An organisation without adequate risk management capability exposes itself to existential threats and is ill-equipped to identify and capitalise on new and emerging opportunities.
In this article, we will cover the following themes:
Corporate Risk Management - The Why and The How
Risk Management is an Enabler of Business Growth and Operational Transformation
Incentivise and Reward Proactive Risk Management
Operational Risk Management (ORM) Framework
Risk Management Maturity Model
Protection of Strategic Organisational Objectives
Risk Response Strategy
Organisational Resilience
Risk Visibility and Reporting Dashboard
Lessons Learned and Continuous Improvement Culture
Corporate Risk Management - The Why
The world is experiencing extraordinary volatility, uncertainty, complexity and ambiguity (VUCA); therefore, organisations must develop greater awareness and readiness for the unexpected to thrive.
Operational risk management (ORM) customises best-practice risk management and governance frameworks to enable organisations to manage critical risks effectively.
Here are some helpful definitions to support this conversation:
Risk
A risk is the perceived threat (uncertainty) to organisational objectives. It is also an opportunity that, if maximised or exploited, can lead to the realisation of additional corporate benefits.
Risk management
Applying a best-practice risk management approach to protect and create value in response to risks to organisational objectives.
Organisational resiliency
The capacity and capability to proactively adapt or transform in the face of adversity and to thrive during uncertainty.
Business continuity assurance
The establishment of viable plans for organisational response to address catastrophic events.
Corporate Risk Management - The How
Implement the following recommendations to ensure risk management evolves to reasonable maturity within your organisation.
Risk identification:
Empower everyone to identify and capture threats and new and emerging opportunities aligned to their business unit’s objectives.
Opportunity identification:
Encourage all employees to actively scan the internal and external environments for potential opportunities to realise and enhance corporate strategic objectives.
Risk assessment:
Assess risks against corporate risk appetite to determine which risks exceed predefined risk tolerance.
Prioritise identified risks and assess the net effect of the risk exposure on corporate objectives.
Risk solution analysis:
Become competent at developing solutions to the top critical risks, supported by their correlating cost-benefit analysis.
Undertake a thorough examination of the merit of each risk response proposition before implementing the most viable option that will yield positive ROI.
Purpose of risk management:
Effective risk management provides an internal governance control mechanism and supports decision-making at all management levels of the organisation. It enables the assessment of the threats and opportunities to corporate objectives and the cost-benefit analysis of each critical risk response strategy.
To not leverage risk management capability is to:
operate with a blind spot
increase adverse exposure to the impact of VUCA
inadvertently forfeit valuable opportunities
be ill-prepared to manage uncertainties effectively
inadvertently put the long-term viability of your organisation at risk
Risk Management is an Enabler of Business Growth and Operational Transformation
Corporate risk management is evolving into a centralised and unified internal service to support corporate governance and informed decision-making across most sectors and industries, and at every level of the decision hierarchy.
Many environments consider risks within the projects, products and programmes context. Strategic (existential threats) and operational (business-as-usual) risks don't always receive the proper attention they deserve. Instead, incidents and crisis management are the norms.
However, in 2022, environmental concerns and disruption to the global supply chain exacerbated by conflicts, geopolitical tensions, high inflation and scarcity of certain commodities have significantly contributed to business instability and uncertainty. These factors make high volumes of incident and crisis management costly and unsustainable. Therefore, operational risk management is imperative to manage and mitigate uncertainties.
In an unpredictable global context, effective risk management has to be integral to corporate growth strategy and business operations transformation, alongside the highest standards of health and safety, employee wellbeing, environmental protection and ethical behaviour.
In the evolving model of effective corporate risk management, suppliers, customers and partners can better achieve their strategic goals through data transparency and integration, collaboration and open dialogue about the threats (and opportunities) within their respective and collective ecosystems. In short, they are stronger together.
Incentivise and Reward Proactive Risk Management
Effective risk management starts with organisation-wide education and a new culture of incentivising and rewarding proactive risk identification and mitigation.
Crisis management is a necessary and valuable approach to ensure business continuity in response to significant incidents and operational calamities.
However, unless organisations evolve and become adept at preempting and mitigating risks (threats) as an intentional strategy to deal with the rise of volatility, uncertainty, complexity and ambiguity, incidents and crises will proliferate. It will inevitably erode customer trust and profitability.
Furthermore, training and equipping your organisation to identify and capitalise on risks (opportunities) proactively can lead to incremental, organic and exponential growth.
Many new businesses are born during global economic uncertainties, changes and adversities. Therefore, a risk (threat) may be perceived negatively by some, while to others, risk signals a tantalising opportunity to disrupt the market and gain a competitive advantage.
Operational Risk Management (ORM) Framework
The ORM framework is straightforward. It distils best practice risk management into easy-to-implement steps.
