support informed decision making by helping to understand risks. This requires the organisation to confirm its risk appetite and informs its ability to manage risks effectively.

8. Stakeholder Management

The organisation’s managers ensured all stakeholders were identified, informed and involved in risk identification, assessment and control.  Risk management was both transparent and inclusive.  Risk management for these clients is both a top-down and bottom-up process to realise the full value of those with the day-to-day know-how.

9. Risk Culture

A robust risk management process of itself was not enough, without due consideration to organisational culture, human factors and behaviours.  The organisation’s risk management process should consider the capabilities, perceptions and intentions of its people and other relevant stakeholders who impact achievement of the organisation’s objectives.  A solid robust process relies on people for its implementation after all!

10. Continuous Improvement

Finally, being systemic implied the need for an approach that was dynamic, iterative, and responsive to change, driven by continuous improvement.  Our clients confirmed that their organisations ensure that risk management continually identifies and responds to changes affecting their operating environments.  The policy and framework of those clients reporting success directs annual activity toward renewal, ensuring relevance and that the system stays fresh, current and valuable.  There are ongoing improvement actions, both documented and implemented!

In summary, if you are holding responsibility for managing risk in your organisation, what advice do we have for you to aid you in implementing the above principles and achieving success in your role?

We would recommend starting with the principle that the organisation’s strategic objectives provide the context for risk management.  Their connection to risk management must be communicated widely across the organisation, including sharing the relevant part(s) of the strategic plan that inform the annual business plan.

The risk management policy should focus, at a high level, on providing the basis for organisational focus on risk management and guiding risk-based decision making.  The detail of how the risk management process is undertaken should be documented in the procedures’ framework.  Then both communication and training should ensure the information is cascaded and embedded into the organisation.  It is essential to not be the lone voice beating the risk management drum: create a leadership group with broad organisation-wide representation, paying specific attention to departments that are critical to achievement of strategic objectives.

As the engineer of the risk management system and with responsibility for the efficient operation of that system, we see your role as including consulting with the business for new and emerging risks, as well as in supporting the devolved development of departmental risk registers.  You will also align risk reporting schedules with any governance and oversight committee timetable.  This will ensure that the oversight committee adequately performs its governance role with access to complete risk information.

Finally, given the continually changing risk environments faced by organisations, the benefit of a systemic approach enables their risk management to evolve and mature, thereby remaining relevant to strategic objectives.

Brett Dorney & Grant Organ

Directors, Aretai Risk Management Consulting Limited

October 2018

• Consulting
• Financial Services
• Legal Services
• Professional Services
• Risk Management