
A to Z of Risk Management

  1. 1. A to Z of Risk Management © Mark Conway - Oak Consult 2014
  2. 2. Introduction All organisations, whatever their size or market, face a range of risks affecting the achievement of their objectives. While "risk" is commonly regarded as negative, risk management is as much about exploiting potential opportunities as preventing potential problems. Risk management comprises a framework and process that enable organisations to manage uncertainty in an effective, efficient and systematic way from strategic, programme, project and operational perspectives, as well as supporting continual improvement. Risk management applies at all levels of an organisation and to all activities. In this A to Z, I’d like to cover some of the key areas of Risk Management and Treatment and give you a better understanding of this broad topic that underpins multiple quality and ISO standards.
  3. 3. Appetite for Risk
      Considering and setting a risk appetite enables an organisation to improve outcomes by optimising risk taking and accepting calculated risks within an appropriate level of authority. The organisation's risk appetite should be established and approved by Senior Management and effectively communicated throughout the organisation.
      The organisation should prepare a risk appetite statement, which may:
      – Provide direction and boundaries on the risk that can be accepted at various levels of the organisation, how the risk and any associated reward is to be balanced, and the likely response
      – Consider the context and the organisation's understanding of value, cost-effectiveness of management, rigour of controls and assurance processes
      – Recognise that the organisation might be prepared to accept a higher than usual proportion of risk in one area if the overall balance of risk is acceptable
      – Define the control, permissions and sanctions environment, including the delegation of authority in relation to approving the organisation's risk acceptance, highlighting of escalation points
      – Be reflected in the organisation's risk management policy and risk reporting system
      – Include qualitative statements outlining specific risks the organisation is or is not prepared to accept
      – Include quantitative statements which set out how certain risks and their rewards are to be judged and/or how the aggregate consequences of risks are to be assessed and monitored.
  4. 4. Benefits of implementing Risk Management
      Organisations often find that Risk Management provides a combination of both qualitative and quantitative benefits.

      Creation of a more risk focused culture for the organisation
      Organisations that have implemented Risk Management note that increasing the focus on risk at the senior levels results in more discussion of risk at all levels. The resulting cultural shift allows risk to be considered more openly and breaks down silos with respect to how risk is managed. As risk discussions develop into a standard part of the overall strategic business processes, functional units often find that addressing risk in a more formal way helps manage their part of the organisation as well. Communication and discussion of risk is recognised as not only a process to provide information to senior management, but a way to share risk information within and across operations of the company, and allow better insights and decision making concerning risk at all levels.

      Standardised risk reporting
      A formal Risk Management System supports better structure, reporting, and analysis of risks. Standardised reports that track enterprise risks can improve the focus of Senior Management by providing timely data that enables better risk mitigation decisions. The variety of data (status of key risk indicators, mitigation strategies, new and emerging risks, etc.) helps leadership understand the most important risk areas. These reports can also help leaders develop a better understanding of risk appetite, risk thresholds, and risk tolerances.

      Improved focus and perspective on risk
      A Risk Management System develops leading indicators to help detect a potential risk event and provide an early warning. Key metrics and measurements of risk further improve the value of reporting and analysis and provide the ability to track potential changes in risk vulnerabilities or likelihood, potentially alerting organisations to changes in their risk profile.

      Efficient use of resources
      In organisations without Risk Management, many individuals may be involved with managing and reporting risk across functional units. While developing a Risk Management System does not replace the need for day to day risk management, it can improve the framework and tools used to perform the critical risk management functions in a consistent manner. Eliminating redundant processes improves efficiency by allocating the right amount of resources to mitigating the risk.

      Effective coordination of regulatory and compliance matters
      Financial statement auditors, insurers and regulatory examiners have begun to inquire about, test, and use monitoring and reporting data from Risk Management systems. Since Risk Management data involves identifying and monitoring controls and mitigation efforts across the organisation, this information can help reduce the effort and cost of such audits and reviews.

