How to make risk management more effective, relevant and value-adding
Unconsciously, we all take and manage risk every day, from crossing a busy road at lunchtime to sourcing alternative suppliers for your products at work. We just don’t call it “risk management”.
Effective risk management helps us think about how to prevent or reduce the chance of something bad happening or increase the likelihood of success in the activities we do.
The standard approach to risk management is about the likelihood of achieving your objectives. Your objectives could include crossing a busy road safely or improving your supply chain.
Unfortunately, in most cases the practice of ‘risk management’ amounts to identifying potential problems or threats by generating a list of risks, a list that does little to help boards and corporate executives position their organisation for success.
Risk, as defined by the international risk management standard, ISO 31000:2018 Risk management — Guidelines, is the “effect of uncertainty on objectives”. One of the options for treating risk may include “taking or increasing the risk in order to pursue an opportunity”.
We manage both the upside of an opportunity and the downside of a threat.
This ISO standard is for use by anyone — corporate executives and individuals alike — who wants to create and protect value by managing risks, making decisions, setting and achieving objectives and improving performance.
The previous version of the ISO standard explicitly states that, for risk management to be effective, an organisation should at all levels comply with the principle that risk management creates and protects value.
So, let us unpack how we can make risk management more effective, relevant, practical and value-adding.
Managing risk is ultimately about outcomes
The achievement of objectives does not, in itself, always equate to success, and success is the final outcome we seek from any organisational activity. If an activity does not lead to that outcome, it should not be undertaken.
This is why the achievement of objectives must be translated into tangible successes that are linked to positive outcomes.
Growth for growth’s sake is meaningless. Likewise, achieving objectives for their own sake is meaningless, unless the aim is to game the system and collect financial bonuses for meeting some meaningless performance targets. Risk management then becomes a meaningless compliance exercise.
Many organisations consider risk management as something they have to do to achieve compliance. They conduct superficial risk assessments that are no more than documentation exercises. These exercises are of little value to the business or its customers. They are not useful for decision making.
In contrast, effective risk management should enable the structured, systematic and consistent identification and evaluation of risks throughout the organisation based on the vision, mission, purpose and goals of the organisation. The risk management process must allow information about uncertainties (risks) and even issues (known issues) to be actively used to help make better decisions for the long-term success of the organisation.
To do that, we need to apply risk management differently from now on. We need to think about the ‘achievement of objectives’ from two perspectives:
- Objectives are hierarchical within an organisation — As objectives are hierarchical, the practice of identifying and managing risks must also be hierarchical in nature and be considered as such when designing your framework to manage risks within an organisation.
- Actions to implement or ‘operationalise’ the hierarchy of objectives within a specific organisational context — The vision and top-level goals must be cascaded or broken down into individual project or activity goals.
Objectives are hierarchical
An objective is generally concerned with the “where to” question. It usually comprises a vision and many goals. (This is the terminology I will be using.)
The hierarchy of objectives is set out below:
- Vision — Your greatest ‘purpose’ (why we exist), guided by your vision (where we are going) and mission (what we do). This is the broad primary outcome that you want to achieve. For example, to create economic opportunity for every member of the global workforce (LinkedIn’s vision).
- Long-term main goals — These are long-term goals that will lead you towards fulfilling your vision. The information at this strategic level is captured in the organisation’s strategic plan.
- Medium-term milestone goals — These are the milestone goals in-between the first immediate steps that you need to take and your long-term main goals. These goals are captured in divisional or departmental plans.
- Short-term mini-goals — These goals allow your medium-term milestone goals to be ‘broken down’ further into smaller, bite-size chunks. This is where top-level goals are cascaded. It makes long-term main goals more manageable and achievable. They are stepping-stones that lead you closer towards reaching your vision. These mini-goals could be represented as plans for teams, units, projects, and even individuals, as personal performance plans.
As objectives are hierarchical, the practice of identifying and managing risks must also be hierarchical in nature and be considered as such when designing your framework to manage risks within an organisation.
