The Value of a Systematic Approach to Identifying and Managing Risk
Thinking about risk
Because the future is unknowable and therefore uncertain, identifying, characterising, managing and monitoring risk must be embedded in the governance and operational management of every organisation. Small to mid-sized companies and non-profits must be at least as alert to this challenge as larger entities, if not more so, because they lack the financial strength and specialist resources that larger entities usually have.
Many people think of risk management as simply stopping undesirable things from happening, but equally important is the risk of missing out on an opportunity through lack of vision or preparedness. Risk is not inherently bad. It is not something to be avoided but, rather, to be understood and balanced against the rewards expected from the pursuit of an organisation’s objectives.
The board is ultimately responsible for an organisation’s risk management framework. What is loosely called ‘risk management’ should be thought of as an integral part of the board’s process of ‘strategic thinking’: paying explicit attention to the organisation’s future and then guiding it with intent, which means pursuing opportunities through the maze of hazards the future typically throws up. Management, too, must attend to a multitude of potential risks. A great many of these will be beyond an organisation’s ability to control or even influence, but it must at least be able to anticipate, plan for, and ultimately survive even a major risk event.
Because not all risks are created equal, a board must be able to articulate its ‘risk appetite’. This is vital to inform judgements about risks worth taking. The board must ensure that management has a good understanding of the nature and extent of risk it is prepared to accept in the pursuit of the organisation’s objectives.
What kind of risk?
There are many sources of risk and each organisation needs to identify which of them are relevant to its situation. For illustrative purposes, here are some of the risks that the boards of small and medium enterprises, both for-profit and non-profit, have to deal with to assure satisfactory business performance and sustainability.
- Market Change Risk: Dynamic movement in the market is a significant risk for all organisations. Competitors may emerge offering lower prices or better products and services. Government policies can change the rules of the game. New technologies can make established ways of doing things obsolete. Major sponsors can go out of business.
- Economic Risk: The economy moves in cycles, although the actual timing and the size of peaks and troughs in those cycles are never certain. Economic change can also be abrupt, and crisis-driven (e.g. the oil shocks of the 1970s, the share market ‘crash’ of the late ‘80s, the GFC of 2008, today’s coronavirus pandemic). Economic downturns affect even the biggest corporations but can have an even greater impact on small to mid-sized businesses or non-profits. Funding for non-profits is always contestable and even harder to find in an economic downturn.
- Financial Risk: In any small to mid-sized business or non-profit, capital is at a premium and cash flow is a big deal - even more so in the start-up phase. Boards have to continually monitor their cash position to ensure sufficient funds to meet their organisations’ financial obligations. Financial risk can be very personal - founders and business owners may have to use their life savings or take out substantial loans to get, or keep, their organisations running.
- Location Risk: A locational advantage is a critical requirement for many small to mid-sized businesses. Non-profit service providers may also have a locational dependency. But location can also pose risks as well as deliver benefits. For example, some locations may be vulnerable to disruptive natural events (e.g. storms, floods, and earthquakes).
- Cyber Security Risk: Increasingly, transactions within and between organisations occur online, which exposes them to more and more complex risks: for example, network or service disruption, breaches of personal or other confidential data, spam and fraudulent email, payment fraud, and identity theft.
- Key Person Risk: The smaller the organisation, the more likely it is to be dependent on a small number of employees or even volunteers. Often the biggest risk is to the health, both physical and mental, of the founder or owner. Smaller organisations tend not to have the depth of staffing to ride out a crisis involving employees whose knowledge and skill sets are crucial to the performance of the business.
- Health and Safety Risk: The basic premise is that no one should suffer harm in organisations whether they are employees, volunteers or visitors to business premises. There is a legal obligation on board and management to identify and manage these risks.
- Reputation Risk: For many small organisations whether commercial or non-profit, their reputation is their most critical asset. Consider a restaurant that experiences food poisoning or a non-profit whose front person is caught up in a scandal of some kind. It can easily be a case of ‘game over’.
Getting on top of risks
Even in a smaller organisation with limited resources, whoever is ultimately responsible for the future of the organisation needs to make the time to think about risk. The most important risks that require close and continuing board attention are those we might call ‘mission-critical’ risks. These are likely to be reasonably visible, but they nevertheless deserve systematic attention that identifies, characterises, manages and monitors them. The aim over time is to intentionally and progressively reduce specific risks.
In dealing with mission-critical risks the board needs to make time to think about these for itself. Directors should have the kind of relatively detached, ‘big picture’ take on risk that is, by definition, hidden from those caught up in the vortex of day-to-day management. That is not to deny the value of management participation in thinking about risk. It is simply to say that the board has to understand and own the management of those risks that, if not handled well, would cause an organisation significant harm.
A systematic approach by a board to understanding and owning mission-critical risk would likely involve the following sequence of steps. Each of these steps should be followed to the degree of depth and formality relevant to each board’s circumstances.
1. Identify potential major risks. This could involve a range of techniques such as:
- Regular environment scans – perhaps as a feature of every board meeting, asking questions like ‘What is happening out there?’ ‘Does it have risk implications?’ ‘Do those matter?’
- Focused brainstorming – perhaps as part of a strategic planning process. A starting point might be the kinds of risk referred to above. Another might be to use a PEESTI-type framework (Political/governmental, Economic, Environmental, Social/Demographic, Technological, Industry) to start the conversation.
2. Characterising those risks – focusing on the risks that require the greatest attention at board level and understanding their dimensions. Filtering out and prioritising mission-critical risks is done mostly by assessing the possible impact of each risk and its probability of occurring. This step also helps the board to better articulate its appetite for risk.
The use of scenarios is helpful when applying the kind of ‘What if’ thinking that is essential for any board assessing risk. Although scenarios are often thought of in terms of ‘best case/worst case’ these should be contrasting but equally conceivable models of the future. Scenarios help a board better understand the nature of risks that might be associated with each scenario and to test alternative strategies.
The use of a ‘pre-mortem’ approach is also gaining popularity. It is simply the process of assuming that a planned initiative has failed then working back to understand what might have gone wrong.
3. Managing the risks – given that governance is essentially a ‘hands off’ process, the board’s policy-making function is central to this step. Remember it is the board’s job to direct and control organisational endeavour. Management must be given clear direction on what is to be achieved (‘ends’). The board also must rule out the application of unacceptable ‘means’. This is best done by setting boundaries to management’s decision-making freedom. This is an integral aspect of the board’s delegation of authority to allow management to ‘operate’ the organisation and is the most direct expression of the board’s risk appetite.
4. Monitoring the risks - most boards require management to prepare a risk register. An occasional review of the risk register can give a board assurance that management has a good line of sight on lower level risks as well as the mission-critical risks the board is primarily interested in. The board should expect management reporting on mission-critical risks sufficient to give it confidence that those are being managed or mitigated appropriately. Ideally the board will do periodic ‘deep dives’ into each of those risks. As part of that process it may also wish to commission independent reviews of how those risks are being handled.
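As an added illustration of steps 2 and 4 above (this is example code written for this page, not the author’s risk register template), here is one way a risk register can make the impact-and-probability assessment and the board’s risk appetite explicit. Each risk is rated on assumed 1-5 likelihood and impact scales, scored before and after controls, compared against a per-category appetite threshold that the board is assumed to have set, and filtered so that only mission-critical risks reach the board report. The scales, the thresholds, the mission-critical cut-off and the sample risks are all assumptions made up for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Qualitative rating scales. The 1-5 scales are an assumption for this
# example; the page itself does not prescribe a scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One row of a risk register."""
    name: str
    category: str                      # e.g. "cyber security", "key person"
    likelihood: str                    # inherent rating (before controls)
    impact: str                        # inherent rating (before controls)
    owner: str = "management"
    controls: list = field(default_factory=list)
    residual_likelihood: Optional[str] = None   # after controls; defaults to inherent
    residual_impact: Optional[str] = None

    def __post_init__(self):
        # Reject ratings that are not on the agreed scale so the register
        # cannot quietly accumulate unscored rows.
        for rating in (self.likelihood, self.residual_likelihood):
            if rating is not None and rating not in LIKELIHOOD:
                raise ValueError(f"unknown likelihood rating {rating!r}")
        for rating in (self.impact, self.residual_impact):
            if rating is not None and rating not in IMPACT:
                raise ValueError(f"unknown impact rating {rating!r}")

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        like = self.residual_likelihood or self.likelihood
        imp = self.residual_impact or self.impact
        return LIKELIHOOD[like] * IMPACT[imp]


def classify(risk: Risk, appetite: dict, default_appetite: int = 6) -> str:
    """Compare residual score against the board's appetite for that category.

    'treat' means the residual risk still exceeds appetite and management
    owes the board a plan and a date; 'accept' means it sits within appetite.
    """
    threshold = appetite.get(risk.category, default_appetite)
    return "treat" if risk.residual_score() > threshold else "accept"


def board_report(register: list, appetite: dict, mission_critical: int = 12) -> list:
    """Rows the board should see: risks whose inherent score reaches the
    mission-critical cut-off (assumed 12 here), ordered by residual score,
    each with the appetite decision and the named owner."""
    ordered = sorted(register, key=lambda r: (-r.residual_score(), -r.inherent_score()))
    return [
        {"risk": r.name, "category": r.category,
         "inherent": r.inherent_score(), "residual": r.residual_score(),
         "decision": classify(r, appetite), "owner": r.owner}
        for r in ordered if r.inherent_score() >= mission_critical
    ]


# Constructed sample register for the example (not real data).
SAMPLE_REGISTER = [
    Risk("Network disruption takes the online booking system offline", "cyber security",
         "likely", "major", owner="IT lead",
         controls=["offline backups restored and tested quarterly",
                   "multi-factor authentication on all remote access"],
         residual_likelihood="possible", residual_impact="moderate"),
    Risk("Founder unable to work for 3+ months", "key person",
         "possible", "severe", controls=["documented procedures"],
         residual_impact="major"),
    Risk("Main sponsor withdraws funding", "market change", "unlikely", "severe"),
    Risk("Office flooded", "location", "rare", "major", controls=["insurance"]),
]

# Assumed board appetite thresholds per category; anything not listed uses the default.
SAMPLE_APPETITE = {"cyber security": 6, "key person": 8, "health and safety": 2}


if __name__ == "__main__":
    for row in board_report(SAMPLE_REGISTER, SAMPLE_APPETITE):
        print(row)
```

Running the block prints the two mission-critical rows (the key person risk first, because its residual score of 12 is still above the board’s appetite of 8 even after controls, then the cyber risk at residual 9 against an appetite of 6); the sponsor and flood risks stay in management’s register because their inherent scores fall below the cut-off. The point of the residual column is that a control which does not move the score, such as ‘documented procedures’ here, is visible to the board as such.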
No matter how a board approaches risk it must remember that its risk environment is constantly changing.
Like rust, risk never sleeps!