      Through all of the benefits noted above, Risk Management can enable better cost management and risk visibility related to operational activities. It also enables better management of market, competitive, and economic conditions, and increases leverage and consolidation of disparate risk management functions.
  5. 5. Context
      Before starting the design and implementation of a risk management framework, it is important to evaluate and understand both the external and internal context of the organisation, since these can significantly influence the framework design.

      Evaluating the organisation's external context may include:
      a) The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
      b) Key drivers and trends having impact on the objectives of the organisation
      c) Relationships with, and perceptions and values of, external stakeholders

      Evaluating the organisation's internal context may include:
      a) Governance, organisational structure, roles and accountabilities
      b) Policies, objectives, and the strategies that are in place to achieve them
      c) Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies)
      d) Information systems, information flows and decision-making processes (both formal and informal)
      e) Relationships with, and perceptions and values of, internal stakeholders
      f) Organisational culture
      g) Standards, guidelines and models adopted by the organisation
      h) Contractual relationships with suppliers
  6. 6. Documentation
      Documenting an organisation’s risk management framework and recording each step of the risk management process is critical for a number of reasons, including:
      – Demonstrating to stakeholders that the process has been conducted properly
      – Providing evidence of a systematic approach to risk identification and analysis
      – Enabling decisions or processes to be reviewed
      – Providing a record of risks and to develop the organisation’s knowledge database
      – Providing decision makers with a risk management plan for approval and subsequent implementation
      – Providing an accountability mechanism and tool
      – Facilitating ongoing monitoring, review and continuous improvement
      – Providing an audit trail
      – Sharing and communicating information

      The following areas of your organisation’s risk management framework need to be documented:
      – Objectives and rationale for managing risk
      – Accountabilities and responsibilities for managing and overseeing risks
      – Processes and methods to be used for managing risks, i.e. how the Risk Management process will be applied in the organisation
      – Commitment to the periodic review and verification of the risk management framework and its continual improvement
      – The way in which risk management performance will be measured and reported
      – Resources available to assist those accountable or responsible for managing risks
      – Organisation’s risk appetite translated into risk rating criteria
      – Links between risk management and the organisation’s objectives
      – Links between risk management and other processes and activities
      – Scope and application of risk management within the organisation
      – Requirements for recording and documentation of the risk management process
  7. 7. Evaluating Risks
      Risk evaluation involves comparing a risk’s overall exposure against the organisation’s risk appetite. This allows the determination of whether further controls are required to bring the risk within a level acceptable to the organisation. The output of the risk evaluation phase is a prioritised list of risks. The following key steps are involved in evaluating risks:

      1. Rank the risks based on the outcome of the risk analysis process
      Risks can be ranked either qualitatively or quantitatively. Applying qualitative analysis, you can rank the risks using a heat map. The heat map is a colour-coded matrix with each colour indicating the level of risk. This heat map represents the tolerance level of your organisation. This would have been developed in the earlier phase of “Establish Context”, as it is a part of the organisation’s risk management context. Based on the control effectiveness rating, likelihood of the risk occurring and potential consequences identified in the earlier phase, plot the risks against the matrix. The completed matrix is your risk profile.
      Applying semi-quantitative analysis, the organisation can also rank the risks based on their numerical value. The numerical value is a combination of the values assigned by the organisation to control effectiveness, likelihood and consequence.
      The most common approach to visually recording risk is using a 3 by 3 or 5 by 5 heat map as illustrated below. A risk heat map is sometimes referred to as a risk matrix.

      2. Consider the overall risk profile
      Once the initial risk profile has been developed, the organisation may need to consider how each risk ranks in relation to the other risks. This step allows the organisation to conduct a “sanity check” of the risks that have been placed on the heat map to ensure that risks are rated correctly when compared to each other (e.g. “Risk manager may be off sick with flu” is not rated the same as “Project objectives may not be met”).
      Possible outcomes of this step include:
      – The organisation may reassess the rating of some of the risks if it is felt that the overall spread of the risks relative to each other is not a true reflection of reality
      – The organisation may recognise that some risks are similar to the other risks, or are contributing factors to other risks. Hence they may be incorporated into the risk description of other risks within the risk register
      – The organisation may consider the interdependencies between the risks and consider the consequence on the organisation if more than one risk occurred at the same time. This may result in changes to the overall risk ratings.