Here are the four steps to establishing it within your organisation:
Protection of Strategic Organisational Objectives
Risk Response Strategy and Organisational Resilience
Risk Visibility and Reporting Dashboard
Lessons Learned and Continuous Improvement Culture
Read on for an in-depth analysis of each area.
For the ORM framework to work, first, establish a risk governance model across all leadership layers.
Business operations teams should focus on BAU threats/opportunities and only escalate risks to senior management that exceed predefined tolerance. Managers and teams should feel empowered, supported and equipped to manage risks within their predefined tolerance.
Executive leaders should focus on escalated and strategic risks - existential threats and opportunities to the organisation. Risk management should be an agenda item within management and leadership meetings. Set time aside to review aggregated risk exposure, their progress and the effect of any agreed mitigation and contingency plans.
Change management is required to make this work. Unless senior leaders become advocates and champions of proactive risk management, the desired cultural change will encounter snail-paced adoption, and perhaps systemic resistance.
Risk Management Maturity Model
Here is a snapshot of a generic and simplified corporate risk management maturity model. It's a helpful tool to assess your organisational risk management practice and maturity quickly.
Stage 1: Reactive
Some individuals within the organisation have essential risk management awareness. However, at an organisational level, risk management is ineffective, ad-hoc, reactive and unstructured. Although risk discussions sometimes occur, meaningful actions are infrequent. Unfortunately, excessive incidents and crises arise at this level.
Stage 2: Defined
The organisation recognises the value of effective risk management and its operational and strategic benefits. Action is underway to define and implement foundational risk management awareness, education and a standardised process and methodology.
Stage 3: Proactive
The organisation has established a risk management centre of excellence, or a central risk function, to provide leadership, governance, standards and risk management best practices.
Effective risk management is embedded within the organisation's culture, and senior leadership and management champion it through their words and actions.
Proactive risk identification of threats and opportunities is incentivised and rewarded, and everyone feels safe to discuss captured risks openly.
An analytics dashboard provides risk reports and insights, with associated risk response plans and cost-benefit analysis undertaken to inform decision-making at every level within the organisation.
All the teams monitor the risks to their objectives and take corrective actions where the risk response plan hasn't achieved the intended outcome.
Stage 4: Optimised
The culture of continual improvement builds on the achievements of the preceding levels, and everyone inputs into the evolution of the risk management process and practices.
All new starters are given thorough inductions into the organisation's risk management ways of working.
All job descriptions and team objectives have risk management goals.
Organisational resilience and risk management work alongside business continuity, sustainability, and product innovation.
Entrepreneurialism is part of the organisational culture, and adversity is viewed as a valuable learning opportunity.
There is explicit risk management integration across all risk perspectives to leverage organisational lessons learned, standardisation and best practices. These include HR, IT, finance, corporate planning, marketing, products, projects, programmes, portfolios and operations. It results in a resilient and adaptive organisation capable of achieving its strategic objectives.
Protection of Strategic Organisational Objectives
Organisations exist to create or exchange values (perceived benefits and utility) in some shape or form. The preservation of those values provides the organisation with the right to exist. As such, it is necessary to:
Maintain awareness of the competitive landscape
Monitor changes in customer behaviour/expectations
Observe and comply with environmental and regulatory changes
All these factors could necessitate the evolution or retirement of one or more items within the product and service catalogues.
Organisational Vision, Mission and Objectives
The vision and mission of organisations require a viable and robust strategy to realise them. A good strategy demands a clear set of measurable objectives that indicate their realisation.
Within this context, risk management, therefore, is about the protection of strategic objectives.
Any perceived threats/opportunities to strategic organisational goals must be captured and assessed for their likelihood of occurring and their impact or severity if they were to happen. The proximity or nearness of the perceived risk is also a critical factor in the risk assessment process. It could drive urgent action if the risk is uncomfortably near or the opportunity is time-bound.
Without clear organisational objectives to protect and defend, risk management is opaque and inconsequential. Its benefit cannot be readily ascertained or measured, and it could be an expensive exercise that yields little measurable value.
Effective Risk Management Requires Purpose Specificity
Here are three key questions to think about, from a risk management perspective, to help your organisation achieve its strategic objectives.
What threats is your organisation worried about, and how does that connect to your strategic organisational objectives? For instances where the perceived risk is not a threat or opportunity to your strategic goals, it may not warrant addressing through risk management.
What are the early warning indicators that your organisation may be unable to meet its critical objectives? Early warning indicators provide focus points that alert you when the threat is near.
What will be the consequences if the organisation fails to meet its corporate objectives? The impact should be measurable. For example, it could be financial loss, reputational damage, or regulatory compliance failure. The insight will aid risk management prioritisation.
These questions are not exhaustive. Instead, they should stimulate dialogue with your management and leadership teams to ensure clarity of your corporate strategic objectives.
