Guest Post by Patrick Ow (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Smaller organisations, especially those with fewer than 100 people, often struggle to put in place right-sized, effective risk management practices that do not take up too much of their time and resources.
What I have often seen and experienced is that small-size organisations implement the ‘standard’ risk management practices commonly found in larger organisations without much thought as to whether those practices are fit for purpose, or whether they enable better organisational performance given the organisation’s unique context or operating environment.
Unfortunately, many of these smaller organisations, especially not-for-profits, adopt these ‘standard’ risk management practices without fully understanding the essence of risk management, which is to increase the likelihood and extent of their organisational success, and to achieve their objectives within clear boundaries of acceptable risk-taking and opportunity-seeking.
Instead, smaller organisations should implement a fit-for-purpose right-size risk management system that enables better organisational performance.
Take a strategic approach to risk management
To overcome many of the issues and challenges that small-size organisations face in implementing a risk management system that is robust and effective yet does not take up too much time and effort, I have developed a strategic risk management approach that enables better organisational performance.
I am conscious that these small organisations do not have dedicated staff to do dedicated risk management work. Instead, identifying and managing risk, whilst it is an important management practice, is only a tiny portion of many other management actions that they must do as part of their everyday work.
Having a ‘complicated’ or ‘off-the-shelf’ risk management practice is like using a mallet to kill a fly. And I see it all the time.
Resource-constrained organisations should take a strategic, top-down approach to identifying, managing, and reporting their risks to the appropriate governance committees, including management teams and boards.
Develop your unique risk universe
A risk universe is the full range of risks that could impact your organisation’s ability, either positively or negatively, to achieve its long-term objectives.
I have inventoried all possible risk types that a typical organisation can be faced with. Using this generic risk universe as a ‘checklist’ of potential issues and risks that your organisation can experience or be faced with, you can quickly determine which ones are specifically relevant for your organisation, without going into the details of each risk event.
This will enable you to take a strategic view that focuses your decision and discussion on things that matter most to your organisation.
Intuitively, you would already know the types of risk events associated with each risk category of your risk universe. You may want to give some examples of the organisation-specific risk events associated with each selected risk category, but this is not necessary.
Implement proper board and management risk governance
At this juncture, it would also be good to identify the governance arrangements between the board and management in overseeing the different types of strategic and operational risk.
Generally, strategic risks should be overseen by the board, whilst operational risks are managed by the management team. When this occurs, the line separating accountability and responsibility is clear.
Strategic risks must be linked to the achievement of your organisation’s strategic objectives. Likewise, operational risks must be linked to the achievement of cascaded operational objectives, which in turn indirectly support the achievement of strategic objectives.
Having a clear understanding of the types of strategic risks that the board is responsible for and the types of operational risks the management team is responsible for will help significantly in your corporate governance arrangements. There will not be any ambiguity and confusion as to who does what and when.
Your customised risk universe will effectively group your risk categories either as strategic or operational. Any matters arising under each of these categories will be dealt with by the appropriate governance committee.
Information is escalated or cascaded between the governance committees when clear business rules and triggers have been developed and implemented via their terms of reference and governance arrangements.
Rate your risk at the category level
Once you have shortlisted the types of risks that your organisation is facing or may face, in the form of a customised risk universe, rate the level of risk at the category level. Keep your rating system simple but strategic.
While it is tempting to ‘over-engineer’ your risk management process and describe every risk event under each selected category of your risk universe in great detail, the critical success factor for an effective risk management system is to focus your efforts on identifying and implementing effective controls and treatments that are aligned with your organisation’s risk appetite and tolerance.
Focus on action-taking
The critical success factor for risk management is action-taking.
Implement all planned or additional treatments to mitigate the risks, commencing with those treatments that relate to the highest level of risk. This requires organisations to ruthlessly implement mitigation actions and religiously track the implementation progress of all proposed treatments, especially those that relate to issues or known events that are currently in play.
It is pointless to document proposed mitigation actions in risk registers when there is no discipline in completing their implementation within agreed timeframes. The level of risk will not be reduced by poorly executed treatment actions.
Additionally, organisational risk registers should document only the effective controls that matter most to either mitigating a downside risk or maximising an upside risk or opportunity. These controls must also be actionable or controllable by the organisation if it is to achieve its objectives.
Create a clear boundary for risk-taking and opportunity-seeking
With a customised risk universe that sets out which risks matter most to the organisation, you can also set clear boundaries for risk-taking and opportunity-seeking, which are your risk appetite and risk tolerance.
This simplified approach to risk-taking and opportunity-seeking gives clear performance guidance for your employees when they are performing their work to achieve your organisational objectives.
From a definitional perspective, risk appetite is the amount and type of risk that your organisation is willing to pursue or retain, and risk tolerance is your organisation’s or stakeholder’s readiness to bear the risk after risk treatment to achieve its objectives. Your risk tolerance can be influenced by legal or regulatory requirements.
Be successful in creating an effective risk management system
Create an effective risk management system that enables your organisation to achieve its objectives within the boundaries of risk-taking and opportunity-seeking.
If you are expecting a better outcome for your risk management activities, think strategically without wasting any more time and effort. Develop something implementable for your organisation, rather than seeing risk management as a compliance exercise.
Effective risk management will enable you to be successful: it keeps you on track to achieving your objectives by implementing the right-sized actions.
Note: Patrick’s “Implement a Simplified But Effective Risk Management System” Udemy course can be found here – https://bit.ly/3nhYOcX.
As a Chartered Accountant with over 25 years of international risk management and corporate governance experience in the private, not-for-profit, and public sectors, Patrick helps individuals and organizations make better decisions to achieve better results as a corporate and personal trainer and coach at Practicalrisktraining.com.
He is also the co-founder of Skillsand.org, an organisation dedicated to helping people acquire in-demand job skills and preparing them for the future of work. The goal is to create a convenient learning experience that’s as easy as making any other purchase on Amazon.
Patrick has authored several eBooks including Strategic Risk Management Reimagined: How to Improve Performance and Strategy Execution.