What is risk management and why is it important?
The very mention of the word RISK evokes different responses depending on one's perspective, so it is no wonder that it has several formal definitions, each depending on context. The terminology most commonly used, and the one most people can identify with, is “uncertainty and undesirable outcomes”.
We are inadvertently exposed to risk in our everyday lives, and again the context of a risk matters greatly in understanding why some adopt a simple solution while others prefer a more complex and intricate approach to managing it.
For example, parents face daily risks relevant to their children, health care workers are exposed to risks by the very nature of their occupation, and globally there are the risks imposed by climate change and, most recently, the war in Ukraine. This article is not aimed at solving either personal or global risks; it hopefully offers a different perspective on how risk is viewed, controlled and mitigated, and introduces risk as a positive opportunity for consideration rather than all doom and gloom.
It further aims to illustrate the advantages of a better understanding of risk and to consider how organizations can benefit from implementing a risk-based-thinking approach. Managing risk in an organizational context is so much more than maintaining a spreadsheet listing possible threats to the organization: if carefully considered and understood, risks can also indicate opportunities for organizations to adapt to uncertainty and change their approach, as the global pandemic demonstrated.
Suddenly work environments went from travelling to a common place of work and sitting in traffic to simply getting out of bed and walking to a dedicated space within your home to get on with what is expected. Granted, working from home was not ideal for everyone, but smaller organizations came to the realization that a physical place of work was not critical to the performance of their employees, which presented them with an opportunity to rethink their operational performance.
As the pandemic slows down, larger organizations have paved the way for the return of employees to the traditional workplace, others have chosen a hybrid option, and many have opted to continue with remote work, as is evident in advertised career opportunities.
Risk management is the process of identifying, assessing and controlling unwanted outcomes (threats) to an organization's operations and performance. Risks can originate from a host of sources, be they financial, legal, health and safety, environmental, strategic oversight, accidents or natural disasters, to name but a few.
A successful risk management program helps an organization consider the full range of possible risks and also examine the relationships between risks and the cumulative impact they could have on the organization's strategic objectives and performance.
In addition to a focus on internal and external threats, Enterprise Risk Management (ERM) emphasizes the importance of managing positive risk (opportunities that could increase organizational value). Undeniably, the objective of any risk management program is not to eradicate all risk but to sustain organizational success by making intelligent risk decisions; hence managing risk should be closely linked with organizational strategy.
The first step to effective risk management is for the organization to define its risk appetite, i.e. the amount of risk it is willing to accept in alignment with its objectives. This allows it to evaluate which risks are acceptable as they stand and which require additional controls before they become acceptable: some risks may be accepted with no further action necessary, while others may be mitigated, shared with or reassigned to another party, or averted altogether.
It is worth noting the difference between risk appetite and risk tolerance: risk appetite is the amount of risk an organization is willing to accept to achieve its objectives, whereas risk tolerance is the acceptable deviation from the organization’s risk appetite.
Risk management has perhaps never been more important than it is now: driven by the rapid pace of globalization and the emergence of global calls for compliance, e.g. GRC and ESG, risk is constantly evolving.
In strictly regulated industries, e.g. financial services, risk management is part of a formal function where risks are more quantitative and are therefore managed in adherence to frameworks prescribed by statutory and regulatory requirements. In most other industries, risk tends to be more qualitative and thus more difficult to manage, which increases the need for a conscious, methodical and consistent approach to risk management.
Traditional risk management vs. enterprise risk management
"Siloed" vs. holistic is one of the big distinctions between the two approaches, according to Gartner's Shinkman. In traditional risk management programs, for example, risk has typically been the responsibility of the business leaders or managers who head the particular business unit or division in which the risk resides. For example, the CIO or CTO is responsible for IT risk, the CFO is responsible for financial risk, the COO for operational risk, etc.
These business units or divisions might have sophisticated systems in place to manage their various types of risk, Shinkman explained, but the company can still be at risk by failing to see the relationships among risks or their cumulative impact on operations. It is further noted that traditional risk management tends to be reactive rather than proactive.
In enterprise risk management, managing risk is a combined, collaborative and “bird's-eye-view” effort: there is typically a risk team that works with the business unit leaders and employees to debrief them, help them use the right tools to think through the risks, collate that information and present it to the organization's executive leadership. The traditional risk approach, by contrast, tends to be far more subjective, in that the person responsible carries the weight of the decision to define a risk and decide on its relevance. As mentioned, because risk is perceived as negative, such a person could be motivated by performance (the fewer risks raised, the better the perceived performance), which can lead to organizations defining themselves as risk averse with a low risk appetite while in fact being oblivious to their own risk assessment.
"A lot of organizations think they have a low risk appetite, but do they have plans to grow? Are they launching new products? Is innovation important? All of these are growth strategies and not without risk," Valente said.
Risk management process
The risk management discipline is referenced in many published bodies of knowledge that document a prescribed process to manage risk. The most familiar is the ISO 31000 standard, Risk Management -- Guidelines, developed by the International Organization for Standardization, the standards body commonly known as ISO.
ISO's five-step risk management process comprises the following and can be used by any type of entity:
Identify the risks.
Analyze the likelihood and impact of each one.
Prioritize risks based on business objectives.
Treat (or respond to) the risk conditions.
Monitor results and adjust as necessary.
The steps are rather self-explanatory; however, organizations are cautioned not to underestimate the effort required to complete the process. At the outset, it requires a fundamental understanding of the organizational context and strategic objectives.
The main objective of managing risk should be to develop a set of processes for identifying the possible organizational risks, the likelihood and impact of each, how each relates to the maximum risk the organization is willing to accept, and what actions should be taken to maintain and augment organizational value.
For risks that have the potential for a threat or adverse effect on the organization, it is worth measuring the effectiveness of controls and whether such controls need to be changed or adapted to reduce either the likelihood or the impact of the risk. Similarly, where there is an opportunity, consideration should be given to how the organization can expedite controls to ensure that the opportunity is realized.
"To consider what could go wrong, one needs to begin with what must go right," said risk expert Greg Witte, a senior security engineer for Huntington Ingalls Industries and an architect of the National Institute of Standards and Technology (NIST) frameworks on cybersecurity, privacy and workforce risks, among others. While the NIST criteria pertain to negative risks, similar processes can be applied to managing positive risks.
When identifying risks, it is important to understand that, by definition, something is only a risk if it has impact, Witte said; hence risk can have a negative and/or a positive impact. To conclude, RISK is so much more than a four-letter word: if adopted as a serious consideration in an organization’s sustainability and strategic objectives, it highlights not only potential adversity but also opportunity.