“A ship in harbor is safe, but that is not what ships are built for” – John A. Shedd, Salt from My Attic, 1928.
Effective risk management provides an environment for calculated risk taking and innovation. Good risk management contributes to institutional success. To be effective it requires strong leadership and organization-wide ownership.
Innovation is critical to strong business performance as organizations seek to enhance product and service offerings, lift efficiency, upgrade technologies and increase their resilience and adaptability.
Without innovation, organizations wither and customers and business owners suffer. Becoming ideas constrained is fatal, but there are risks in innovating. As Machiavelli said centuries ago, “Never was anything great achieved without danger.” Risk and reward are inextricably intertwined. Leaving the boat safe in its harbor will not yield progress.
Good risk management is imperative for managing successful change. It involves anticipating and diminishing threats; protecting sources of value; and enabling value-creating risks to be taken in a calculated way, with reduced likelihood of failure or loss. Done well, it enables an organization to seize opportunities to create and protect value for all its stakeholders.
Good risk management enables an organization to move forward, because the downside risks of change are contained, and risk management provides a forward-looking orientation. It allows organizations to focus their competencies on value creating activity. Done well, it informs strategy, investment prioritization and business decision-making. It drives organizational direction and positioning.
A second key benefit is that it reduces the likelihood and costs of adverse events that may damage organizational reputation, financial or business viability, and distract the organization from achieving its goals.
Good risk management fosters both adaptability and resilience, two crucial aspects of enduring organizational performance.
Types of risk
Generally, three categories of risks are identified: strategic, operational and project risks.
Strategic risks describe the impact on the business of possible changes in the wider environment, such as political, international, demographic, social, etc., and the dangers of business strategies not being adequately aligned to their operating environment. They also entail risks to the accomplishment of key business goals through loss of focus, inappropriate investment or resourcing, and reputational and communication risks.
Mitigations of strategic risks tend to be strategic choices and business model approaches; investment prioritization decisions during planning processes, often resulting in project initiations; and communications and stakeholder management. Strategic risks are often perennial, yet may be volatile due to changes in the external environment.
Operational risks relate to the achievement of business plans and “business as usual” results. They entail risks of failure of business operating systems, quality or service failures, integrity and conduct risks, security, operator error, incident or business continuity threats, etc.
Operational risks are managed and mitigated through measures such as process design, process controls, policies and discretion limits, back-up and redundancy measures, quality assurance processes and review/feedback cycles, alignment of skills and resources with requirements, and investment in research and development and capital equipment.
Operational risks, be they security, business continuity or service delivery, are most effectively managed through a risk management approach that is integrated into the business and culture of the organization.
Project risks are sometimes treated as a subset of operational risks and are linked to the achievement of project outcomes. They relate to benefits not being achieved, perhaps because of delivery failure, key assumptions not being met, scope being poorly defined, delays in project completion, cost escalation, disruption from extraneous events etc.
Typical risk controls for projects include: the establishment of a project risk register with risks identified, evaluated and controls determined; project planning, resourcing and monitoring mechanisms; and governance arrangements.
Risks often eventuate during change processes because existing processes were not fully understood and the number of unknowns is allowed to be greater than it should be through inadequate planning, trialling and risk management.
Components of risk management
There are a number of core components in any risk management regime. We identify the key elements as follows:
- Risk identification – risk awareness is a valuable trait that is sharpened with practice, but various disciplines are valuable to ensure risks are anticipated effectively. Risk identification is something every employee should do. The risks identified will be influenced by role and perspective. Senior management must focus on identifying strategic risks, while applying their assessment to operational and project risks identified by others.
- Risk assessment – evaluation of likelihood and potential impact. Risks are pervasive but not all risks matter. It is critical to evaluate the significance of risks for the business and for a specific time horizon. Even if unimportant now, they may be significant later. Likelihood can change, as may impact. Risk severity shapes the nature and extent of management action.
- Risk tolerance – what residual risk would be acceptable? Generally, risk cannot be eliminated but can be reduced. Management must decide what level of risk reduction is required and what adverse outcomes might be accepted. Sometimes risk appetite statements may be developed.
