Blog

The above graphic was taken from a recent article published by VISUAL CAPITAL (see https://www.visualcapitalist.com/whats-at-risk-an-18-month-view-of-a-post-covid-world/) which summarises the findings of a World Economic Forum COVID-19 Risks Outlook survey of 347 risk analysts. Of the top 10 risks based on likelihood of occurrence, 7 are economic with the remaining 3 being societal, technological and environmental. Regardless as to how you would rank the full list, I believe that the risks identified are valid for all organisations to consider. What also needs to be considered is the impact of your ranked list against your organisation's objectives, with those higher rated risks having a fully developed mitigation plan. Also needing to be developed is a view of what opportunities do these risks open up for your organisation. StratEdge Consulting can provide assistance to you in assessing these risks based on your organisation's strategic objectives and context, as well as using a proven risk management framework in pursuing those opportunities that are arising from the current pandemic.

Those who know me know that I wear hearing aids as I suffer from severe to profound hearing loss in the mid to high range frequencies, which is typically the voice range of women and young children. I realised I had hearing loss when I was not able to understand anything my then young son was saying, and I could not hear what people were saying to me in noisy situations. My hearing aids have been a blessing that has enabled me to participate in normal conversations. But what does this have to do with risk management? Hearing aids are my reactive control to the risk event of deafness. There were several causes to the risk event and partial deafness impacted on several of my life objectives. So the hearing aids play a role in the risk story, which is the theme of this blog. Many risk registers that I have reviewed over the years do not contain actual risks. During my time at Protecht, David Tattam taught me the benefit of using a risk story to differentiate risk events from causes, controls and impacts. Educating front line managers in the use of the risk story will assist in ensuring that your risk register actually contains real risks and not failed controls. So what is the risk story? A risk story can be written as: “The risk of (risk event name) is caused by (risk causes) and impacts (objectives); and can be controlled by preventative, detective and reactive actions.” In my case, the risk event is deafness, caused by a number of factors that I was able to control (but didn’t!) at the time, leading to the impact of not being able to participate in normal conversations. The hearing aids used during waking hours are a reactive control to reduce the impact on the objective of participating in normal conversations. I recall reviewing a risk register of a mining and exploration company that had over 6,000 entries in its risk register. Most of the so called risks were in fact failed controls – easily detected as the risk event was called “failure to…“ – as well as impacts – again easily detected as they were called “non-compliance with licence condition / regulatory obligation”. Once cleaned out, this risk register was reduced to around 400 risks, which was still too high as the risk events were too granular (they included risk events such as “inability to source xyz branded truck tyres” where xyz was one of many types of truck tyres). How many risks are in your risk register and can they be stated as a risk story? Stratedge Consulting can assist in reviewing your risk register to make sure that you are accurately capturing risks that are impacting on your objectives.

Many Boards and business owners perceive risk management to be the purview of middle management as it is a ‘technical discipline’ that is part of operations management. The reason for this perception is the focus of risk management teams, or front line management if you are lucky, to develop complex risk registers with colourful risk matrices, key risk indicators that are meaningful to them and nobody else, all driven by operational risk concerns (and following to the letter the principles of ISO 31000). So how do you reframe the risk discussion so that your Board or governing body sees risk as something that they need to own and understand, without being pressured by a regulator? A good starting point is to change the discussion from operational risk management, or if you are lucky, strategic risk management, to “strategic management of risk” and “operational management of risk”, as shown in the diagram below. Strategic management of risk is long term and works hand in hand with the strategic vision and intent. It is externally focused and assists in determining the level and type of risk that an organisation is willing to take in the achievement of its strategic objectives. The Board is then the owner of the organisational risk appetite and is tasked with understanding the external risks that can impact on the achievement of strategic vision. The Board can also decide which risks that they are willing to take to hasten the achievement – the enhanced reward from taking risks. Strategic risk management is performed as part of, or even preceding, strategic planning. Risk based scenario analysis can then be done on elements of the strategic plan to help in prioritisation, refinement of the plan elements and even removal of plan elements deemed to be outside of appetite. Operational management of risk reframes the risk discussion away from technical risk management to being part of operational management at all levels of an organisation. Operational management of risk is short term and is internally focused. It is guided by the risk tolerance of the organisation – the boundary that the Board sets for each risk category (defined by operational management in line with strategic plans) within which risk based operational decisions are allowed. The technical aspects of risk management can then be undertaken – creating the risk registers, developing and measuring controls, key risk and key control indicators, etc. Reframing the risk discussion often results in an “ah ha!” moment for Boards who now better understand why risk management is important to them and the organisations that they govern. For assistance on reframing the risk discussion in your organisation, contact Alf Esteban at StratEdge Consulting.