Actions towards achieving the vision
The actions to implement or ‘operationalise’ the hierarchy of objectives are as follows:
- Strategy — Provides a clear long-term roadmap. This is the “how to” for achieving the vision. It is managed by executive management. At this strategic level, executives are concerned with leading the entire organisation to success by managing the portfolio of programs and projects. Strategies result in the definition of comprehensive programs, projects and initiatives to achieve the desired objectives at the different organisational layers. Organisational structures and governance support the implementation of these programs and projects.
- Portfolio — Collections of initiatives that deliver on the strategic objectives. This is managed through portfolio or investment management within divisional or departmental structures. At this level, executives are concerned with realising the benefits of the investments made in the business.
- Programs — A group of related projects that collectively deliver the agreed benefits. This is managed through program management within team and unit structures. Dependencies and conflicts between projects are managed at this program level.
- Projects — A single discrete activity created to deliver the agreed benefits. This is managed through project management. Project teams deliver the agreed deliverables within schedule, budget and quality constraints. Most organisational activities are ‘projects’ at their core and should be treated as such. Simply put, a project is a series of tasks or activities that need to be completed in order to reach a specific outcome or purpose.
In essence, the vision and top-level goals must be cascaded or broken down into individual project (or activity) goals. The achievement of all project goals must be aligned, where their individual contributions can be aggregated up towards the achievement of the vision.
Decisions that are made throughout the organisational structure must ultimately contribute towards the achievement of its vision.
For the uninitiated:
- A vision is the broad primary outcome of the organisation.
- A strategy is an approach you take to achieve the vision.
- An objective or goal is a measurable step you take to achieve a strategy.
What effective risk management should look like
Effective risk management is about providing decision-makers across and throughout the organisation with timely and valuable information that they need to make informed and intelligent decisions to implement the right strategies, accomplish their goals, vision and mission, and be ultimately successful.
The risk management process should provide information related to the effective implementation of strategies and the achievement of objectives and goals. This enables decision-makers to make better-informed decisions that create and protect organisational value.
After all, risk management is about value creation and protection.
Decision-makers must know how to make the informed and intelligent decisions necessary for success. They must find the answer to this question: what might affect the likelihood and extent of my success?
To answer this question effectively, we must consider two inter-related things that will guide our decision:
- What is the description of the intended future state or desired outcomes required or expected? This is driven, in part, by the hierarchical nature of objectives.
- What is the description of the projects currently undertaken? This is about the activity we are doing and how achieving it will contribute to the overall success of our intended future state or desired outcomes.
Unfortunately, risk management as we know it today performs well only at the tactical or operational level, that is, in identifying uncertainties or risks arising from our activities. It fails miserably to adequately define our actions and link them to the achievement of the vision and the success required, which is our desired future state.
The first key consideration — How to increase the likelihood of success?
The best place to start identifying and managing risks is to be very clear about the outcomes we are seeking to achieve (from doing a project or performing any activity).
These ‘desired outcomes’ are descriptions of the intended future state with clear measures of success.
By defining and measuring the desired future state, we can determine what the undesired states might be. These undesired states could be the risks that we may face. Once we have clear descriptions of the undesired states, we can describe their effect on customers and then evaluate the likelihood that we will end up in one or more of these states.
We must ask two key questions when undertaking a project (or activity):
- Question 1 — What does success look like? (This ensures alignment towards achieving the vision.)
- Question 2 — What are the measures of success? (Our actions must contribute to the achievement of performance measures. This drives our actions.)
In answering these questions, think about how you can increase the likelihood of your success within the context of achieving the following:
- The organisation’s vision, mission and purpose beyond the silos of excellence that exist within.
- The measures of success (the answer to Question 2 above).
It is easy to end up with a long list of ‘risks’ (possibly an inventory of 100 ‘risks’!) rather than a risk management system that effectively manages a handful of key risks with strategic consequences. Organisations often skip over the important part, that is:
- Providing a strategic lens into risk, and
- Asking the question: In the context of our products, services, and strategic objectives, what are the big risk causes that would make it difficult for us to be successful?