Furthermore, the organisational objectives should be understood by everyone because they all have a role to play in defending, maximising and realising them through effective risk management.
Risk Response Strategy
Every critical risk requires a response strategy. The ultimate aim will be to eliminate, reduce or deploy a contingency plan.
If the risk is not a threat but an opportunity, the necessary response may be to maximise the chance of its occurrence by intentionally increasing its probability.
Effective risk management is as much about recognising opportunities and exploiting them as it is about mitigating threats to strategic objectives.
Most valuable opportunities contain an element of risk (uncertainties) - to a greater or lesser extent. Therefore, it is in the organisation's best interest to develop strategies, a culture of calculated risk-taking, and proactive and preemptive risk management to maximise desirable opportunities.
A mature risk management practice is where:
Critical risks to strategic organisational objectives are identified and prioritised.
The risk net effect on strategic objectives has been assessed.
A robust risk response plan has been developed.
The most viable solutions are ready for implementation should the risk materialise.
The culture of proactive risk identification and incentives is established.
Continuous improvement is embedded as part of the cultural norm.
The aim is to ensure that the organisation is not surprised by unidentified critical risks.
Unknown critical risks can quickly become a crisis if they transition from a perceived threat to an incident or crisis. Organisations will require a robust business continuity plan to manage the problem in such instances. Furthermore, such incidents or crises often expose the lack of organisational resilience in its operating model.
Organisational Resilience
Organisational resiliency has begun to emerge as an extension of risk management. One could argue that corporate resilience is an umbrella term that encapsulates both risk management and business continuity. In any case, it ensures the organisation can maintain a healthy level of business operability and stability during severe disruptions and unforeseen events.
Resilient organisations can thrive during uncertainty and use it as a competitive advantage.
The work required to transform legacy organisations into resilient ones can be significant. It encompasses people, processes, and technology transformation. It is underpinned by a compelling organisational vision and strategy.
Let's briefly summarise the requirement for each:
People:
To develop a high-performance self-organising agile workforce and adaptable organisational capability with a continuous learning mindset.
Processes:
To develop tech-enabled and configurable processes that adopt and integrate agility and continuous improvement.
Technology:
Automate repeatable and low-value tasks and optimise the value chain to eliminate waste, improve efficiency, propel innovation and sustainability, and increase productivity.
To leverage the power of technology to inform and drive value creation.
Risk Visibility and Reporting Dashboard
Effective risk management is about risk visibility and control. I use the word “control” loosely as it is not always possible to control the factors that drive critical risks. Instead, control denotes an organisation’s ability to identify and implement internal governance measures that enable effective decision-making to manage risks.
Governance enables decisions to be made at the proper levels without unnecessarily slowing down, stifling, hindering or paralysing decisions, ownership and accountability.
For a vibrant organisation and for employee development, everyone within the organisation should be aware of and comfortable with their decision rights.
Employees value some level of autonomy. Balance the need for independence with experience and credibility so as not to jeopardise the organisation's reputation.
Leaders and managers must develop their teams and equip them for growth and greater responsibility. It will ensure that identifying and exploring new opportunities is seen as valuable. In the business landscape, a risk-averse organisation will not have longevity.
Senior leaders require visibility of all identified critical strategic organisational risks. Today, many tools and reporting dashboards provide data visualisation in easily digestible formats to foster and stimulate dialogue.
Many senior leaders don't have the time or inclination to sift through reams of data. Therefore, leverage technology to enable real-time reporting of critical insights to drive action and impact.
Effective risk management leverages the power of technology to communicate risk insights to ensure everyone within the organisation is aware of the aggregated risks and the mitigation strategies to address them. It is the surest and fastest way to create a risk-aware culture and drive proactive risk management behaviour.
Lessons Learned and Continuous Improvement Culture
An organisation that believes in and values efficiency must strive to get work done right the first time. However, this is easier said than done. The way to enable this is through obsessive attention to learning from experience with an attentiveness that is forensic.
The intention is not to develop a blame culture. Instead, it is a positive recognition that every occasion is an opportunity to learn and improve. The cumulative effect is greater efficiency over time.
Seek to embed the commitment to continuous improvement into your organisation's DNA.
The central risk function can ensure that risk management captures and integrates lessons learned.
Lessons learned and continuous improvement culture aren't optional if an organisation seeks maximum value, operational efficiency and effectiveness.
Great leaders champion responsible financial management and the desire to reduce waste in the value chain. Every employee should feel empowered to challenge the status quo when it's no longer fit for purpose.
This mindset recognises that risks to strategic organisational objectives lie in unproductive attitudes and behaviour as much as in external drivers and events. Conversely, successful organisations are not risk-averse; they equip themselves to manage and exploit risks effectively within their risk appetite and capacity.