In today’s ever-changing global business landscape, futureproofing your business isn’t possible without effective risk management. Every business is doing something to manage risk, even if they don’t necessarily think of it that way.

Risk management is the process of identifying, assessing, and deciding how to respond to potential risks before taking action.  

Effective risk management isn’t about eliminating risk; it’s about understanding the risks your business faces before they happen, so that you aren’t spending the bulk of your time reacting to unforeseen events. Dealing with risks proactively means that you can spend your time on what matters most – executing your strategy. This is the cornerstone of futureproofing your business.

Understanding risk 

Risk exists in every business. However, with foresight and planning, it’s possible to prepare yourself to face your risks with confidence. Think of your business as a ship heading out to sea. No matter your destination, in the process of getting there, you’ll encounter different types of risks. Before embarking, you understand that your ship could get lost or sink, and so you invest in devices to help you to navigate to your destination, you ensure your crew is properly trained, and you make repairs to be certain that your ship is seaworthy. If you were to ignore those potential risks, you’d leave yourself open to, at best, failing to reach your destination or, at worst, total disaster. The risk itself isn’t the real problem; it’s the unexpected, unplanned, and unmanaged risks that throw organizations into stormy seas and uncharted waters.

Risk is defined as anything that may affect an organization’s ability to meet its objectives.

Risk appetite

Before trying to manage risk or navigate emerging situations, it’s critical to understand how much risk your business is willing to take on. This is the first step to effective risk management: establishing your business’ risk appetite.

Risk appetite is the amount of risk an organization is willing to take in the pursuit of its objectives.

Regardless of the size of your business, it’s critical to establish a risk appetite for the organization. But why is this so important? 

Every member of your leadership team and every employee in your business will have their own risk appetite – each person makes decisions every day based on how much risk they’re willing to accept.

To illustrate personal risk appetite, let’s consider an activity that most adults are familiar with, like driving a car. When you’re driving, do you regularly speed? If yes, do you regularly speed 20 km/h more than the speed limit?  How about in rain or snow?  Or in a school zone?  Does it matter if you’re alone or with a passenger?  Or if that passenger is a friend, spouse, or child? 

If you asked ten people these questions, you would undoubtedly get differing responses. Some people are more risk averse, while others are risk takers. Without a defined risk appetite for your organization, people are likely to default to their personal points of view and may take more (or fewer) risks than you might be willing to accept as an organization. This can result in an increased risk of loss if their personal risk appetite is higher, or a greater potential for missed opportunities if their appetite is lower.  

Determining an organization’s risk appetite and communicating it with employees helps to create consistent decision making throughout the organization so that everyone looks at risk in a similar way. When determining risk appetite, all key decision makers should be involved to encourage buy-in and ensure that the organization’s risk appetite takes into account the varying views of your leadership team. 

Identifying key risks

The most critical step in identifying risks is first understanding what you’re trying to accomplish—what are your goals as an organization? From there, it’s a matter of identifying the potential obstacles that will prevent you from achieving those goals. These obstacles come in many forms and vary from business to business. This is why it’s imperative that you don’t treat risk management as a checklist of generic risks—the risks you should focus on are the ones that are most likely to have the biggest impact on your organization and whether you can achieve your goals.

When you embark on your risk management journey, keeping your eye on the prize is essential. This means focusing on the organization’s top risks instead of amassing a laundry list of every risk present within your business. As a general rule, organizations should aim to identify and target around 15 to 20 top risks to actively track, manage, and monitor. 

The simplest way to identify key strategic risks as an organization is to brainstorm. Getting a core group of cross-functional employees into one room maximizes your chance of developing a comprehensive, meaningful and accurate list of organizational risks. A great way to start this risk identification session is to start with questions like: 

  • If you were to end up on the front page of the newspaper, what would the headline read?
  • If the company went out of business tomorrow, what would be the reason? 

Play out your worst nightmares, because, in many cases, those are your top risks.  

Helpful hint: Don’t worry about keeping this list down to a manageable size; that can be done later. The focus at this point should be identifying a comprehensive listing of organizational risks – also referred to as your risk universe.  

Once you’ve identified your comprehensive list of risks, it’s time to start removing duplicates and non-critical risks to narrow the priorities down to the top 15 to 20. 

Assessing and prioritizing risks  

Once you’ve identified your key risks, you’ll want to prioritize them. No business has unlimited resources, whether those resources are money or time, and you want to focus on the risks that are most important—in particular the ones that exceed your risk appetite. Risks are typically prioritized through an assessment process using, at a minimum, the following two elements:

Risk = Impact x Likelihood

1. Impact: The effect the risk would have on the organization if it happened (which could include impacts on reputation, finances, employee satisfaction, quality of service, or any category of impact that is meaningful and relevant to your business).
2. Likelihood: The chance or probability that the risk will occur.

Many organizations also consider velocity of change—the speed at which you would start to feel the impact of a risk, if it were to occur. For example, if a successful cybersecurity attack was identified as a key risk, you would often feel the impact of that attack immediately so it would have a high score in velocity of change. Your action plan to manage that risk would need to focus on prevention or dealing with it quickly if it happened. Other risks affect you more slowly and you have more time to deal with them, so your reaction does not have to be immediate.

Using your established risk appetite and your prioritized risk ranking, you’ll be able to determine the order in which to address each risk, so that you can direct your attention to the risks that are most important – the ones that could truly knock you off your strategy.

Making risk management sustainable

Once prioritized, you can set up processes to make risk management a living, breathing part of your organization and your decision-making process.

You don’t want to establish a risk management process that is, essentially, a separate initiative. You want to integrate it into the way you normally operate. So, if you have management meetings every Monday morning, one of the items on the agenda might be to discuss risk – whether you’re on track with any risk management action plans, or whether there are new risks you need to talk about. It’s not about creating a formal, time-consuming process that you only dust off annually when you renew your risk register. It’s about making risks a part of your day-to-day conversation when you’re running your business.

Leah White can help clients to identify and manage their risks, evaluate the effectiveness of their current processes and internal controls, provide internal audit services, audit the controls of third-party service providers, and assess their credit card security practices.

Leah White
Partner, Risk and internal audit, Halifax