It is not the quantity but the quality of risk identified and the effectiveness of the risk management process that will make a competitive difference and improve performance for organisations.
There are good and practical reasons to focus the organisation on strategic risks:
- “Strategic risk has become a major focus, with 81% of surveyed companies now explicitly managing strategic risk — rather than limiting their focus to traditional risk areas such as operational, financial and compliance risk. Also, many companies are taking a broad view of strategic risk that doesn’t just focus on challenges that might cause a particular strategy to fail, but on any major risks that could affect a company’s long-term positioning and performance.” (Deloitte, 2013)
- “Strategic risks account for about 60 percent of the risk universe, followed by operational risk (30 percent) and financial risk (about 10 percent).” (Corporate Treasurers Council, 2013)
- Strategic risks “dominate the list of concerns for many companies … [and they] do not have a structured framework for identifying or mitigating them.” (Economist Intelligence Unit, 2010)
- “For two-thirds of the value shifts — positive and negative — the underlying events are strategic in nature, rather than operational or financial. […] Overall, the CEO and the Board should take explicit ownership for the management of the drivers of value and associated strategic risks, and regularly review the performance of the overall risk management and control infrastructure. By doing so, they should be rewarded by sustained growth and protection of shareholder value.” (Oxford Metrica and Ernst & Young, 2002)
The second key consideration — How to increase the likelihood of achieving my objectives?
Think about what could happen so that you can increase the likelihood of achieving your objectives.
When organisational activities are considered as discrete projects, we are able to use project management methodologies to effectively focus our efforts on completing the activity on time, within cost and at a pre-specified output quality.
We already know that there are common project-related risks that should be mitigated and they include:
- Insufficient resources available
- High turnover of project staff
- Contractor/consultant failure
- Overly optimistic schedule
- Poorly defined requirements
- Scope creep
- Poor project governance
- Unclear project objectives
- Inadequate/poor communication
By actively managing known or common project risks, we are able to implement the required mitigations at the start of the project to keep the project on track to meet its objectives.
What about risk professionals?
If risk professionals want to create and protect value for their organisation, as required by the international risk standard, and ‘earn’ a seat at the board table (including getting paid for their work!), they must work strategically alongside corporate executives to enable the achievement of the organisational vision and strategies.
When risk management is about the achievement of objectives, they must understand what success looks like for the organisation and the sum of parts that contribute to that success. They must help their executives and team leaders to effectively translate what looks good on paper into measurable outcomes and successes that are aligned towards the achievement of the organisational vision and strategies.
It effectively means that risk professionals must be able to implement or execute organisational strategies in order to create value for their employers. They must be able to bring the vision, mission and purpose of the organisation to life. That is their value-creation contribution to their employers.
For this reason, I am also calling myself a strategy execution specialist in addition to being a risk professional. It gives a renewed emphasis for risk professionals to make a tangible value-adding difference in organisations.
The reality is that if risk professionals do not continuously reinvent themselves, create value for their employers, and keep up with the ever-changing business environment and its challenges, they will be out of a job in no time. Prospective employers may place little value on employing a dedicated risk professional who is merely a process guru ensuring compliance with the risk standard.
Many businesses and organisations are struggling to survive, and the business environment will only get more difficult. Risk professionals must step up their game and be relevant to the business.
Value creation will be the only differentiating factor for risk professionals. They must successfully enable their employer to achieve its vision and strategies. That is what will keep their jobs secure.
Call-to-action
Sign up for your FREE consultation on how I can help you execute your corporate strategy and personal life plan.
References
Corporate Treasurers Council (2013). Enterprise Risk Management — Beyond Theory: Practitioner Perspectives on ERM.
Deloitte (2013). Exploring Strategic Risk: 300 executives around the world say their view of strategic risk is changing.
Economist Intelligence Unit (2010). Fall guys — Risk management in the front line.
Oxford Metrica and Ernst & Young (2002). Risks That Matter: Sudden increases and decreases in shareholder value and the implications for CEOs.