Basic Risk Management Starter Pack


Note: Hyperlinks take you to illustrative YouTube videos.

Fear Not, It's An Everyday Thing

We all manage risk on a daily basis, otherwise we would not safely cross a busy road. As the saying goes: "no one knows what tomorrow will bring"! So, the practice of risk management ("RM") simply formalises an informal habit. Instead of reacting to risks when they happen, RM asks us to anticipate them (known as "risk identification"), study them (known as "analysis" or "classification") and to take steps in advance of the risk happening (known as "mitigation" or "action") to reduce any loss (from "negative risks" or "threats") and maximise any gain (from "positive risks" or "opportunities").

Some risks can be spotted before they happen ("foreseeable risks"). Contrary to popular opinion, this includes COVID-19, for which there were ample warning signs for a distracted world, including an explicit warning by Bill Gates in 2015. Germany's Wirecard business scandal of 2020 also falls in that bracket. Other risks come out of the blue ("unforeseeable risks"). Japan prepared for a tsunami or an earthquake but did not imagine a combined tsunami AND earthquake as struck in 2011. Risks can also be opportunities which can be optimised by forward-looking management, as demonstrated by Nigeria's Paystack, which was acquired in October 2020 by America's Stripe payments system in a deal valued at over $200m.

But, Keep these pointers in mind!

Be Proactive!

The point is, to work, RM must be proactive! Whether "foreseeable" or "unforeseeable", a good RM system can reduce losses and increase gains relative to a laid-back "reactive" approach. This guide is a very basic introduction to a simple risk "analysis" system and a related "risk register" for recording risks.

Get yours tailored to fit

In practice, entities face very different risks. So, an RM system should be tailored to meet the specific demands of your organisation's situation.

There is more to RM than Analysis!

Also, risk "analysis" is only one part of a functional RM system! For example, you must have an effective system for identifying risks. Those that are not identified in time can end up as very unpleasant surprises.

Equally, it is not enough to identify a risk if no action, or inadequate action, or late action is taken. The differences in infections and deaths from COVID-19 between comparable countries demonstrate the vital role of risk mitigation.

Risks can Mutate: Like Viruses!

Further, risks can change with time, and they need serious monitoring of these changes and their potential effects.

Your RM System is only as good as your Risk Managers and your culture!

Nimble, intelligent enterprise-wide systems - where the Left Hand knows what the Right Hand is up to - are needed to defend against threats and to harness the opportunities offered by positive risks!

Ok, Let's get started...

Keeping these complexities in mind, this framework gets your RM journey started. It offers three classifications of each risk event for your starter register: by Type, Incidence and Impact. As Risk Incidence has two sub-components, four columns will be required for these classifications in a basic risk register, i.e. Type, Incidence-Likelihood, Incidence-Scope and Impact. Each risk will occupy one row in your register.

1. A Basic Risk Register


2. A Starter Pack of Risk Types


Risk Type

Risk Type - Once you identify a risk, you give it a reference (“Risk ID”), a good summary of its nature (“Description”) and one label (“Type”) that best says the extent to which you think that the risk can affect the objectives of the organisation. We describe 5 example “labels” below from which you choose the one that best fits the risk.

(a) Strategic – This labels behaviours, events, policies or processes that may significantly affect the attainment of the long term objectives of your entity.

(b) Operational – This label groups behaviours, events, policies or processes that impact on the short term prospects of your entity and which cannot be better classified using (c) to (e) below.

(c) Safeguarding assets – This label classes risks that can affect your entity’s ability to protect the resources available to the organisation and, thus, prevent loss, theft, management overriding of laid down controls, waste of organisation resources, inefficient use of assets and poor decision making.

(d) Reporting – This groups risks that influence the reliability of internal and external reporting which provide information for decision making, control and the assessment of management’s stewardship of resources.

(e) Compliance – This includes risks that affect your observance of applicable (internal and external) agreements, regulations, covenants, laws, policies and procedures which are intended to enhance the economy, efficiency, effectiveness and sustainability of your organisation.

3. A Starter Pack of Risk Incidences


Risk Incidence

Risk Incidence – You will need to evaluate two components: Likelihood and Scope.

  1. Likelihood: Give your assessment (example below) of how probable it is that this risk will occur.

    (a) Low – estimated to occur more than 3 years from your identification of the risk.

    (b) Medium – likely to occur between 1 and 3 years from identification.

    (c) High – you expect this risk to happen within a year of your identification.

  2. Scope: Provide your best estimate (example below) of how much of your entity would be affected.

    (a) Unit – limited to a single department of the entity with no significant effect outside that component.

    (b) Organisation – you think it affects more than one component and possibly the entire organisation but can be contained internally by management.

    (c) External – affects the entire organisation, is unlikely to be contained internally and is very likely to impact on the interests of external stakeholders.

Risk Impact

Risk Impact – This provides your conclusion on the overall seriousness of the negative risk or positive opportunity for your organisation. The following classifications (derived from Edward de Bono's "5 Day Course in Thinking") can be used in the assessment of risk impact. The first two are used for negative risks; the third is a neutral risk; the last two should be used for positive risks. A colour coding (see the pdf for an illustration) can be used to more easily spot the impact class in a risk register and can be used in generating simple risk heat maps that visually represent the content of a register:

4. A Starter Pack of Risk Impacts


(a) Fatal (F) – you conclude that the negative risk identified can seriously undermine the credibility and existence of the entity. It needs very urgent action.

(b) Weak (W) – you think that this negative risk is not fatal but may develop into a fatal threat if it is not dealt with in good time. It requires a timely defensive action from the organisation. It is significant in nature.

(c) Neutral (N) – you identify threats or opportunities that do not currently pose a significant risk to an entity's goals and operations. However, they can mutate into significant negative or positive risks and, therefore, need to be monitored.

(d) Challenge (C) – you find positive risks or opportunities that are likely to directly or indirectly drive an increase in the demand for the entity's services and/or products; but which will require an enhanced level of organisational effectiveness in order to take advantage of the opportunity. There is a significant chance that the opportunity can be lost. The organisation is not yet strong enough to take full advantage of the opportunity and may lose it, if action is not taken. It is significant.

(e) Strong (S) – you note positive risks or opportunities that are likely to directly or indirectly drive an increase in the demand for the entity's services and/or products; and for which the entity is already in a strong position to take advantage of the opportunity. But, it must be monitored to ensure that the strength does not decay through neglect or overconfidence. It is significant.
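The register columns and labels described above can be checked and summarised mechanically. The following is an added example, not part of the original guide: the `Risk` class, the function names and the sample rows are hypothetical, and grouping impact codes into a likelihood-by-scope grid is one assumed layout for a simple heat map.

```python
from collections import defaultdict
from dataclasses import dataclass

# Allowed labels, copied from the starter packs in the text.
TYPES = ("Strategic", "Operational", "Safeguarding assets", "Reporting", "Compliance")
LIKELIHOODS = ("High", "Medium", "Low")
SCOPES = ("Unit", "Organisation", "External")
IMPACTS = ("F", "W", "N", "C", "S")  # Fatal, Weak, Neutral, Challenge, Strong

def likelihood_from_years(years):
    # Example bands from the text; assumption: exactly 1 or 3 years is Medium.
    if years < 1:
        return "High"
    return "Medium" if years <= 3 else "Low"

@dataclass(frozen=True)
class Risk:  # one row of the register
    risk_id: str
    description: str
    type: str
    likelihood: str
    scope: str
    impact: str

    def errors(self):
        # Names of the classification columns holding a label that is not allowed.
        allowed = {"type": TYPES, "likelihood": LIKELIHOODS, "scope": SCOPES, "impact": IMPACTS}
        return [col for col, ok in allowed.items() if getattr(self, col) not in ok]

def heat_map(register):
    # Group impact codes by (likelihood, scope) cell, rejecting invalid rows.
    cells = defaultdict(list)
    for risk in register:
        if risk.errors():
            raise ValueError(f"{risk.risk_id}: invalid {risk.errors()}")
        cells[(risk.likelihood, risk.scope)].append(risk.impact)
    return {cell: sorted(codes, key=IMPACTS.index) for cell, codes in cells.items()}

# Constructed sample rows (not from the page).
REGISTER = [
    Risk("R1", "Sole supplier may fail", "Operational", likelihood_from_years(0.5), "Organisation", "W"),
    Risk("R2", "Ledger backups untested", "Safeguarding assets", likelihood_from_years(0.5), "Organisation", "F"),
    Risk("R3", "New market opening", "Strategic", likelihood_from_years(4), "External", "C"),
]
if __name__ == "__main__":
    for cell, codes in heat_map(REGISTER).items():
        print(cell, codes)
```

Within each cell the codes are ordered from Fatal to Strong, so the most urgent negative risk in a cell is listed first.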

Conclusion - Good for Starters and for Boards reviewing existing RM systems

Now, you have the basic tools needed to get a starter risk register up and running. Boards can also use the principles to guide their evaluation of an existing system! Remember that there is a bit more involved in a successful RM system. Critically, a good Risk Manager will have the attributes of Covey's "7 Habits of Highly Effective People". The journey will be worth it, when you proactively mitigate threats and get better at taking advantage of opportunities. Good Luck: chance always plays its own – "unforeseeable" – role!

© 2020, All Rights Reserved. Omodele Jones, October 2020. The author is CEO of GQRDOtCOm Ltd (registered in England & Wales) and operating as GovernanceQualityRatings.com incorporating AuditQualityRatings.com.