- Risk planning – mitigation actions are identified and established to achieve the desired residual risk level. Preventative and remedial actions should be considered. Risks may be prevented or rendered unlikely through various control measures, and impacts alleviated through appropriate plans and actions.
- Risk management is assigned – risks and their management require ownership within the business. When accountability is unclear, risks are less likely to be managed and more likely to materialize. Ownership should be assigned to the role or person who is best placed to manage the risk, acknowledging that impacts may be widespread. Even if the consequence for the organization would be severe, it is best to allocate and manage the risk in the business area that has greatest scope for risk control.
- Monitoring and review of risks – regular risk review is required, to evaluate any changes in the risk or control environment. Likelihood and impact vary as political, social and technological factors evolve, and in response to changes in the business and the mitigations put in place. Incidents occur and provide insight into risk assessment. The monitoring-feedback loop is a critical part of keeping risk management in focus.
- Reporting and escalation procedures – as risk severity changes, incidents occur, and risks materialize into issues, it is important that reporting and escalation processes exist. These enable broader perspectives and judgement to be applied in the evaluation and management of risks. A risk management committee may be established as one way of reinforcing the review processes.
There is of course a need for sound methodology that allows for effective, repeatable and consistent assessment and reporting of all risks. Standardized reporting provides a department-level risk profile snapshot and an aggregated whole-of-organization view. At the whole-of-organization level a risk trend and treatment summary may be compiled specifying how every reported risk is being managed. This provides the helicopter view of where resources, spending and focus are being applied to manage specific risks. Importantly, it provides a level of comfort that we are knowledgeable about our risks and can consider opportunities and areas for innovation for the future.
Incident management is a key part. We call it Proactive Problem Management (PPM for short) and see it as a continuous improvement mechanism. While the initial focus is on escalating and risk managing the incident, considerable value is derived from the phase that immediately follows: understanding the root cause and the insights it offers. This typically drives various action plans to further strengthen processes and frameworks.
Monthly PPM summary reporting may promote discussions at the broader institutional level around matters such as the opportunity to innovate and change the way we do things, risk culture and awareness, general robustness of process, and any trends or hot spots for follow-up. Staff are expected and encouraged to raise incidents in an open and transparent manner, and are thanked for doing so.
- Risks are more likely to eventuate when preparedness is inadequate.
- The adverse consequences when risks eventuate are generally worse when risk management is limited.
- Being risk aware and risk prepared (risk smart for short) supports innovation, rather than impeding it, as many fear. In many cases, opportunity and risk are shadows of one another. Both elements must be kept in focus. When someone identifies an opportunity, we ask what risks exist, so that the gains will not be lost. When risks are raised, we ask what opportunity there is to move forward.
- Risk management is a whole-of-organization task and responsibility. It needs to be demanded and modeled by executive management, owned and applied by business managers, and supported and monitored by a specialist risk management function. Accountability for risks should be assigned, but everyone is responsible for risk management. Leadership is crucial in setting the risk/innovation tone and leading the organizational dialogue.
- Risk management tends to atrophy if one is not careful. Successful risk management tends to undermine its own apparent value. A higher risk appetite can be sustained and greater risks may be taken, or complacency can set in because risks have been successfully, but almost unknowingly, averted. It is important to develop the culture, disciplines, processes and learning mechanisms that keep risk management fresh; for example, quasi-incidents, perhaps via BCP exercises, security penetration testing and external review, can be useful reminders. Risk management committees have a place in maintaining the focus.
- Engagement and conversations are vital. Risks need to be talked about. This builds awareness and action. Developing a culture in which risks and risk-taking can be discussed, managed and accepted is a key leadership challenge.
Source: Address by Mr Geoff Bascand, Deputy Governor and Head of Operations of the Reserve Bank of New Zealand, and Mr Steve Gordon, Head of Risk Assessment and Assurance of the Reserve Bank of New Zealand, to the New Zealand Institute of Chartered Accountants, Wellington, 24 June 2014.