Your essential four step guide to risk management

The Importance of having an integrated risk and business strategy

Do your risk strategy and business strategy sit in two separate folders? When drafting your risk strategy, was it aligned to the business strategy and written with your organisational goals at the forefront? Or, as most companies do, is your risk strategy little more than a casually updated Excel sheet?

Without an integrated risk and business strategy, the business will struggle to properly identify the long-term challenges that will affect it, will miss out on crucial indicators and controls, and will fail to see risk as a strategic priority.

Risk management systems are essential

Once a risk management plan, framework and policy are in place, the next step is to identify the risks and record them in a proper risk management system (RMS). Crucially, a good system provides a common language to talk about risk. This means being able to think about the impact of the office being flooded in the same context as failing to hire the best talent over the long term.

This is why recording risks in something like Excel just isn’t good enough. An RMS must take into account the impact of inherent and residual risk, measure the risk velocity, and be smart enough to analyse breaches and assign ownership of controls.

Key Steps to Managing Risk

To ensure your organisation has an integrated strategy in place, let’s look at our four-step guide to risk management. Bear in mind that the larger your organisation, the more sophisticated your risk management procedure needs to be.

  1. Assess potential risks in light of the business strategy

This means taking stock of risks in light of the business strategy. If, for instance, one of your key strategic goals is to double your turnover, you need to consider the entire arena of risks connected to that: from the risks if you don’t meet that target, to the risks if you do meet it, or even exceed it. One major risk that many small and medium companies overlook is becoming too successful too quickly. If one large contract could double your revenue overnight, would your business have the capacity to cope?

One mistake many risk managers make is to look only at short-term risks. For example, a construction firm may look only at the most obvious things, such as the risk of workers being injured at work. That is certainly a real risk for such companies. However, long-term risks, such as the potential for materials to increase in price due to a projected global shortage or a disruption to the supply chain, are just as important.

  2. Evaluate the likelihood and impact of the risk

Evaluating the likelihood of an event against the impact of the risk is another key step. An effective RMS provides a method for analysing the likelihood and impact, both before control measures are put in place (inherent risk) and after those measures are adopted (residual risk). This is a crucial part of risk management which many basic systems for dealing with risk fail to grasp.

For instance, the risk of a fire at the office will always be present and to a large extent unknown. A freak accident or electrical malfunction is impossible to predict. However, control measures such as ceiling sprinklers, fire blankets and even making sure all data is constantly backed up off-site significantly mitigate the potential impact of that risk, and of many others connected to it.

  3. Consider how to deal with the risk

Now is the time to come up with a strategy to counter all the identified risks. Remember, even risks with low severity and low likelihood need to be addressed, as they are risks nonetheless. Coming up with control measures and assigning responsibility is a hallmark of an effective system. The best systems can even send automated emails to those assigned as owners of a risk, making sure they deal with their responsibility.

Your business also needs to be able to measure and deal with risk velocity. This is the time it takes for a risk to impact your business. Something like a global rise in oil prices could, over time, affect your supply chain by making it more expensive to ship goods overseas. While this is a very real risk that could significantly impact your business, its velocity is quite low.

Something like a natural disaster or terrorist attack that shuts down your city or makes it hard for staff to get to work has a very high risk velocity. The minute something happens, police cordons will block the route, and there won’t even be time to get into the office and consult the risk strategy. High-velocity risk events require rapid responses.

  4. Implement and monitor your strategy

Now that the risks to the firm have been assessed and evaluated, it’s time to put the strategy into action. This includes assigning tasks, following up on their progress, and then recording and analysing data from your own firm. An incident register, something many companies already keep for health and safety incidents, helps you monitor and understand what is going on around the company that contributes to risk. A series of incidents around data protection could add up to an overlooked risk that requires a control.
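The four steps above describe what a risk management system has to capture: inherent versus residual scores, velocity, a named control owner, and an incident register that can reveal an uncontrolled risk. The following is an added illustration of that model in Python, not VinciRisk or VinciWorks code; the 1 to 5 likelihood and impact scales, the control reductions and the incident log are all constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    owner: str                 # person responsible for the control (step 3)
    likelihood_cut: int = 0    # how many points of likelihood it removes
    impact_cut: int = 0        # how many points of impact it removes

@dataclass
class Risk:
    name: str
    category: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    velocity: str              # "low" or "high": how fast it hits the business
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        # Step 2: likelihood x impact before any control measures
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Step 2: the same product after controls are applied, floored at 1
        l = max(1, self.likelihood - sum(c.likelihood_cut for c in self.controls))
        i = max(1, self.impact - sum(c.impact_cut for c in self.controls))
        return l * i

    def needs_rapid_response_plan(self) -> bool:
        # Step 3: high-velocity risks leave no time to consult the strategy later
        return self.velocity == "high"

def uncontrolled_incident_categories(incidents, register, threshold=3):
    """Step 4: incident categories that recur but have no controlled risk in the register."""
    counts = Counter(inc["category"] for inc in incidents)
    controlled = {r.category for r in register if r.controls}
    return sorted(c for c, n in counts.items() if n >= threshold and c not in controlled)

# Constructed register: the office-fire example from step 2, plus a high-velocity event
office_fire = Risk("Office fire", "premises", likelihood=2, impact=5, velocity="high", controls=[
    Control("Ceiling sprinklers", "facilities@example.invalid", impact_cut=2),
    Control("Fire blankets", "facilities@example.invalid", impact_cut=1),
    Control("Off-site backups", "it@example.invalid", impact_cut=1),
])
REGISTER = [office_fire]

# Constructed incident log: repeated data-protection incidents with no matching control
INCIDENTS = [{"category": "data protection"} for _ in range(3)] + [{"category": "premises"}]
```

With these values the fire risk scores 10 inherent and 2 residual, and the three data-protection incidents surface as a category the register does not yet control.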

VinciRisk’s Risk Management System

A dynamic incident reporting system such as VinciRisk’s Omnitrack is essential to a well-functioning risk management system. It stores data in one place and lets you track and manage it in real time. A risk system is far more than a static document that’s written, passed around, and never looked at again. To be effective, it must be live, dynamic, fit your business strategy and fit your way of working.

These steps will help get you started in managing risk in your organisation. VinciWorks has an extensive risk management system and world-leading expertise that can help your risk management department easily identify, log, track and mitigate risk. For more information and consultation, contact us below.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.