Sarah Richards discusses how you should manage risk in the path of business objectives

Risk management is probably one of the least understood terms in the business dictionary. It falls short of a satisfactory description of what it is actually trying to achieve. However, until an improved alternative is suggested, this is the label the business community uses.

Risk management is a common term, but what is it? Put simply, risk is one of life's certainties. This is not a negative approach. How successfully organisations deal with risk is the crux of the matter, and the approach to this subject can have a major impact on the achievement of key business objectives.

As soon the term risk management is mentioned, eyes glaze over and images of disaster are conjured up. People think that it is only about dealing with negative issues and approach the subject with a negative attitude. They see it as a complicated management tool and focus on the physical and material elements. This is the traditional view, but in reality, the approach is about diversifying. For example, physical risk is not always at the operational level, but at all levels, including the departmental and strategic.

Everyone manages risk on a day-to-day level in their business and personal lives, whether it concerns choosing between the most and least expensive brands of stationary, or ignoring or dealing with a technology problem. In this, they exercise a subconscious understanding of risk, led by their emotions, gut feeling or past experience. This approach usually leads to the risk management focus on traditional insurable risks.

Basically, there are two types of risk. There are direct threats and damaging events which could lead to a failure to achieve objectives. Then there are opportunities, or constructive events, which if exploited could offer an improved way of achieving objectives, but are surrounded by threats. Whether managers are weighed down by the risks, or pushed and guided in the right directions towards their goals, depends on the individual's approach and whether a negative or positive mindset is in place.

Approaching the subject consciously will enable risk managers to see areas of improvement and the pitfalls in a business, which create the glass walls between their current position and their business goals. The conscious approach assumes that there is a scientific way to deal with risk. This is not linked to insurance, but to a far broader spectrum of considerations. It is about reducing the exposure to risk by reducing its likelihood, its impact, or both.

This is where risk management comes into its own as a management tool, presenting areas for improvement and new opportunities. It is a way of establishing credibility within a business. My own company has gathered decades of experience in risk management. Understanding our own organisation and the risks we face is key to helping other businesses. We have embedded the risk management approach into our daily operations – before we offer the risk management pill to anyone else, we have made sure we have swallowed it ourselves.

What is risk management about?
Everyone within a business should have an awareness of risk management. It is as important for the senior manager as it is for those at the operations end. It is as relevant to the private sector as it is to the public sector. With a strong risk management infrastructure in place, organisations can overcome hurdles and achieve business objectives.

Good risk management is a fundamental tool for helping organisations achieve objectives, as it identifies obstacles before they become an issue in the same way that one deals with a pothole before it gets in the way of safe highway management. The wider benefits of risk management mean that businesses reach their potential and objectives by identifying the barriers to achievement. With the creation of this mind map, managers have improved judgment when assessing realistic business opportunities; they are less averse to risk and more innovative in their approach to problems. Business planning is therefore improved through a risk-based decision making process, as the emphasis is on the outcome, not the process.

A cycle then becomes clear; organisations make plans, achieve goals, enhance performance, and this feeds back into the performance management framework. The focus is on doing what matters to make a difference.

In order to reach this level of success, you have to put solid risk management practices in place. The risk management cycle is the tool used to identify the process, starting with identification of the risk. Risk analysis, prioritisation, risk management and monitoring follow. However, you must complete the cycle, and this means feeding the outcomes from monitoring back into the identification process. Basic risk management tools include action planning, audit trails, business continuity plans, making sure staff are aware of their areas of responsibility, and so on. All this should fit well with performance improvement plans, business planning and performance management frameworks. It is not about reinventing the wheel, but making sure you use tools effectively.

Risk management at the assessment stage is an important step. You should consider this in line with opportunity analysis, the resources available and external events which might affect the outcome. You therefore need a structured systematic methodology in place to identify, evaluate, prioritise and manage opportunities and risks at strategic, tactical and operational levels.

Risk management within organisations can be demonstrated in terms of a pyramid (see figure 1). If potentially damaging issues are managed effectively, greater focus is placed on strategic business, enabling achievement of business objectives. Time and effort is freed by dealing with risk and co-ordinating management actions. This theory should be embedded in clear processes and communicated effectively to all staff to ensure that the focus is the same for all employees. Decisions based on an objective overview will offer solutions in terms of whether to transfer, control or accept the risk.

Managing the risks will mean that you consider a number of key questions, providing a focus for dealing with negative or problematic issues.

  • What controls are already in place, and what actions need to be taken?
  • Are these controls and actions adequate?
  • Who is required to manage these action and controls?
  • Who is responsible for actioning?
  • What are the critical success factors and key performance indicators?
  • How often is the process reviewed?
  • What are the key dates which will affect the risk management cycle?

    Changing market
    The market place is more risky than it was a decade ago. The challenges facing both private and public sector organisations are varied and complex. Under the scrutiny of stakeholders and taxpayers, there is little margin for error. The pressures are only going to increase, so businesses which manage risk well will succeed. Risk management is a clear process, but the risk manager must have a focused understanding of where the business is going and the stages it needs to go through.

    In the end, an organisation's potential can only be realised, and its business objectives met, if risk management is at the top of the business agenda.

    Sarah Richards, senior partner, Zurich Municipal Management Services

    Case study
    Cambridgeshire County Council has proved that effective risk management can lead to improved results and realisation of objectives. In 2001, the council undertook corporate risk assessment and directorate level assessments. The following year it completed a re-assessment exercise to re-prioritise the risks in their current context, and identify and prioritise new risks. This was an essential re-evaluation step, enabling Cambridgeshire County Council to analyse and monitor lessons, and feed outcomes back into the risk identification process.

    It scrutinised action plans, and this ensured efficiency. The focused approach meant that it directed resources at the areas of greatest priority. This also involved looking at low level risks to see if they were being over-managed and whether the council could divert resources from them to support the higher level risks. This can be a fine balancing act, but you can only use resources effectively if you use them correctly. The council organised awareness sessions with staff and held project level risk assessments during workshops as part of the drive to raise the profile of strategic risk management across the county.