As a Risk Management professional, I am lucky to be exposed to a constant stream of new companies, some in industries I am familiar with, others new. This builds on my earlier life in the banking sector where my credit roles gave me a similar exposure. I’ve enjoyed a constant stream of new opportunities, new challenges, new risks, new people, new processes, new ideas and thinking. Having become accustomed to these new things, I have also developed a weakness for status quo, as my long list of employers would suggest. I find it more than a little challenging to work in a role or an organisation where we aren’t always pushing the boundaries to create challenges and opportunities.
Perhaps more notably, I get frustrated by “old” thinking. That isn’t to suggest that just because something is old it isn’t optimal, but more so by the by the failure to embrace the opportunities of change – to consider that things might be done differently, better. I don’t presume to be right about everything, which is one reason I love the challenge of change.
Risk Management is constantly challenged to justify its existence. I’ve lost count of the number of conversations I’ve had over the years in which the value of risk management has been challenged. It’s frustrating, because generally (but not exclusively) these challenges come from those unwilling to consider how risk management might work effectively to deliver the value they question. Put another way, it’s not unusual for risk management to fail to add value in organisations where it isn’t encouraged and / or empowered to do so.
Risk Management presents us with some very simple concepts – understand your risks (be they upside opportunities or downside threats), have confidence in your controls, and make effective “risk based” decisions. Good risk management is about empowering an organisation to take risk, not to avoid it. In organisations that understand this, embarking on a risk management journey, whether that be to develop and implement, or enhance risk management capability, is largely about change management. After all, risk is risk, and the underlying concepts apply equally to all organisations, across all industries.
The skill set required to develop, implement and embed risk management into an organisation is completely different to the skill set required to manage an established risk management function. Improving an existing risk management framework and capability may require wholesale change, or it may be a simple matter of refinement. The extent of the change should dictate the resources required to undertake that change. If developing from a low base, change will require the following:
Establishing a baseline against which change can be effectively measured – (Risk Maturity Survey)
Development and implementation:
Risk Management Framework – Policy, Principles, Standards
Risk Appetite
Risk Management Governance / Risk Reporting (including establishment of forums / committees)
The Assurance Framework
Risk analysis / profiling and resulting development of Risk Treatment Plans
Development of incident capture, analysis, management, and reporting
Potentially, the incorporation of:
the Compliance function and framework into the broader Risk Management Framework
HSE function into the Risk Management Framework (let’s face it, does it really belong in HR?)
Each of these activities requires extensive engagement with the key stakeholders across the business, including Directors, Executives, and Management. The ability to effectively engage, collaborate, communicate, influence, educate & inform, and manage, are fundamental to achieving the required change.
At ABM Risk Partnership we have a tag line that we like to apply – from risk comes opportunity. It goes somewhat without saying that change creates opportunity, and that opportunity creates change. Combine these together and you start to get close to the challenging environment I and others want to work in.
As Anthony Wilson and I (Brett Palmer) discussed in a recent Mastering Recent Management Podcast “What is Risk Management?”, risk is about threats and opportunities – the creation and protection of value.
After so many years it’s very hard to understand how opportunity risk still manages to be overlooked by so many organisations, frequently completely omitted from risk management frameworks, practices, and capability. Creation of value is a fundamental to an organisation’s raison d’etre. Undertaking an analysis of opportunities from concept through execution and delivery / transition to business as usual should be a natural part of the process of opportunity analysis. But it isn’t. It’s simple, it’s value adding, but to many organisations it’s different, it’s confronting, so it’s ignored.
The most recent Mastering Risk Management podcast drills down into Opportunity Risk in more detail, suggesting that its exclusion may reflect a legacy carried over from the earlier focus on safety incidents. We question why Risk Management is so often excluded / overlooked from strategic planning, and why organisations continue to overlook risk management in analysis of opportunities.
ABM has a tried and tested approach to Opportunity Risk that we develop and embed into organisational risk management capability. The application is simple, designed to confirm the enhancement / benefit and deliverability of the opportunity over a series of simple steps:
Determining and rating the primary value driver/s (benefits) and probability of the opportunity – is it rare, or does it arise regularly?
Consideration of the threats to the achievement of the opportunity
Identifying what must go right, as well as what can go wrong
Once an opportunity analysis has been undertaken it is important to consider the risks of delivering the opportunity successfully. Importantly, project risk analysis must consider risks arising within the project and the risk of the project. These are not the same things.
Assuming the opportunity has been confirmed, and the project risks have been analysed, consideration must turn to the risks that arise when the opportunity moves into business as usual.
Sound complex? It’s a very simple process that reflects the pragmatic approach ABM has to risk management that comes from the experience gained in leading risk management in many organisations, and helping many others develop their risk management capability.
ABM believe that from risk comes opportunity. If your organisation has achieved a mature risk management capability that includes consideration of opportunities, projects, and threats – congratulations! You’ve achieved what few other organisations have.
If you feel there is scope for improvement ABM can help.
From risk comes opportunity.