The Institute of Risk Management is developing a paper on risk appetite and risk tolerance (I am privileged to be a reviewer). I am confident this will be a great addition to the available, practical guidance on risk management.
It prompted me to think about what really matters, what makes an organization effective in managing risk.
The only way risk management has value is if it affects the way you do business. It must influence decisions and actions; otherwise, it is no more than decoration. Risk management should not be a ‘check-the-box’ activity. Used well, it can help an organization achieve and sustain optimal long-term performance.
To be effective in managing risks, an organization needs not only to understand and assess its risks, but also to have a culture that embraces the active consideration of risk in:
- Establishing the (short and longer-term) strategy, organizational goals and objectives
- Developing and executing strategy, and monitoring both its execution and the achievement of goals and objectives
- Everyday decisions
I have seen too many organizations focus on identifying and assessing risks every quarter, maybe even talking in terms of a high-level risk response (e.g., accept the risk, or hedge it using currency swaps), at the expense of actually managing the risks day-to-day.
Let’s take a mundane example: my commute to work. One approach is to perform a quarterly assessment of the risks: (a) that I will be in an accident, or (b) that I will be delayed and miss important meetings. Since I am assigned to SAP’s Palo Alto office, which is about 18 miles and 25-30 minutes away (by freeway), to a certain extent I must accept the risk. I believe the risk of accidents to be low, and my response is to train myself to drive carefully. The risk of traffic delays is higher, especially if I leave during the morning rush hour, so my response is to schedule meetings for later in the day.
I assess these [residual] risks, compare them to my risk tolerance, and am satisfied. But should I be?
The other approach is to embed risk in my daily decisions. Each day, I review the next day’s schedule and plan ahead. If I have an early morning meeting, I will decide to leave home very early to avoid most of the traffic. (I will also check to confirm that I have to be in the office, in case I can reduce my risks by calling in). I also check the weather forecast and take that into consideration. When I wake, I again check the weather to see if I need to leave earlier (for example, if there is rain I should expect driving times to be longer). As I am driving, I am making more risk decisions. If the freeway is clogged up with traffic, I may elect to take side streets – taking into account the risk they are also slow due to increased traffic. I am certainly making a number of accident risk decisions as I drive. For example, I will stay further behind the car in front of me when it is raining.
Let’s take a second example, this time from corporate life. Years ago, I worked for a company that owned several oil refineries. One of its most significant risk areas was safety, not only of its employees, but also of the many employees of contractors (“contract staff”). At any time, there could be hundreds of these workers within a refinery. While it would have been easy to rely on the contract we had with the contractors, which had multiple stipulations regarding safety (including training and equipment), our Health and Safety department had performed a risk assessment and identified a number of actions it would take to ensure the safety of everybody working at a company location. These included mandatory safety training and orientation for all contract staff, close supervision by our employees, and more.
But, a periodic assessment of risk was not enough. The Health & Safety department also monitored safety training attendance records to confirm that all contract staff were attending and passing the tests. A drop in attendance would indicate a higher level of risk, triggering calls to the contractor and a higher level of monitoring of the work site by management. If a supervisor reported one of the contract staff was not following safe operating procedures, this would raise a risk red flag and actions would be taken – not only with respect to that individual, but to all workers from the contractor.
Assessing safety risk “every so often” was not enough. Risk levels change all the time, and my company needed to understand current risk and take appropriate actions.
It’s not enough to understand risks in your daily decisions; you need to actively manage them. Do you and your management team embed risk into your daily activities and decisions – and manage those risks constantly? Do you:
- Consider risks in setting strategy – and assign responsibilities and tasks for minimizing the likelihood and adverse effects of those risks?
- Include risk mitigation activities in project plans and the like?
- Consider the risks to achieving your objectives every time you make a hiring or purchasing decision – and identify what you can do to manage the risks?
- Continue to manage risks by taking actions every day?
- Monitor risks, so that you are not surprised? Or do you wait until the official risk assessment time?
Is your risk management program a quarterly exercise or a way of life in the business?