      3. Develop a list of priority risks
      The primary objective of evaluation is to prioritise risks. This helps to inform the allocation of resources to manage risks, both non-financial and financial. The priority list can be categorised by a number of criteria dependent on what is most relevant for the organisation, e.g. risk rating, functional area or by type of impact (i.e. strategic or operational). This will further refine the focus for risk treatment.
  8. 8. Frequency of risk reporting
      At a minimum, an organisation should update and report on its risk profile on an annual basis. While an annual reporting and update cycle may meet statutory requirements, effective risk management typically requires more frequent reporting on risk. The frequency of risk reporting should reflect the cycle of the organisation’s regular internal reporting. Where the Executive receives monthly or quarterly progress reports on Financial, Operational, Health and Safety or IT matters, they may wish to receive similar risk reports.
  9. 9. Governance
      The organisation's risk management framework should have the following features:
      – Risk management as part of the organisation's overall approach or framework for governance
      – Risk being recognised as a Senior Management matter, with the Board ultimately accountable for risk management
      – Risk management objectives designed to support and achieve the organisation's risk appetite and the approach to recognising risk in decisions, providing achievable goals for risk management
      – Ownership and accountability for managing and reporting on risk throughout the organisation
      – Roles, accountabilities and responsibilities for managing risk, which are communicated and understood, and a clear distinction between those who have:
        a) Direct responsibility for the management of risk, e.g. management and staff working within each functional unit
        b) Responsibility for development, implementation, maintenance and oversight of the effectiveness of the risk management framework
        c) Responsibility for providing independent assurance, e.g. internal audit
        d) Ultimate responsibility for obtaining assurance and thereafter driving improvement
      – A defined, effectively communicated and understood policy, which sets out the requirements for managing risk
      – Defined processes / procedures for managing the organisation's risks and the development of risk management across the organisation
      – A method of assessing, leading and monitoring the organisation's risk management culture
      – Defined parameters around the level of risk that is acceptable to the organisation, and thresholds which trigger escalation, review and approval by an authorised person/body
      – A defined approach to recognising risk in decisions and an appropriate flow of risk information around the organisation
      – A commonly defined and agreed terminology for describing key risk management concepts and practices
      – A risk management strategy and a risk management policy containing the objectives and plans for risk management across the organisation
  10. 10. High-Level Risk Management Framework
  11. 11. Individual’s role within Risk Management
      The organisation should embed risk management by incorporating it into each individual's responsibilities. People should understand:
      – The risks that relate to their roles and their activities
      – How the management of risk relates to the success of the organisation
      – How the management of risk helps them to achieve their own goals and objectives
      – Their accountability for particular risks and how they can manage them
      – How they can contribute to continuous improvement of risk management
      – That risk management is a key part of the organisation's culture
      – The need to report in a systematic and timely way to senior management any perceived new or emerging risks, near misses or failures of existing control measures within the parameters agreed
  12. 12. Joined-up Risk Management
      No organisation or function within an organisation works in true isolation when it comes to risk management.

      Internal Risk Management
      Many organisations handle risk management within functions and submit risks and risk matrices to senior management based upon their evaluation of their functional area risks. The same risks may exist elsewhere in an organisation but their impact and subsequent treatment recommendations may differ. It is therefore hugely important for senior management to collectively review risk matrices to ensure that risk levels and their treatment are agreed upon from an organisational perspective.

