Introduction
An effective Risk Management plan offers many benefits to an organisation, including supporting coherence between technical and operational pillars. But there are a number of tactical, operational, and strategic challenges that organisations face when conducting Risk Management activities. The easy win is to provide a tool, guidance for using it, and a way to demonstrate that the tool has been used successfully.
In this blog we will investigate how your organisation can tackle the more complex challenge of operationally embedding, improving and evaluating your Risk Management capability, and we will examine the core features of a typical Risk Management process and framework to highlight the open questions that remain for organisations.
What do we mean by Risk Management?
A simple definition: “Risk management is the identification, analysis and evaluation of risk, followed by the treatment and implementation of necessary actions.”
If we really strip Risk Management back to its foundation, it is a process for optimising the achievement of business objectives, identifying threats to these objectives, reducing the impact of the threats and exploiting opportunities.
Advantages of effective Risk Management
The benefits of effective Risk Management are centred on the increasing confidence and likelihood of delivering business objectives. However, as we will see, a holistic approach to Risk Management can accomplish even more.
By having an effective Risk Management process in place, an organisation has a comprehensive understanding of its risks and, crucially, that those risks are within its risk criteria. Risk Management sits at the heart of organisational decision making – personnel are actively engaged and risks are proactively managed with opportunities exploited. Maintaining an up-to-date risk register is not enough, Risk Management should be contributing to the achievement of organisational objectives.
What does a typical Risk Management process look like?
A typical Risk Management process begins by establishing the context – defining what you want to achieve and how to do so by identifying and setting business objectives. Following this is the identification, analysis and evaluation of perceived threats, a process which often engages many employees across different areas of an organisation. Risk identification requires the application of a systematic process to understand what could happen, how, when, and why, resulting in a list of candidate risks.
Analysis
Following this is a risk analysis process which is focussed on developing an appropriate understanding of each risk, its consequences and the likelihood of these. Readers will likely be familiar with expressions such as: “Risk is the product of probability and impact”. However, ISO 31000 advises that the confidence in the assessment and its sensitivity to assumptions is also considered. The international standard also acknowledges that the level of rigour applied to risk analysis should be tailored to the organisational context the risk resides within, the purpose of the analysis and the availability of data, information and resources.
Clear communication
Furthermore, effective communication of risks is key and too often risk registers are laden with jargon that hinders easy understanding. To combat this challenge, organisations may wish to use the following simple but powerful question to ensure risks are documents clearly: “have you used any terms that are confusing, open to interpretation, or likely to be contentious? If so, consider using simpler language.”
Evaluation
Risk evaluation is then the action of making an informed decision about the level of risk in relation to the organisation and its context and treating risks, or exploiting opportunities, through existing or new controls. Options must be analysed, including the potential for new risks or compounding risks, and courses of action should be prioritised and implemented in a controlled, systematic way.
Risk Management Framework
However, to achieve demonstrable value, a key consideration is currently missing. Namely, Risk Management must be integrated into an organisation’s decision making process and ISO 3100 advocates for accomplishing this via a framework. This framework includes guidance on the policies, arrangements, and structures to implement, sustain, and improve the overall Risk Management process. It’s easy to talk about this framework, but in reality it can be very difficult to successfully implement, which is where Risk Management experts can help. They can guide an organisation through the tactical process of Risk Management, up to the framework for embedding Risk Management operationally within an organisation, to the strategic principles and benefits that effective Risk Management should deliver.
Thinking about Risk Management in this way enables senior stakeholders to act deliberately at the strategic and operational layer to mature Risk Management from a periodic, superficial activity to a pervasive, value-adding activity.
Establishing a risk management culture in your organisation
In order to firmly establish Risk Management at the heart of organisational decision making it is recommended to introduce company-wide learning. This supports the implementation of risk management tools, user guides, policy, strategy, governance and, crucially, engaging people.
It is recommended that this training is documented, and established as a continuous process rather than a one-off, and includes: operational embedding, monitoring and review, continuous improvement, connecting evaluations to business outcomes, compiling and acting on lessons learned.
Questions that remain
The following questions remain for organisations who wish to mature and refine their Risk Management practice:
- How can your organisation guarantee that Risk Management Tools, Frameworks and Approaches are being implemented in the right way?
- How can your organisation ensure that Risk Management activity is adding value?
- Is your Risk Management process contributing differentially to the attainment of organisational objectives?
- How can you mature your approach to Risk Management and demonstrate adaptability, agility, robustness and resiliency?
The answers to these questions is partly sensitive to the individual context that organisations operate within, but also prevails in the attitudes, behaviours and beliefs of personnel that interact with Risk Management.
Here at SA Group, we can provide guidance to the more overarching, strategic questions of embedding Risk Management within an organisation to help you deliver the maximum value for money, drive coherence and integration across relevant areas of the business, and ensure that Risk Management is contributing differentially to decision making.
Conclusion
Despite guidance available from ISO standards, maturity models and the proliferation and prevalence of enterprise Risk Management tools, many organisations continue to experience challenges as to how such approaches can be operationally embedded into each area of the business.
In this blog we have laid the foundations of a process for managing risk, embedded this process within a wider framework for Risk Management, and highlighted the challenges that remain for organisations.
At SA Group we have proven success in helping organisations mature and enrich their approach to Risk Management and move from periodic, discrete evaluations, to a holistic, pervasive approach. Please get in touch for more information.
Case Study
SA Group were asked to deliver a Risk Assessment Plan for the Ambulance Radio Programme – a £390m Department of Health initiative, as part of a wider project to future-proof their security architecture. This included vendor Security Risk Assessments which were implemented within the delivery phase of the programme. These had been scrutinised, revised and managed to fulfil the requirements of the ARP. Click here to read the full case study.