Thinking about risk
Because the future is unknowable and therefore uncertain, identifying, characterising, managing and monitoring risk must be embedded in the governance and operational management of all organisations. Small to mid-sized companies and non-profits must be just as alert to this challenge, if not more so, because they lack the financial strength and the specialist resources larger entities usually have.
Many people think of risk management as simply about stopping undesirable things from happening, but equally important is the risk of missing out on an opportunity through lack of vision or preparedness. Risk is not inherently bad. It is not something to be avoided but, rather, to be understood and balanced off against the rewards that are expected from the pursuit of an organisation’s objectives.
The board is ultimately responsible for an organisation’s risk management framework. What is loosely called ‘risk management’ should be thought of as an integral part of the board’s process of ‘strategic thinking’. The process of paying explicit attention to the future of an organisation, then guiding it with intent, involves pursuing opportunities through a maze of hazards that the future typically throws up. This also requires management to attend to a multitude of potential risks. A great many of these risks will be beyond an organisation’s ability to control or even influence, but at least it must be able to anticipate, plan for, and ultimately survive even a major risk event.
Because not all risks are created equal, a board must be able to articulate its ‘risk appetite’. This is vital to inform judgements about risks worth taking. The board must ensure that management has a good understanding of the nature and extent of risk it is prepared to accept in the pursuit of the organisation’s objectives.
What kind of risk?
There are many sources of risk and each organisation needs to identify and determine which of these are relevant to its situation. For illustrative purposes, here are some of the risks which the boards of small and medium enterprises, both for-profit and non-profit, have to deal with to assure satisfactory business performance and sustainability.
Getting on top of risks
Even in a smaller organisation with limited resources, whoever is ultimately responsible for the future of the organisation needs to make the time to think about risk. The most important risks that require close and continuing board attention are those we might call ‘mission-critical’ risks. These are likely to be reasonably visible, but they nevertheless deserve systematic attention that identifies, characterises, manages and monitors them. The aim over time is to intentionally and progressively reduce specific risks.
In dealing with mission-critical risks the board needs to make time to think about these for itself. Directors should have the kind of relatively detached, ‘big picture’ take on risk that is, by definition, hidden from those caught up in the vortex of day-to-day management. That is not to deny the value of management participation in thinking about risk. It is simply to say that the board has to understand and own the management of the kinds of risks that, if not handled well, would cause an organisation significant harm.
A systematic approach by a board to understanding and owning mission-critical risk would likely involve the following sequence of steps. Each of these steps should be followed to the degree of depth and formality relevant to each board’s circumstances.
1. Identifying potential major risks – this could involve a range of techniques such as:
2. Characterising those risks – getting focus on the risks that require the greatest attention at the board level and understanding their dimensions. The process of filtering out and prioritising mission-critical risks is mostly done by assessing the possible impact of each risk and its probability of occurring. This step also helps the board to better articulate its appetite for risk.
The use of scenarios is helpful when applying the kind of ‘What if’ thinking that is essential for any board assessing risk. Although scenarios are often thought of in terms of ‘best case/worst case’ these should be contrasting but equally conceivable models of the future. Scenarios help a board better understand the nature of risks that might be associated with each scenario and to test alternative strategies.
The use of a ‘pre-mortem’ approach is also gaining popularity. It is simply the process of assuming that a planned initiative has failed then working back to understand what might have gone wrong.
3. Managing the risks – given that governance is essentially a ‘hands off’ process, the board’s policy-making function is central to this step. Remember it is the board’s job to direct and control organisational endeavour. Management must be given clear direction on what is to be achieved (‘ends’). The board also must rule out the application of unacceptable ‘means’. This is best done by setting boundaries to management’s decision-making freedom. This is an integral aspect of the board’s delegation of authority to allow management to ‘operate’ the organisation and is the most direct expression of the board’s risk appetite.
4. Monitoring the risks – most boards require management to prepare a risk register. An occasional review of the risk register can give a board assurance that management has a good line of sight on lower-level risks as well as the mission-critical risks the board is primarily interested in. The board should expect management reporting on mission-critical risks sufficient to give it confidence that those are being managed or mitigated appropriately. Ideally the board will do periodic ‘deep dives’ into each of those risks. As part of that process it may also wish to commission independent reviews of how those risks are being handled.
No matter how a board approaches risk it must remember that its risk environment is constantly changing.
Like rust, risk never sleeps!