Not all risks are easily measurable, but that doesn’t mean they can’t form part of your risk criteria, argues Sarah Gordon, chief executive of Satarla
Sarah Gordon, chief executive, Satarla
The vast majority of organisations I’ve had the pleasure of working with define risk criteria as the method through which you measure the potential impact of a risk on your objectives, and therefore rank the importance of your risks. But I’d argue that the most important element of risk criteria is defining the trigger points where you need to make a decision or take action.
Traditionally, those trigger points tended to be based on financial hurdle rates such as return on investment, or lagging safety statistics such as the number of lost time injuries. But it’s becoming increasingly clear that these are only part of the story.
Less tangible areas of risk such as reputation, environment, cyber and political are rising up the business agenda and need to form part of the risk criteria. So, the big challenge becomes: how do you measure something that can be really difficult to accurately quantify?
If you’re someone who lives and breathes numbers, then being asked to measure something that can only be qualified rather than quantified is really difficult.
But when it comes to the dynamic measurement and updating of things like risk profiles, appetites and tolerances, some of the risks will be quantifiably measurable and some of them won’t. Most importantly, sometimes those qualitative aspects will be the make-or-break part of the decision as to whether you decide to take a risk. In fact, if you can’t easily measure a risk, that might be a good indicator that you need to take more notice of it, as it suggests that it is complex and liable to surprise you.
Using risk management to influence decisions
Sarah Gordon will be leading a training session on influencing decision-making
The standard approach to risk management has evolved in recent years, with the use of modern computing power to help us challenge our human-based assumptions, together with concepts such as risk appetite and tolerance to help drive the risk culture we desire within our organisations.
This workshop explores the latest developments in key aspects of risk management required by a senior leader.
- How to challenge your organisation’s risk profile: what should you expect from the risk committee meeting?
- What is risk appetite and tolerance: how do you get it to be meaningful within your organisation?
- Building a risk culture: how does this differ from an organisational culture?
- Range of relevant case studies from sectors such as aerospace, construction, charities, governments, natural resources and finance.
WHEN: Wednesday 27 November, 9:00-17:00
WHERE: 52 Horseferry Rd, Westminster, London SW1P 2AF
That’s because measurable risk criteria enable people to align decision making throughout an organisation, so there is agreement on what is an appropriate risk to take and what is a risk that needs to be escalated to a more senior level of decision making. Where something cannot easily be measured, the default should typically be to escalate it “just in case”.
Once your criteria – both intangible and tangible – are set, you need to have a process to constantly review those criteria. If an organisation says: ‘we established our risk criteria or appetite or tolerance five years ago, and it took us three years to get it signed off, so therefore, no we are not going to change it any time soon’, that should be a warning that some very strange decision making may be going on within your organisation, as it will be based on a version of your organisation that is five years old.
If the risk management community were to change one thing, it would be to show those organisations that it is not appropriate to sign off your risk criteria and leave it for a long period of time. Your organisation needs to be prepared to adapt its criteria as the environment in which it operates changes.
A leading indicator that an organisation is truly using risk management can be how often they review their risk criteria.
Our training course is about really coming to terms with what can be measured and what can’t. It looks at how to take those aspects of risk that are very difficult to measure and include them in your risk criteria. Then it looks at how to regularly review the criteria, so it doesn’t need to be this mammoth exercise that takes two years to get through the various committees.
If you get this right, you’ll not only save a huge amount of time, but actually be able to use the criteria throughout an organisation because people recognise them, and they respect those trigger points as being sensible.