Who is responsible for risk management? We all are!
It is often perceived as a task that managers must do. However, the most effective and successful risk management occurs when all key stakeholders and groups are involved. All levels of the organization from management, engineering, permitting, information technology, construction, compliance and legal are key constituents to identifying, managing, and mitigating risks. How should organizations tackle these unprecedented challenges?
Step 1. Enterprise-Wide
A successful risk management approach needs to encompass all facets of the enterprise. Typically, risk management tools are not leveraged to support the process across the entire enterprise. This is slowly changing as greater oversight by executive management becomes more prevalent. When an organization’s risk management approach is truly enterprise-wide, they will reap the benefits of more information that allows them to make better informed business decisions. If you don’t invest in risk management, it doesn’t matter what business you’re in, it’s a risky business.
Step 2. Consider All Risks
Traditionally, corporate level risk management has focused on financial risks to the organization. Though, financial risk is a big part of risk management, it’s not the only risk that should be considered.
Enterprise risks consists of various categories. Competent risk management will consider all risks throughout the organization such as financial, projects, safety, operations, assets, cybersecurity, and more. An effective approach to manage all risk requires better risk categorization and definition to understand and proactively mitigate risks.
Step 3. Risk Prioritization
As an enterprise, you simply can’t mitigate every single risk. The executive management team should be focused on the risks that pose the largest threat to the organization. In order to do this the company should identify and prioritize risks by impact/severity and probability/frequency. Concepts can be leveraged such as risk templates, simulations, etc.
Since all risks are tracked, this can be implemented within various levels within the organization. However, it’s important to let the managers handle the risks related to their operational requirements. Management should have an overview of risk priority for each operational aspect.
Step 4. Aggregate Risk
While examining the risk profile at large, the risk exposure of the organization might be more than the organization is prepared to take on. This is when aggregating risk allows the company to see the bigger picture.
It’s important to compare the organizations risk appetite to the risk exposure across all operational activities to determine how much risk is realistic for the organization to take on. Management should consider how the aggregate risks stack together to make the most educated decisions for the enterprise.
Step 5. Consider Interactivity
Risks aren’t an isolated event. If one risk comes to fruition it may cause other risks to materialize and cause issues for multiple operations. For example, a capital project to expand a large substation may have an impact on assets with the substation and increase cybersecurity risk exposures.
Risk management often considers risk in a theoretical sense, applying a silo mindset. In the real-world, things can and do go wrong simultaneously. A good risk management approach views the interactivity between risk to understand how they work together, ramifications, and whether the results would be negative or positive. When looking at the interaction of risks, there may be some that need similar mitigation action plans, in which these risks should be considered to be managed together.
Step 6. Risk Mitigation
Logging risks won’t make them disappear. Managing risk requires more than completing worksheets in a risk management tool or tracking them in a spreadsheet against a project. A good risk system should encourage and allow team collaboration to mitigate risks.
Someone with knowledge on how to handle the risk should take control and become the risk owner. They should analyze and identify the options and take action to implement those controls. Consider using a risk register to log the risk events, drivers, mitigation actions, impact/severity , probability/frequency, risk owner and other key risk mitigation details. The risk register is a living document and should be consistently updated. Keep in mind there are different levels and categories of risk, which will require risk owners within different groups of the organization. A successful risk management process needs to include these measures and be implemented from the first phase or stage gate until the project is completed.
Step 7. Facilitate Decision Making
An effective risk management systems simplifies the decisions making process. Risk management is often performed by identifying the top risks and reporting them to the executives, which is categorically ineffective. What are they supposed to do with this information?
A risk assessment report is a valuable deliverable as it shows the significance of the key risks, financial impacts should the risk materialize, and a risk mitigation plan. The critical risks with high financial implications is the ones management will be more inclined to pay attention to.
Risk management will help an organization make investment decisions and improve the way they move forward with projects. Ultimately, a successful enterprise risk management program will facilitate and aid management in making better informed decisions.
Risk Assessment Profiler (RAP)
Contact ARETE to learn how the Risk Assessment Profiler (RAP) addresses all key steps to having an effective and successful Enterprise Risk Management Program.