      External Risk Management
      Some risks and their associated treatments may require joint effort between organisations and third parties. This could involve negotiation with third-party suppliers, local / national government as well as emergency service organisations. Being prepared and being connected to the right stakeholders could mean the difference between your organisation becoming operational very quickly following a major incident and going out of business.
  13. 13. Keeping your Risk Register up-to-date
      The purpose of a risk register is to record details of all risks that have been identified, together with their analysis and plans for how those risks are to be treated. The risk register is an important component of the overall risk management framework. It will include ALL risks - not just operational risks - and can be focused either on the organisation as a whole, or on specific projects where it is used to maintain the register of project risks over the lifetime of the project.

      An important parameter recorded in the risk register is the 'owner' of each risk - the person who owns responsibility for actions relating to that risk. It is important to record when the risk item was identified and added to the register, when the entry was last updated, and for some items, when they were closed. However, closed items should be maintained for historical analysis purposes, perhaps being transferred to a separate 'closed risks' register table.

      Access to the risk register must be controlled to maintain its integrity and confidentiality. Some items recorded in the register may be very sensitive and thus not for wide publication. These confidential items can be 'flagged' by adding an extra field to the table record structure. The integrity of all item entries is also important, so you need a security policy for the register that defines who should be able to update the table and who can read it.
  14. 14. Likelihood and Impact of Risks
      Events identified as potentially impeding the achievement of objectives are deemed to be risks and should be evaluated based on the likelihood of occurrence and the significance of their impact on the objectives. It is important to first evaluate such risks on an inherent basis—that is, without consideration of existing risk responses and control activities.

      For example, an organisation with headquarters on the banks of a river may seek to assess its exposure to the risk of flooding. On an inherent basis, it would consider the likelihood and impact of a flood by considering external data (such as the historical and projected frequency of floods) and internal data (such as the estimated damage to its physical assets if a flood were to occur). An impact and probability rating should then be assigned using defined risk rating scales.

      These individual risk ratings should then be brought together in the form of an inherent risk map as I outlined in E. Additionally, as risk assessments are refreshed over time, a risk map can allow analysis over time (e.g., upward or downward trend of risks, and the extent of positive or negative correlations between certain risks).
  15. 15. Monitoring and Review
      Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. It can be periodic or ad hoc. The organisation's monitoring and review processes should encompass all aspects of the risk management process for the purposes of:
      – Ensuring that controls are effective and efficient in both design and operation
      – Obtaining further information to improve risk assessment
      – Analysing and learning lessons from events (including near-misses), changes, trends, successes and failures
      – Detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities; and
      – Identifying emerging risks

      Progress in implementing risk treatment plans provides a performance measure. The results can be incorporated into the organisation's overall performance management, measurement and external and internal reporting activities. The results of monitoring and review should be recorded and externally and internally reported as appropriate, and should also be used as an input to the review of the risk management framework.
  16. 16. No Risk, No Reward
      “No risk, no reward; no guts, no glory!” In business, this mantra poses challenges, especially when dealing with compliance, security and risk management—organisations often need to take risks to get ahead of competition and take care to avoid overstepping their bounds. Organisations must address the point when something is no longer a risk, but an inevitable failure.

      When a large organisation takes a risk, it has to consider a wide range of people: its employees, customers, investors and other stakeholders. Do regulatory requirements drive all choices and should the company always play it safe? No risk, no reward, remember? Companies in the 21st century that play it safe are going to fall to the competition.

      “The bigger the risk, the bigger the reward” is becoming a culture rather than just a motivational poster. The businesses that push too hard, too fast will have less success, but the companies that remain calculated, deliberate, and informed when taking risks are not really taking risks at all - they are making smart business decisions. What is vital to organisational survival, and their ability to thrive in a competitive industry culture, are the right tools and resources needed to make calculating risks easier and faster.
  17. 17. Owners of Risks and Responses
      Where the risk management process identifies any risks that need to be actively managed, each risk and each response should be assigned an owner who is responsible and accountable for:
      – In the case of a risk, owning the organisation's assessment of the risk, monitoring it, and reporting its status
      – In the case of a risk response, responding to the risk, contributing to the development and maintenance of an appropriate control environment, and reporting on the status of the response

