Managing risk is essentially concerned with understanding how things change over time. How fast will things move from manageable, to unmanageable, from having control to not being in control of what happens next? Effective risk management understands what’s important to a person or organization and what patterns, trends, triggers, or relationships might lead to unexpected events.
Which all sounds pretty easy and straight-forward.
At least it does, if your image of risk is fairly static, like a list of things you shouldn’t forget to pay attention to. Also, if your organization is stable in what it is trying to do and where it is doing it, in a society where the laws aren’t changing, people’s tastes or expectations are fixed, where innovation is at a minimum, there’s no pressure from competition or suppliers, natural disasters don’t happen, nations are never in conflict and no one considers health or safety to be of any particular importance.
Given that the last paragraph resembles no place on earth, it’s worth spending some time thinking about the importance of risk and how any meaningful business strategy should prepare for the unexpected.
Whenever a business owner thinks they have got all their problems under control, something fundamental changes. It could be that a new threat emerges which could potentially damage the organization in some way, or it might be a new opportunity arises that should be considered. This is fundamental to any risk management plan; the world is always changing and that affects both the internal and external factors that generate risks.
You might be thinking that a good approach to dealing with potential risks is to arm the organization to resist change, to keep things stable. You can imagine a solid oak tree in a storm, as a visualisation of this mindset. The tree resists change for a long time, holding out against huge forces until one of two things might happen: the whole root system of the tree comes loose and the whole tree is plucked from the ground in one piece. Or, the roots stay in place but the trunk is weakened, violently and dramatically snapping. Either way, the tree dies.
Exposure to risk is how children learn what they can and can’t do. Hopefully not so much risk that they are seriously injured or incapacitated, but sufficient risk that they feel confident to try every greater challenges, or at least with a manageable amount of failure, that they can learn what they did wrong and do better next time. Risk opens up new worlds, confirms that we are growing in composure, skills, maturity and capable of taking on every greater challenges and responsibilities. These benefits of risk also play out for entire organizations and we might even say that the purpose of risk management is to create the conditions by which an organization gets better at taking risks. That is how they will outperform their peers, produce better products, save money, increase satisfaction.
Too many people think that risk management is stopping bad things from happening, as opposed to finding the optimum balance between taking risks that help us achieve our objectives, and suffering risk exposures which in some way destroy value or confidence. These upsides and downsides of risks live together and must always be considered simultaneously.
To consistently find this optimal balance of risk-taking, in an environment that is in constant flux, requires a risk management process. Anything like is sporadic and ad-hoc, meaning that you will often find yourselves having insufficient time to recognize a significant change is happening, or have the ability to coordinate a meaningful response. Put bluntly, you surrender control of positive outcomes.
The international standard for risk management, ISO 31000 is a good, basic approach to building a risk management process. It sets out the following repeating steps:
Work must be done to ensure that everyone who has an interest in a particular risk is considered in some way or another. Consultation must be undertaken if their views are likely to be significant or influential and it is usually beneficial for outcomes of the risk assessment process to be communicated to such people so that expectations are well managed. Generally speaking, people don’t like bad surprises and nor do they feel calm if they have no information about how something very important to them, appears to not be being handled proactively.
Doing risk management well involves a lot of coordinated effort by people who are trained to recognise risks as being something that is usually hidden, or beyond the level of attention that most people ordinarily give. This is why the most effective organizations don’t just try to implement a risk management process, but they also give plenty of consideration to their risk culture. This then positively shapes the knowledge, skills and attitudes that staff members have in relation to the risks being managed. These staff members typically manage risks much more effectively, identifying threats and opportunities far quicker and with more insight than their untrained counterparts.
And if we remember that risk is the pathway to growth and performance, a purposefully developed risk culture will help any organization to excel and deliver their mission values.
We know what you mean.
Download our free guide that shows the top 20 training mistakes when designing training.
