Taking Risk Off the Table
Managing risk is crucial for every business and organisation, from listed companies to unincorporated associations. Risk management forms part of an organisation’s broader governance framework and is a critical business practice that helps companies with everything from identifying and evaluating issues to tracking and improving their risk mitigation strategies. But first, to understand risk management, we need to understand the different types of risk, positive and negative. Yes, you can have positive risks!
The International Organisation for Standardisation defines risk as “the effect of uncertainty on objectives.” (If you’re interested in the details, the specific standard is ISO 31000:2018, which provides principles and guidelines on managing risk).
Risk management aims to tell businesses about the threats in their operating environment and allows them to retroactively and preemptively minimise or combat risk. It follows that risk management is the practice and synergy of 3 key things:
But what are the steps, and who should be involved in the process?
The Responsibility for Managing Risk
The responsibility for overseeing and managing risk ordinarily lies with an organisation’s board and management team. The board should be accountable for regularly reviewing and approving the risk management policies and frameworks. The board is responsible for deciding on the nature and extent of the risks it’s prepared to take to meet objectives. Management is responsible for developing and implementing a risk management framework and any related internal controls.
Typically, risk is considered an afterthought, with most organisations thinking about the consequences and how it can lead to financial loss, legal liability or tarnishing of reputation. From this perspective, it’s hard to see risk as anything but a negative. But what if we take a different approach?
What about the risks you don’t take – sometimes referred to as the “do nothing” approach? The risk of not taking action, or taking ineffective action, can also spell trouble. To better understand this concept, let’s recall the great “battle” between Sony’s Betamax and JVC’s VHS in the late 1970s; or, for the younger readers, how Netflix and Amazon shot to prominence, outperforming well-established companies that focused on avoiding risk at all costs (Blockbuster).
Understanding this should give you a better grasp of the significance of risk and how it can be more than just a defensive strategy if managed accordingly. Properly managed risk can assist organisations in developing a well-rounded approach, achieving objectives and making informed decisions.
Identifying emerging risks can be difficult, but there are techniques to help, such as PESTEL and SWOT analysis. PESTEL analysis assists organisations in identifying risks in the broader (or macro) environment. Risks in this environment are generally outside the control of the organisation. PESTEL stands for:
P: Political – Risks such as political stability, corruption and export or import restrictions.
E: Economic – Risks such as strikes, production recalls, and supply chain issues.
S: Socio-Cultural – These arise from factors such as demographics, consumer behaviour and changing values.
T: Technological – Risks arising from factors such as communication technology and transport options.
E: Environmental – Risks such as natural disasters, infrastructure and environmental taxes.
L: Legal – Risks such as changes in the law.
SWOT analysis is another technique that can help an organisation understand its strengths, weaknesses, opportunities and threats. The benefit of SWOT analysis is that it is a simple and recognisable approach, providing a broader perspective on strategy or approaches. SWOT helps develop an understanding of the impact and what can be done to minimise adverse effects and maximise potential opportunities. SWOT can also be a helpful framework for thinking about the individual parts of the PESTEL analysis.
Strengths – Strengths describe what an organisation excels at and what separates it from the competition: a strong brand, loyal customers, a strong balance sheet, unique technology, etc.
Weaknesses – What stops an organisation from performing at its best or areas where a business needs to improve to stay competitive: large fluctuations in turnover, bad debt, an inefficient supply chain, or lack of capital.
Opportunities – This refers to favourable external factors that could give an organisation a competitive advantage. For example, if a country cuts tariffs, an Australian exporter can export its products into a new market, increasing sales and market share.
Threats – Threats refer to factors that can harm an organisation. Common threats include the rising cost of materials, new competition, labour supply shortages, etc.
What is a Risk Management Framework?
A risk management framework is a set of guidelines and tools that decision-makers can use to decide how to mitigate risk. It could include, for example, policies, strategies, plans, processes and models, and statements of your organisation’s position on risk.
Risk Management Process
The five steps in a good risk management process comprise the following and can be used by any organisation:
- Identify risks – both current and potential risks.
- Analyse the likelihood of each risk you identified and the impact of each one.
- Prioritise which risks to focus on based on business objectives.
- Respond to the risk conditions.
- Monitor outcomes and adjust as necessary.
Whilst the steps look easy and straightforward, considerable effort is required to complete the process. The objective is to develop a set of processes for identifying the organisation’s risks. It is important to highlight that, by definition, unless the risk has an impact, it isn’t a risk.
We often hear phrases like “risk management”, “risk assessment” and “risk analysis” used interchangeably, but what’s the difference? Whilst they are related, there is actually a difference between each.
- Risk management is the continued process of identifying, analysing, evaluating, and treating loss exposures. These are summarised in the five steps above.
- Risk assessment includes the processes and technologies that you use to identify, evaluate, and report on risk-related concerns. The risk assessment process is a critical aspect of the broader risk management process and is mainly concerned with the Identification and Analysis phases (steps 1 and 2 below).
- Risk analysis can be considered the evaluation component of the broader risk assessment process, which determines the significance of the identified risk concerns. Put simply, risk analysis is the actual quantification of risk (i.e. calculating the probability and magnitude of loss).
