In a business environment, the topic of risk isn’t sexy; unfortunately, firefighting issues is!
There’s simply no glory in managing risk and the subject tends to be subconsciously further down the corporate priority list. At best, it can be a box ticking exercise, i.e., completing a risk register. But how many risks are in there? When did you look at it last and how did you analyze it?
The corporate attitude to risk differs by organization - but having a risk strategy is about thinking:
- What do you want to do about risk?
- Do you have the appetite to implement a strategy?
A good starting point is allocating responsibility for risk: a good CEO should definitely have it on the agenda or a portfolio director dealing with programmes and projects. But risk strategy can be overlooked if those in authority are too busy firefighting business issues or concerned with the cost of preventing risks. In fact, the potential cost of not preventing them can be much greater.
Focusing on the short term issues leads to self-preservation, lack of learning from experience and a fragmented approach across an organization, all of which adds up to increased costs.
Risk strategy - the why and the how:
Senior managers need to look at how to handle risk consistently across the organization. This is about aligning risk management with overall business objectives and instilling a culture of continuous improvement. Without this, companies face a lack of joined-up thinking, and a mentality of issues resolution and firefighting. Issues cost businesses money, but prevention and integrated risk mitigation plans shouldn’t.
Creating an integrated risk process isn’t easy since it’s necessary to have a central, integrated plan that covers all risk activities. So, you should ensure:
- Risk Management is part of the regular Governance cycle
- Is at the start of a Governance agenda not the end
- Review the existing risk information available and lessons learned
- Identify operational risks and link them to strategic risks
- Put a risk management process in place to start building and maintaining integrated risk plans
- Categorize risks in order to control them for the whole enterprise
- Choose a common tool to capture risks, e.g. a risk register which includes probability, impact and proximity
- Represent overall programme risks in the form of Risk Bowties - useful with stakeholders
- Get senior management buy-in and from this have nominated risk champions responsible for plans being integrated across locations – this ensures joined-up thinking, common mitigation actions and the ability to control mitigation costs.
Through the implementation of the AXELOS portfolio of best practice guidance, the Management of Risk (M_o_R®) this approach can help organizations manage risks more effectively immediately.
It also raises risk up the corporate priority list and treats it not only as a threat but also as an opportunity. Doing risk evaluation on a major programme should be done regularly including risk workshops with senior stakeholders.
Can your organization afford not to?