by Alfonso Esteban
11 Jun, 2020
Many Boards and business owners perceive risk management to be the purview of middle management, as it is a ‘technical discipline’ that is part of operations management. The reason for this perception is the focus of risk management teams, or front-line management if you are lucky, on developing complex risk registers with colourful risk matrices and key risk indicators that are meaningful to them and nobody else, all driven by operational risk concerns (and following to the letter the principles of ISO 31000).

So how do you reframe the risk discussion so that your Board or governing body sees risk as something that they need to own and understand, without being pressured by a regulator? A good starting point is to change the discussion from operational risk management, or if you are lucky, strategic risk management, to “strategic management of risk” and “operational management of risk”, as shown in the diagram below.

Strategic management of risk is long term and works hand in hand with the strategic vision and intent. It is externally focused and assists in determining the level and type of risk that an organisation is willing to take in the achievement of its strategic objectives. The Board is then the owner of the organisational risk appetite and is tasked with understanding the external risks that can impact on the achievement of the strategic vision. The Board can also decide which risks they are willing to take to hasten the achievement – the enhanced reward from taking risks.

Strategic risk management is performed as part of, or even preceding, strategic planning. Risk-based scenario analysis can then be done on elements of the strategic plan to help in prioritisation, refinement of the plan elements and even removal of plan elements deemed to be outside of appetite.

Operational management of risk reframes the risk discussion away from technical risk management to being part of operational management at all levels of an organisation. Operational management of risk is short term and is internally focused. It is guided by the risk tolerance of the organisation – the boundary that the Board sets for each risk category (defined by operational management in line with strategic plans) within which risk-based operational decisions are allowed. The technical aspects of risk management can then be undertaken – creating the risk registers, developing and measuring controls, key risk and key control indicators, etc.

Reframing the risk discussion often results in an “ah ha!” moment for Boards, who now better understand why risk management is important to them and the organisations that they govern.

For assistance on reframing the risk discussion in your organisation, contact Alf Esteban at StratEdge Consulting.