Risk can be defined as ‘a possibility or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided or lessened through pre-emptive action.’
In today’s business world, we all hear the word risk bandied about, as well as companies, firms and organisations discussing how they manage risk or how it is intrinsic in all aspects of their business. The second part of this is correct: you will encounter risk in all aspects of processes, actions, operations and services, and you will be managing risk, to varying degrees, in your ability to operate. However, the success or effectiveness of this risk management often differs greatly from what organisations perceive it to be. Many organisations are simply addressing issues as they arise and classifying this as risk management. Effective risk management occurs when it is fully embedded within your organisation.
There are two key questions which, if asked of staff and management, will provide a real insight into how well your organisation manages risk and how embedded it is within your operations, structures and processes:
- What is your risk appetite?
If posed to staff and management, answers will vary greatly, with many responding that the organisation is risk averse, i.e. that the organisation does not accept risk. Risk aversion is actually quite rare, with all businesses or bodies having to accept some level of risk in order to operate. If all employees are not aware of the organisation’s risk appetite, how can they effectively manage the risks within their operational areas or processes?
- What are your Top 5 Risks?
Again, responses from staff and management will differ significantly. The most common responses actually relate to the employee’s own operational area, not to actual risks to the organisation. How can your organisation operate effectively to its full potential if everyone is not on the same page and cognisant of the key risks to the organisation, not just those in their own area?
These two questions are key to identifying where your risk management framework sits on the spectrum from non-existent to fully embedded within your organisation. To effectively manage risk as an organisation, it must be a corporate or collective approach, relevant at all levels. The strategic direction and organisational approach must be clearly defined, with formal processes for the escalation and de-escalation of risks, ensuring effective communication between departments, senior management and governance committees.
How comfortable would you be posing these questions to your employees?