Nowadays, risk management is on everyone’s corporate agenda; let it be a private or public organisation. A special attention to risk management is paid by governments, stock exchanges, shareholders and regulators. However, this hasn’t always been the case.
We began our risk management research back in 2007. This was the time when most large non-financial corporations were just starting to build risk management functions and implementing risk management frameworks. At the time, our study showed that risk management was largely driven by the stock exchange requirements, fancy concepts proposed by auditors and was very basic in nature.
During our initial research, we have identified several challenges relating to weak culture and confusion around the roles and responsibilities that the boards, executives and the risk management teams play in the overall risk-based management of the company. We also noted that back in 2007, risk managers focused primarily on activities like developing risk management framework documents, conducting basic risk assessments and preparing risk reports that rarely showed clear connection between the risks and corporate objectives or business decisions. This resulted in very compliance-like and sometimes overly bureaucratic procedures. It often took months to get any meaningful results and it quickly became a box-ticking exercise for the executives. Business units resisted what was perceived as a “back office initiative,” claiming that risks were already known and under control. All in all, risk management in non-financial companies has failed to provide meaningful change to how companies operate or executives plan and make decisions.
It soon became apparent that there is a need for greater and more independent risk analysis and a link between risk management and business decision making. Some of the more advanced executives demanded risk analysis at the time a decision was made, not once a quarter or once a year, which was the norm at the time. They wanted to see impact of uncertainty on their bottom line, cash flows, schedules, their key performance indicators and targets, project NPV, not some abstract risk levels or heat maps. Unfortunately, most risk managers were not able to deliver. Many tools and methodologies used by modern risk managers are simply not designed to provide a timely and quantitative assessment of impact of uncertainty on everyday management decisions.
Today, as we continue to adapt to a highly volatile environment, businesses are becoming more proactive about risk management. Is this just a facade or are organisations truly becoming more risk aware? And how will the new ISO31000:2018 reinforce these changes?
Today, as we continue our research, we are pleasantly surprised by how many organizations have already recognised the limitations of “stand-alone” and “separate” risk management processes and are proactive in integrating risk management into decision-making, core business processes and the overall culture of the organisation. We have collated best practices from more than a dozen mature organisations to propose an alternative approach to risk management. An approach without the heat maps, risk registers, risk frameworks or risk mitigation plans. For several years, we have tested and validated the findings both locally and internationally. We have summarised fifteen practical ideas on how to integrate risk management into the daily decisions and operations of the organisation. These were grouped into three high level objectives: drive risk culture, help integrate risk management into business and become a trusted advisor.
This document is designed as a practical implementation guide. We recommend using it as such. Each section is accompanied by checklists, numerous video references, useful links and templates. Go the RISK-ACADEMY website and download the checklists so you can complete them as you listen through the guide.
This podcast series is filled with useful short videos and interviews available on the RISK-ACADEMY YouTube channel. You can listen to them, skip them or leave them till later as you see fit.
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