      Risks and their responses may be owned by the same person.
  18. 18. Policy
      The organisation's risk management policy may include:
      – Governance, outlining how risk management is governed
      – Policy scope, describing the purpose of the policy and who it is aimed at; describing the high level principles and the benefits of implementing risk management; setting out the objectives, including legal and regulatory requirements, and what it intends to achieve; and providing an explanation of the relationship with other policies
      – Policy applicability, setting out to whom and to what the policy applies
      – Risk management process, providing a high level overview and description of the risk management process adopted by the organisation
      – Risk appetite, outlining the organisation's risk appetite, thresholds and escalation procedure
      – Reporting, describing the purpose, frequency and scope of reporting
      – Roles, accountabilities and responsibilities, describing the high level roles, accountabilities and responsibilities in respect of risk management
      – Variations and dispensations, stating whether variations or dispensations from the policy are allowed and, if they are allowed, describing the process for requests for this
  19. 19. Qualitative and Quantitative Risk Analysis

      Quantitative Risk Analysis
      In short, quantitative risk analysis is by far the most exhaustive, costly and time-consuming method of doing a risk assessment. However, its primary benefit is identification of your greatest risk based on financial impact. Assigning a value to loss associated with vulnerability is often the best way to obtain corporate buy-in and a true understanding of impact to the organisation. Quantitative is the only option if your Senior Management requires numeric figures and findings that can be measured against budgets from year to year.

      Quantitative Risk Analysis - Key Points:
      – Yields results in terms of financial impact
      – All findings are expressed in monetary values, percentages, and probabilities
      – Allows for more control and understanding regarding procurement and budgeting
      – Requires larger organisational cooperation
      – Better protection against litigation risk
      – Very time intensive

      Qualitative Risk Analysis
      Qualitative risk analysis is more common than quantitative due to the time and cost involved. In qualitative analysis, the assets are discovered and reviewed for known vulnerabilities against a database of potential vulnerabilities. The risk is then measured against relative scales to determine the probability of a threat exploiting the vulnerability. Threat impact, probability of threats, and vulnerabilities used in the analysis are very subjective between analysts conducting the analysis. It is not uncommon in a qualitative risk analysis to have two experts with differing conclusions. If an organisation is strapped for time or can't afford the resources to dedicate to understanding your risk in detail, qualitative is the best methodology.

      Qualitative Risk Analysis - Key Points:
      – Requires less time and is less costly
      – Findings are simple in nature
      – Focus is on specific vulnerabilities to the affected assets
      – Values of loss are perceived and not quantified
      – Vulnerabilities are rated subjectively
      – Focus is on understanding the risk and often includes recommendations for mitigation based on analysts' knowledge and expertise
  20. 20. Risk Management Process
      The organisation's risk management process should, as a minimum, comprise the following steps:
      – Context
      – Identification
      – Assessment
      – Response
      – Reporting
      – Review
  21. 21. Senior Management Responsibilities
      The responsibilities of the senior management of the organisation in respect of risk management should include:
      – Ensuring that there is a fit-for-purpose and up-to-date risk management framework and process in place and that risk management is adequately resourced and funded
      – Providing strategic direction on the appropriate recognition of risk in decisions and setting risk appetite and associated authority
      – Approving the risk management policy and setting the "tone" and culture for managing risk and embedding risk management
      – Ensuring the key risks facing the organisation are properly assessed and managed
      – Evaluating the risk implications of change
      – Planning for how the organisation will respond to risks that could arise, including the management of a crisis
      – Providing direction and receiving assurance on the effectiveness of risk management and compliance with the risk management policy
      – Reporting on risk management to stakeholders and signing off public disclosures
  22. 22. Treatment of Risks
      Risk Treatment is the process of selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, optimising, transferring or retaining risk.

