how to manage risk

Managing risk is essentially concerned with understanding how things change over time. How fast will things move from manageable to unmanageable, from having control to not being in control of what happens next? Effective risk management understands what’s important to a person or organization and what patterns, trends, triggers, or relationships might lead to unexpected events.

Which all sounds pretty easy and straightforward.

At least it does, if your image of risk is fairly static, like a list of things you shouldn’t forget to pay attention to. Also, if your organization is stable in what it is trying to do and where it is doing it, in a society where the laws aren’t changing, people’s tastes or expectations are fixed, where innovation is at a minimum, there’s no pressure from competition or suppliers, natural disasters don’t happen, nations are never in conflict and no one considers health or safety to be of any particular importance.

Given that the last paragraph resembles no place on earth, it’s worth spending some time thinking about the importance of risk and how any meaningful business strategy should prepare for the unexpected.

Whenever a business owner thinks they have got all their problems under control, something fundamental changes. It could be that a new threat emerges which could potentially damage the organization in some way, or it might be that a new opportunity arises that should be considered. This is fundamental to any risk management plan: the world is always changing, and that affects both the internal and external factors that generate risks.

You might be thinking that a good approach to dealing with potential risks is to arm the organization to resist change, to keep things stable. You can imagine a solid oak tree in a storm as a visualisation of this mindset. The tree resists change for a long time, holding out against huge forces until one of two things happens: the whole root system comes loose and the tree is plucked from the ground in one piece, or the roots stay in place but the trunk is weakened, violently and dramatically snapping. Either way, the tree dies.

risk is good

Exposure to risk is how children learn what they can and can’t do. Hopefully not so much risk that they are seriously injured or incapacitated, but sufficient risk that they feel confident to try ever greater challenges, or at least with a manageable amount of failure, so that they can learn what they did wrong and do better next time. Risk opens up new worlds and confirms that we are growing in composure, skills and maturity, and are capable of taking on ever greater challenges and responsibilities. These benefits of risk also play out for entire organizations, and we might even say that the purpose of risk management is to create the conditions by which an organization gets better at taking risks. That is how they will outperform their peers, produce better products, save money and increase satisfaction.

Too many people think that risk management is stopping bad things from happening, as opposed to finding the optimum balance between taking risks that help us achieve our objectives, and suffering risk exposures which in some way destroy value or confidence. These upsides and downsides of risks live together and must always be considered simultaneously.

a reliable process is needed

Consistently finding this optimal balance of risk-taking, in an environment that is in constant flux, requires a risk management process. Anything less is sporadic and ad hoc, meaning that you will often find yourselves with insufficient time to recognize that a significant change is happening, or to coordinate a meaningful response. Put bluntly, you surrender control of positive outcomes.

The international standard for risk management, ISO 31000, is a good, basic approach to building a risk management process. It sets out the following repeating steps:

  • Understand the organizational context in which change happens. Is your organization new, mature, small, growing, a monopoly, operating a cash cow, have an extended supply chain, reliant on regulatory approval, unpopular in the public mood etc.?
  • New threats must be recognized, and if they are relevant to objectives, they can be called newly identified risks.
  • But there are big risks and small risks, frequent and vanishingly rare risks, so risk analysis work has to be done to build a useful profile of each specific risk. This should be calculated as well as possible, preferably using quantifiable data that realistically reflects the nature of the threat. This helps you understand the inherent level of risk you are exposed to. Many organizations have a set of scales describing these levels in relation to each other, so it becomes easy to describe their relative priority for responding to them.
  • Knowing what controls you have to manage the frequency/probability of the risk happening, whilst also determining the likely consequences in a range of scenarios is the heart of what is known as risk assessment. Some people call this the residual risk level, after controls.
  • Knowing that it faces real risks, the organization has to develop action plans for bringing the risk levels into line with the optimum exposure it has determined. These risk treatment plans include the possibility of avoiding the risk altogether, modifying either the probability of the risk happening or the consequent outcomes, sharing the risk exposure with other partners (through insurance, joint ventures or outsourcing agreements), or simply accepting that there is nothing practical/economic that can be done, usually for a period of time.

Work must be done to ensure that everyone who has an interest in a particular risk is considered in some way or another. Consultation must be undertaken if their views are likely to be significant or influential, and it is usually beneficial for outcomes of the risk assessment process to be communicated to such people so that expectations are well managed. Generally speaking, people don’t like bad surprises, nor do they feel calm if they have no information about something very important to them that appears not to be handled proactively.

positive risk culture leads to excellence

Doing risk management well involves a lot of coordinated effort by people who are trained to recognise risks as being something that is usually hidden, or beyond the level of attention that most people ordinarily give. This is why the most effective organizations don’t just try to implement a risk management process, but they also give plenty of consideration to their risk culture. This then positively shapes the knowledge, skills and attitudes that staff members have in relation to the risks being managed. These staff members typically manage risks much more effectively, identifying threats and opportunities far quicker and with more insight than their untrained counterparts.

And if we remember that risk is the pathway to growth and performance, a purposefully developed risk culture will help any organization to excel and deliver their mission values.