STEP 1: IDENTIFY THE RISKS
By way of example, risk identification can be undertaken using:
- A top-down, bottom-up approach: the top-down approach involves the board and management identifying the organisation’s mission-critical processes and working with stakeholders to determine the conditions that could impede them. The bottom-up approach starts with the source of the problem (natural disasters, economic downturns, cyber-attacks, etc.) and considers its potential impact on particular assets.
- Risk categorisation: As specified by The Committee of Sponsoring Organisations of the Treadway Commission (COSO), there are 4 main categories:
  - Strategic risk (e.g. reputation, technical innovations, customer relations).
  - Financial and reporting risk (market, credit, tax).
  - Compliance and governance risk (e.g. ethics, regulatory, international trade, privacy).
  - Operational risk (e.g. IT security/privacy, supply chain, labour issues, natural disasters).
The final task in the identification step is for organisations to record their findings in a risk register. This helps track the risks through the subsequent four steps of the risk management process.
Pro tip: Leverage the collective knowledge and experience of your entire team. Ask everyone to identify risks they’ve either experienced before or may have additional insight about.
STEP 2: ANALYSE
Once you have identified the risk, it needs to be analysed. What you are looking for is how likely the risks are to occur and, if they do occur, what the ramifications could be. This is referred to as the scope of the risk: specifically, how it impacts the organisation and how many business processes it will affect. While some risks will only be minor inconveniences, others can bring an entire business to a standstill should they transpire.
To analyse the risks of an event the following should be considered:
- The likelihood of the risk happening.
- The consequence and impact if it occurred.
From here you want to work out a rating system. For example, you could have ratings of:
- 1 to 5 for likelihood (1 being highly unlikely and 5 highly likely)
- 1 to 5 for consequence (1 being low and 5 for severe).
These ratings can then be utilised to help determine the risk level:
Likelihood x Consequence = Risk level
Based on our example formula, the lowest risk level you could get is 1 (1 x 1), and the highest 25 (5 x 5). You can use this to rank your risks from least urgent to most urgent.
A template of this is shown below:
STEP 3: PRIORITISE
Most risk management solutions will show different categories of risks, depending on the impact of the risk you are analysing. Prioritising the risk you have diagnosed will give you a holistic view of the possible exposure of the entire organisation. You may see that the business has several low-level risks that may not require upper management intervention. However, even just one high-rated risk can be enough to require prompt intervention.
There are two types of risk assessment: qualitative and quantitative.
Qualitative Risk Assessment: These are inherently qualitative; however, you can derive metrics from the risks, as most risks are not 100% quantifiable. For instance, the risk of climate change is one that cannot be quantified as a whole.
Note: when performing a qualitative assessment it is essential to maintain objectivity and have a standardised approach throughout your company.
Quantitative Risk Assessment: This style of risk assessment is common in the financial sector, whether it is with regard to money, metrics, interest rates, or any other form of data.
Note: quantitative risk assessments can be automated and are generally considered more objective than qualitative assessments as there is less room for bias.
STEP 4: TREAT AND RESPOND
There are four strategies to manage the threat the risk may cause, where the strategy selected depends on the risk’s likelihood and the severity of impact.
- Risk avoidance: implementing policies, procedures, technologies, training and other steps designed to divert potential risks.
- Risk reduction: Similar to avoidance, it is a series of measures designed to reduce risk to an acceptable level.
- Risk transfer: contracts with a third party to bear some or all costs of a risk that may or may not occur.
- Risk acceptance: accepts the risk because its potential to harm the organisation is very limited or the cost of mitigating it exceeds the damage it would inflict.
STEP 5: MONITOR
It has to be noted that not all risks can be eliminated. Some risks, such as market risks and environmental risks, are ever-present and will always need to be monitored.
Risk monitoring can be thought of in terms of manual or digital systems. Here’s what you should know about them and which you need to use.
Manual systems monitoring: This is conducted by diligent employees. These professionals must keep a close watch on all risk factors they are responsible for.
Digital systems monitoring: The risk management system monitors the entire risk framework of the organisation. If any factor or risk changes, it is immediately visible to everyone with access. Computers are also much better at being able to continuously monitor risks. Monitoring risks also allows your business to ensure continuity.
Relationship to Internal and External Audit
A company’s board needs to ensure that the risk management framework established by management is operating as intended, testing the effectiveness of the strategy from time to time through assurance providers such as internal and external audits.
An internal audit function brings an independent, systematic, disciplined approach to evaluating and continually improving the effectiveness of the organisation’s risk management and internal control processes.
The ‘three lines of defence’
This can be a helpful way to define roles and responsibilities when considering effective risk management and control:
- First line: operational management control.
- Second line: management assurance (risk control and compliance oversight functions established by management).
- Third line: independent assurance.
The board (and its committee(s) if established) are not included in the ‘three lines of defence’; instead, they are served by the ‘three lines’. Their role is to ensure that the ‘three lines of defence’ model is reflected in the organisation’s risk management and control processes.
Talk Risk with the Experts at Bishop Collins
If you have any questions or would like to discuss your organisation’s risk management framework and internal audit needs, the team at Bishop Collins would be happy to have an obligation-free and confidential discussion.
To learn how Bishop Collins can help you manage your organisation’s risk, visit bishopcollins.com.au or call (02) 4353 2333.