      Management or treatment options for risks expected to have positive outcome include:
      – Starting or continuing an activity likely to create or maintain a positive outcome
      – Modifying the likelihood of the risk, to increase possible beneficial outcomes
      – Trying to manipulate possible consequences, to increase the expected gains
      – Sharing the risk with other parties that may contribute by providing additional resources which could increase the likelihood of the opportunity or the expected gains
      – Retaining the residual risk

      Management options for risks having negative outcomes look similar to those for risks with positive ones, although their interpretation and implications are completely different. Such options or alternatives might be:
      – To avoid the risk by deciding to stop, postpone, cancel, divert or continue with an activity that may be the cause for that risk
      – To modify the likelihood of the risk by trying to reduce or eliminate the likelihood of the negative outcomes
      – To try modifying the consequences in a way that will reduce losses
      – To share the risk with other parties facing the same risk (insurance arrangements and organisational structures such as partnerships and joint ventures can be used to spread responsibility and liability)
      – To retain the risk or its residual risks
  23. 23. Understanding the types of Risk Assessment
      Risk assessment can be conducted at various levels of an organisation. The objectives and events under consideration determine the scope of the risk assessment to be undertaken. Examples of frequently performed risk assessments include:
      – Strategic risk assessment
      – Operational risk assessment
      – Compliance risk assessment
      – Internal audit risk assessment
      – Financial statement risk assessment
      – Fraud risk assessment
      – Market risk assessment
      – Credit risk assessment
      – Customer risk assessment
      – Supply chain risk assessment

      The examples described above are illustrative only. Every organisation should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends upon priorities and objectives. It may be narrow and specific to a particular risk, as in some of the examples above. It may be broad but high level: e.g., an enterprise-level risk assessment or a top-down view that considers the broad strategic, operational, reporting, and compliance objectives.

      A more full explanation of the examples above can be found here
  24. 24. Vulnerabilities & Threats Assessment

      Vulnerability
      It's common to define vulnerability as "weakness" or as an "inability to cope". Both of these definitions are completely wrong (from a security and risk management perspective). A better definition of vulnerability is "exposure". If you give a presentation at a conference it might open you to criticism or even ridicule. Plenty of people have a fear of public speaking for this very reason. However, the act of giving a speech isn't a weakness; it's an exposure. Connecting a system to the internet can represent a vulnerability. For example, it exposes a system to a DDoS attack. However, connecting a system to customers via the internet isn't likely to be considered a weakness from a business perspective.

      Threat
      A threat is something bad that might happen. It's as simple as that. A more complex definition wouldn't be any more helpful. From a security perspective the first threat that pops to mind is a security attack. However, a threat can range from innocent mistakes made by employees to natural disasters.

      Risk
      Risk is a chance that something unexpected will happen. It's the combination of threats and vulnerabilities:
      Risk = Threat x Vulnerability
  25. 25. Why bother with Risk Management?
      In difficult times most organisations adopt a back-to-basics approach, scrutinising overheads and new projects to ensure that costs do not rise to unacceptable or unsustainable levels. Whether we are experiencing falling revenues now, or are fearful of what the future holds, focus on Risk Management can fade and not be a priority. But there is a certain irony in this. Risk Management is intended to help management identify risks that could threaten the organisation and take action to mitigate or eliminate material risks. Risk Management provides management with confidence that unplanned disruption can be handled effectively and the organisation has the best chance to survive, whatever the circumstances.

      In poorer economic times, businesses are more threatened by more risks and potential disruption than is the case during more prosperous periods. For one thing, financial resources are likely to be more constrained, providing less flexibility in your response to realised threats and disruption. For another, your organisation will be leaner, with fewer facilities, equipment and staff. You often have to downsize to cope with difficult economic circumstances. The organisation will be working in a lean manner and that lack of spare capacity can make recovery from unplanned disruption difficult to manage.

