The Importance of having an integrated risk and business strategy
Does your risk strategy and business strategy sit in two separate folders? When drafting your risk strategy, was it aligned to the business strategy and written with your organisational goals at the forefront? Or, as most companies do, is your risk strategy little more than a casually updated excel sheet?
Without an integrated risk and business strategy, the business will struggle to properly identify the long-term challenges that will affect your business, and thus will miss out on crucial indicators and controls and fail to see risk as a strategic priority.
Risk management systems are essential
Once a risk management plan, framework and policy are in place, the next step is to identify the risks and record them in a proper risk management system (RMS). Crucially, a good system provides a common language to talk about risk. This means being able to think about the impact of the office being flooded in the same context as failing to hire the best talent over the long term.
This is why recording risks in something like excel just isn’t good enough. An RMS must take into account the impact of inherent and residual risk, measure the risk velocity, and be smart enough to analyse breaches and assign ownership of controls.
Key Steps to Managing Risk
To ensure your organisation has an integrated strategy in place, let’s look at our four step guide to risk management. Bear in mind that the larger your organisation, the more sophisticated your risk management procedure needs to be.
Assess potential risks in light of the business strategy
This means taking stock of risks in light of the business strategy. If, for instance, one of your key strategic goals is to double your turnover, you need to consider the entire arena of risks connected to that. From what the risks are if you don’t meet that target, to the risks if you do meet it, or even exceed it. One major risk that many small and medium companies overlook is becoming too successful too quickly. If overnight one large contract could double your revenue, would your business have the capacity to cope?
One mistake many risk managers make is to only look at short-term risks. For example, a construction firm may only look at the most obvious things, such as the risk of workers being injured at work. This certainly is often a real risk for such companies. However, long term risks such as the potential for materials to increase in price due to a projected global shortage or a disruption to the supply chain is just as important.
Evaluate the likelihood and impact of the risk
Evaluating the likelihood of an event against the impact of the risk is another key step. An effective RMS provides a method for analyising the likelihood and impact, both before control measures are put in place (inherent risk) and after those measures are adopted (residual risk). This is a crucial part of risk management which many basic systems for dealing with risk fail to grasp.
For instance, the risk of a fire at the office will always be present and to a large extent unknown. A freak accident or electrical malfunction is impossible to calculate. However, control measures, such as ceiling sprinklers, fire-blankets and even making sure all data is constantly backed up off-site significantly mitigate the potential impact of that risk, and many others connected to it.
Consider how to deal with the risk
Now is the time to come up with a strategy to counter all the identified risks. Remember, even risks with a low severity and low likelihood need to be addressed, as they are risks nonetheless. Coming up with control measures and assigning responsibility is a hallmark of an effective system. The best systems can even send automated emails to those assigned as owners of a risk, making sure they deal with their responsibility.
Your business also needs to be able to measure and deal with risk velocity. This is the time it takes for a risk to impact your business. Something like a global rise in oil prices could, over time, impact on your supply chain by making it more expensive to ship goods overseas. While this is a very real risk that could significantly impact your business, the velocity is quite low.
Something like a natural disaster or terrorist attack that shuts down your city or makes it hard for staff to get to work has a very high risk velocity. The minute something happens police cordons will block the route, and there won’t even be time to get into the office and consult the risk strategy. High risk velocity events require rapid responses.
Implement and monitor your strategy
Now that the risks to the firm have been assessed and evaluated, it’s time to put the strategy into action. This includes assigning tasks, following up with their progress and then recording and analysing data from your own firm. An incident register, something many companies have for things like health and safety incidents, helps monitor and understand what is going on around the company that contributes to the risk. A series of incidents around data protection could add up to an overlooked risk that requires a control.
VinciRisk’s Risk Management System
A dynamic incident reporting system such as VinciRisk’s Omnitrack is essential to a well-functioning risk management system. It helps to store data in one place, as well as track and manage it in real time. A risk system is far more than a static document that’s written, passed around, and never looked at it again. To be effective, it must be live, dynamic, fit your business strategy and fit your way of working.
These steps will help get you started in managing risk in your organisation. VinciWorks has an extensive risk management system and world-leading expertise that can help your risk management department easily identify, log, track and mitigate risk. For more information and consultation, contact us below.