By Carolyn Williams, Director of Corporate Relations, Institute of Risk Management
Risk management is not new. No doubt the Egyptians had some form of risk management in place when building the pyramids, although their risk appetite in relation to health and safety was probably a bit different to that of today’s construction companies. Some years ago Stephen Carver of Cranfield gave a brilliant lecture for us proving that William didn’t become the Conqueror because he was the best soldier, but because he was the best risk manager around.
Risk is a natural part of corporate and individual existence. We all want to change the world in some way and that might go well, or it might not. Some things we can control, others we can only be prepared for. But without risk there can be no progress and no reward. Expanding business, particularly into global markets, is always going to be challenging, but there are things that can help organisations prepare themselves for a smoother ride.
Risk does not exist in a vacuum. Useful talk about risk is always linked to objectives. Your organisation first of all has to be clear on its strategy, what it wants to do and on what success means. What do you want to achieve? How will you know when you’ve achieved it? What will be the measure of success? What do you need to protect (think financial, physical, human and environmental assets, bearing in mind that a big proportion of value today is found in intangible assets including brand)? What will the tolerances be – there may be a range of acceptable outcomes. Then you can talk about risk – what might stop you achieving your objectives? And also, what are the opportunities that might help you exceed your objectives? The risks you identify can be external (for example political developments in key markets or failures of third party contractors) or they could be internal (like loss of key personnel, a flooded factory or a cyber attack).
In the long-term organisations don’t get good at risk management in isolation: it goes hand in hand with getting good at all aspects of management.
Identifying risks, and putting together plans to manage them, is important but not quite enough. Over the past couple of decades we’ve seen the introduction of more standards, regulations, codes and management controls than ever before. But we’re still seeing problems occurring when people just don’t behave as you expect them to.
Whether it’s not following set procedures, bad judgement calls, groupthink or perverse incentives, organisations need to be aware of the impact of their culture on their risk environment. How people behave in your organisation can mean that they take too much risk, or possibly not enough.
Growth, mergers and takeovers, globalisation and management trends towards outsourcing and shared services mean that delivering any sort of product or service, whether mobile phones or child protection, relies on complex networks.
Organisations need to take time to really understand not only their supply chain vulnerabilities, but also the wider ‘extended enterprise’ that comes together to support their operations and which might include parties such as regulators, customers and the dangerous factory next door. Risks have a nasty habit of being interconnected, or, like buses, arriving together. This can quickly wreck a complex, but fragile, operating model.
Linked with the complexity of modern business is the speed at which things move these days. Business is getting faster – and hence the time to respond to some risks is getting shorter. Some decisions need to be made at speed and unless the organisation has invested in preparation and good information they are not likely to be quality decisions.
To maximise the chance of achieving objectives and being able to take advantage of opportunities, organisations need to ensure that they are good at risk management. As with other skill areas like finance, specialists will be needed to drive the process and advise at all levels, but there is also a need for a wider appreciation of risk across the management team. Most large organisations, and those with mature risk management processes, will be seeking to embed risk-based thinking across the company, building it into project processes, decision making and talent management. In an increasingly uncertain world, risk management is a skill everyone is going to need.