      And then there is the competition who, in more difficult times, will be champing at the bit to take your clients and your business away. If risks materialise and you are inadequately prepared, or your business faces unplanned disruption without the necessary plans in place, your competition will have the best opportunity to take bite-sized chunks out of your business portfolio. Client goodwill is something we all work hard for and is difficult enough to maintain in good times. In more challenging times your business has to be ready, willing and able to service clients when they require it, no matter what events transpire.

      There is no need to advocate that all professional firms spend fortunes on Risk Management. Many of our financial institutions have done that for years and look where they have found themselves. But developing a sensible approach to managing risk, documenting key risks in a Risk Register (with appropriate mitigation noted) and preparing sensible and pragmatic Treatment and Business Continuity Plans should not cost the earth. It will however help you protect the value and goodwill you have created in your business and should not be ignored, despite the current circumstances.
  26. 26. X-Ray Spectacles Horizon Scanning When conducting risk assessments organisations are increasingly being forced to explore risks and disruptive threats further into the future. Typically, most companies cannot realistically look more than six months into the future with any degree of confidence for strategic planning. Unprecedented events and the complications of globalisation make even six months too vague for many. Strategic anticipation or foresight is becoming an important capability to assist decision-making when confronted with increasing global risks and economic/geopolitical turbulence. A degree of uncertainty has always been a business reality, but today it is the extent of the uncertainty and the potential consequences that make organisations cautious and apprehensive about directions and decisions. Uncertainty cannot be managed, as by its very nature it is incalculable, but organisations can reduce their vulnerability to it. New approaches are now required; understanding the mistakes of the past can be informative, but hindsight will not necessarily inform or help with foresight. As a result, businesses must make an effort to develop scenarios, consider likely future events and apply futures methodologies. Tools such as horizon scanning help generate new insights based on social and environmental monitoring, or distributed sensing capability, which allow one to make sense of an emerging threat, issue or trend. As a logical extension of scenario planning, horizon scanning can be used alongside techniques such as crowd sourcing, trend analysis, phase transition and experiential learning, amongst others, to generate ideas about likely future risks, issues and opportunities. It is vital that corporations, when faced with continuous anxiety and uncertainty, become skilled at spotting trends; they also need to acquire the techniques of pattern recognition and horizon scanning to generate strategic options and guide decision-making.
  27. 27. Your Organisation and Risk Whatever the size of your organisation, Risk Management should be a consideration. Ask yourself the following questions about your organisation: 1. What are the organisation’s top risks, how severe is their impact and how likely are they to occur? 2. How often does the organisation refresh its assessment of the top risks? 3. Who owns the top risks and is accountable for results, and to whom do they report? 4. How effective is the organisation in managing its top risks? 5. Are there any organisational blind spots warranting attention? 6. Does the organisation understand the key assumptions underlying its strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions? 7. Does the organisation articulate its risk appetite and define risk tolerances for use in managing the business? 8. Does the organisation’s risk reporting provide management and the board information they need about the top risks and how they are managed? 9. Is the organisation prepared to respond to extreme events? 10. Does the board have the requisite resources to provide effective risk oversight? If you are struggling to answer these questions or are uncomfortable with how you are feeling about your answers, don’t panic! You’re not alone. But you should be doing something about it before a risk becomes a reality!
  28. 28. Zurich to Accenture Risk Management is big business - from consulting to insurance. There are literally thousands of organisations that you can engage with, from the global players such as Zurich and Accenture to the smaller, more regional consultancies and insurers. Insurance will not reduce your business' risks but you can use it as a financial tool to protect against losses associated with some risks. This means that in the event of a loss you will have some financial compensation. This can be crucial for your business' survival in the event of, say, a fire which destroys a factory. Some costs are uninsurable, such as the damage to a company's reputation. On the other hand, in some areas insurance is mandatory. Insurance companies increasingly want evidence that risk is being managed. Before they will provide cover, they want evidence of the effective operation of processes in place to minimise the likelihood of a claim. If you need support in implementing a cost-effective Risk Management system for your organisation we would be delighted to help you. Give us a call or click here to get in touch!
