Risk Management Strategy.
Information and Training. | Risk Management.When organizations implement a risk management process they tend to focus on minimizing or ideally eliminating all potential negative unforeseen events from arising and thereby ensure the smooth operation of the organization. The risk management process may encompass functional areas such as product development, process control, marketing, etc., … may be orientated towards anticipating and managing factors from the external environment which could negatively impinge on the organization, etc. …
While the minimization of potential negative events can help support the continued success of the organization, risks should also be seen as potential positives and potential opportunities. For example, consider a business performing well with a successful product. Why invest in product development to create a completely new alternative to the current successful model? Why choose a high-risk path versus iterations on the current successful formula? Higher risk can equate to exponentially higher levels of returns via dramatic breakthroughs. Individuals and organizations who embrace higher risk levels can significantly outperform those with a lower risk tolerance. Therefore, how risk is viewed needs to relate to the organization strategy.
Developing a Risk Strategy.Where does risk taking fit into the overall strategy of the organization? There needs to be a pre-considered approach to risk management which seeks to identify and minimize those risks which can negatively impact the business and which offer minimal positive potential, while identifying, controlling and exploiting those risks which offer the potential to enhance organizational performance and success. This requires a change in thinking towards the traditional risk model of “likelihood” versus “impact” towards a model where risks are linked to opportunities. Depending on the risk strategy the potential impact needs to be seen from two perspectives, what are the potential negatives and what, if any are the potential positives or opportunities.
For example a machine breakdown on a production process is clearly a negative, with production disruption, potential for backlogs and shipment delays. The risk management process will seek to minimize or eliminate the potential for a machine to unexpectedly breakdown via focusing on preventative maintenance, maybe having a back-up equivalent machine, etc. . However, even with such a simple example, there are potential positive outcomes which could be associated with the equipment breakdown. If managed correctly, maybe during process interruptions, staff interaction sessions (with line staff who could be underutilized during such a breakdown) can be arranged which seek to promote staff involvement, enhance their training, obtain suggestions for improvement, etc.. The goal being to promote a particular positive organizational culture. A positive enthusiastic organizational culture could be immeasurably more beneficial to an organizational in the long term, over some unscheduled process breakdowns.
A simple strategy of the organization may be to insist that potential opportunities are linked to all identified risks, hence if a risk matrix or risk table is being maintained by the risk manager (or other person appointed to oversee the risk process), the table will also identify the potential opportunities associated with each risk and the actions to be taken to exploit those opportunities in the event of the risk arising.
Determining the appetite for risk within the organization.
Will risk taking be a key component of the organizational culture with risk takers recognized and rewarded regardless of outcomes, or will risk be discouraged. An organization that fervently avoids risk, if competing in a competitive environment will struggle to survive long term. If operating in a non-competitive environment, i.e. a government department, will often surround itself with processes and bureaucracy to enshrine a risk adverse culture and can do so over the long term protected by the non-competitive nature of its operating environment. However, the organization operating in a competitive environment, must engage with some level of risk taking. The question for management is what level of risk taking will be promoted across the organization. The organizational strategy needs to consider the risk culture and how risk with all its potential negatives and potential downfalls can be utilized to progress the organization. Management will need to consider the operating environment, competitive pressures, the expectations of stakeholders (shareholders, employees, regulators, the community, ….) etc., and seek to determine the most suitable risk appetite for the organization.
Defining the Risk Strategy.
i) Determine the overall Organizational-wide Risk Appetite – this will be influenced via inputs from the operating environment, regulators, the potential impact of the risks on the community, … etc …
ii) Does the risk appetite need to be modified for certain functional areas, i.e. risk taking within a finance function will generally be less than in the product development. Higher risk may be taken within certain product markets, where the potential opportunities may be greater, i.e. a high risk approach may be taken in order to get a market leading share within a new rapidly expanding technology sector.
iii) How will the organizational culture be influenced so as to reflect the desired risk culture. Organizational culture will be influenced by recruitment policies, the background and experiences of current employees, modes of communication, reward systems in place, the influence of the external environment, etc…
iv) Consideration needs to be made for how risk taking will be rewarded.
If an individual takes a risk and (for example) suggests setting up a small group improvement team (along the lines of the previously known quality circles) as a means of driving improvement in his/her area of responsibility, there could be two possible outcomes. One being that the team identifies and implements improvements, the other being that the team does not identify any suitable improvements, but time (any money) has been lost due to taking staff out of their normal daily routines so as to have the improvement team meetings. Should the team meeting proposer be equally rewarded for both outcomes? Should there only be a reward for positive success? Should the failure of the improvement team be seen as a negative with possible negative consequences in (say) the annual review? The future attitude of all other employees to making suggestions and hence taking risks, will be determined by the response of the organization.
If a product manager champions a new product, again the response of the organization to the initial risk taking by the individual and the outcomes will again influence peers and drive organizational culture towards risk taking.
v) How will the level of risk taking be measured. How can an organization establish some form of measure to benchmark the desired strategic appetite for risk, versus actual practice within the organization.
vi) “Identifying and capturing the potential opportunities associated with routine risks”. As detailed previously many routine risks offer potential opportunities. Such opportunities need to be considered and a willingness to exploit engrained within the organizational culture.
In summary:An organization that successfully embraces risk taking can significantly outperform peers. It must also be clearly understood that while risk taking offers opportunities, there will be “fails”, therefore such “fails” need to be built into the normal expected performance and cannot be allowed to put the reputation or on-going survival of the organization itself at “risk”.
Information & Training.
- Risk Identification. Risk Evaluation. Risk Mitigation. Risk Control. Etc..
- Risk Processes. Risk Planning. Risk Reporting.
- Requirements. Standards. Current best practices.
- Information & Training presentation >>>