Organizational Risk Management – Moving From Reactive To Proactive Management

Organizational Risk Management – Moving from Reactive to Proactive Management

When a risk is the greatest, the potential for reward is also the greatest.  Many leaders chose to avoid risk rather than manage it; they focus on the exposure to loss.  It’s not surprising they decide to take the path of least resistance.  However, choosing risk avoidance to fulfill a perception of safety and security may not yield the rewards they can get by managing risk proactively.

What is Risk Management?

According to ISO 31000, you can reduce your uncertainty and manage your risk, by using a systematic approach to risk management.

ISO 31000, 2.2 Risk – “The effect of uncertainty on objectives”

“Recognizes that organizations operate in an uncertain world. Whenever you try to achieve an objective, there’s always the chance that things will not go according to plan. There’s always the chance that you will not achieve what you expect to achieve. Every step you take to achieve an objective involves uncertainty. Every step has an element of risk that needs to be managed.”

Purpose of Organizational Risk Assessments

  • Identify possible risks
  • Reduce or allocate risks
  • Provide a rational basis for better decision making regarding all risks.
  • Plan appropriate responses to the eventual outcome of a risk.
  • Identify possible missed opportunities
  • Analyze risks that have not yet occurred or risks that could re-occur.
  • Evaluate which risks are significant for the unit and may have a significant impact on the achievement of objectives.
  • Develop risk plans and realistic responses to address these risks.

Risk Assessment – Current Thinking

Risk Assessments can be undertaken both departmentally and organizationally. Larger organizations often do this for each department and then roll the final list of “high” risks up to an organization-wide view.

The concept risk implies control of possible future events, and is proactive rather than reactive. It will reduce not only the likelihood of an event occurring, but also the magnitude of its impact. However, if you don’t actively attack risks, they will actively attack you!

Why Take Risks?

“Don’t rock the boat” refers to risk aversion – an unwillingness to take risk. Risk creates breakthroughs, innovation and invention. Risk seeking behaviours lead to success. Reducing risk likelihood answers the question “What can I do today to ensure the organization’s success continues?”

Risk and Missed Opportunity

The direction of risk matters; there is “upside risk,” or the chance to miss a beneficial opportunity, and “downside risk,” or the chance of an adverse result.

Being able to see risks and opportunities simultaneously helps to develop flexible organizations that can manage value protection and value creation simultaneously. Developing the capability to recognize such opportunities requires a change in the risk management mindset and is critical in helping organizations to better manage and benefit from risk.

Organizations that successfully exploit and protect present opportunities and explore future innovations, while managing risk, have been called “ambidextrous organizations.” These organizations attend to the products and processes of past successes while capturing the opportunities that will define the future. Creating an ambidextrous organization that manages the downside risks and focuses on value creation by capitalizing on opportunities, requires a risk management system that identifies, manages, measures, and monitors both threats and opportunities.

Viewing Risk Through a Different Lens

Studies have found that people evaluating risk have different attitudes towards gains and losses. According to Daniel Kahneman and Amos Tversky—two of the most influential researchers on how people manage risk and the conceptualizers of Prospect Theory— “loss aversion” guides most decisions. They called their studies of how people manage risk and uncertainty Prospect Theory for no other reason than that it is a catchy, attention-getting name.

Risk Avoidance

  • The challenge facing leadership teams is deciding what to do.
  • They can do nothing and respond heroically if needed.
  • Think through the risks and potential responses to be prepared (but wait to see what actually occurs).
  • Take proactive action and incur the costs, but never being sure if they are needed.

Example:

Discussing what you don’t know about the consequences of climate change on the organization is a serious conversation. There is no ‘right answer’ to this risk.

Doing nothing may feel like a good option – wait and see. Procrastination in making a decision can be very attractive. But can you afford to do nothing? Hoping for the best is not a viable strategy to assessing and managing the risk. This challenge is a real opportunity to display leadership, communication and negotiation skills to facilitate a useful conversation.

Why Manage Risk?

Organizations must manage risk to:

  • Increase their chance of success.
  • Prevent potential losses.
  • Decrease the magnitude of a loss.
  • Support effective use of their resources.
  • Promote continuous improvement.
  • Reduce the number of unwelcome surprises.
  • Quickly grasp new opportunities.
  • Reassure stakeholders.

Crisis Management vs. Risk Management

Managing a crisis happens when:
A risk occurs that wasn’t included in the risk management plan and there are no contingencies to manage it.

Managing a risk happens when:
A risk occurs and it was included in your risk management plan and there are contingencies to manage it.

The Risk Assessment Process

Is intended to reduce management by crisis. There will always be some things that will occur that can’t be avoided but most of these, through sound risk management, can be managed, rather than reacted to. The Risk Assessment Process follows 4 core processes:

  1. Identify Risks
    1. Review possible risk sources and discuss team’s experiences and knowledge.
    2. Brainstorm all potential risks
    3. Organize all risks into risk categories.
    4. Create Risk Statements for each category.
  2. Evaluate & Prioritize Risks
    1. Estimate the impact & probability of the risks.
    2. Evaluate and assess high impact & probability risks.
    3. Prioritize the risk categories and related risks.
  3. Assess Risks
    1. Identify the root causes of the high priority risks.
    2. Questions include:
      • What might cause each risk?
      • How will each risk, if it occurs, impact the organization, etc.?
  4. Develop Responses to Risks
    1. Develop responses to root causes of high priority risks.
    2. What actions to take to reduce risk likelihood? (Mitigation Plan)
    3. What actions to take to manage risk(s)? (Contingency Plan)
    4. How to ensure opportunities not missed?
    5. Identify mitigation tasks to reduce risk likelihood or eliminate the risk.
    6. Develop contingency plan tasks to manage risks.

Identifying and Recording Risks

When identifying risks there is sometimes a temptation to dismiss a risk because “we can’t do anything about it”. This argument doesn’t change the risk into a non-risk.  It doesn’t move from a known to an unknown.  The fact that there is no viable mitigation to reduce risk likelihood isn’t a reason not to include the risk.  Risks that can’t be mitigated will still have an effect on the department/organization and can be quantified regarding impact and probability (likelihood).

It is important to specify the risk correctly. For instance, a risk has a cause and, if it occurs, an impact on the department/organization. When identifying risks, think about their cause and impact.  Further analysis may be required to clarify the cause and the impact, but this doesn’t negate that it is a risk.

For example, if you’re building a bridge, the fact that it’s built over water is not a risk.   The risks may be unknown sub-surface conditions, which if they occur, may lead to re-design of the bridge supports. Mitigation could involve reinforcing the bridge supports to reduce the probability of unknown conditions.

When brainstorming risks, consider:

Threats: A risk that will have a negative impact if it occurs.

Opportunities: A risk that will have a positive impact or a missed opportunity if a risk isn’t taken.

How to Write a Risk

Risk (threat)
• Menus and platforms aren’t working together
• This risk is unclear. Identify the risk by asking “why” this will create a risk.
Corrected (written as a risk)
• Menus and platforms don’t work as one system

Risk (threat)
• Menus and platforms aren’t working together
• This risk is unclear. Identify the risk by asking “why” this will create a risk.
Corrected (written as a risk)
• Menus and platforms don’t work as one system

On-Going Risk Management

Traditional Risk Management

A Risk Checklist is completed and high priority risks are identified.

Current Approach to Risk Management

A Risk Assessment is completed.  High Priority Risk Statements and related risks are identified.  High Priority Risk Statements are analyzed using a cause and effect analysis.  Mitigation plans are developed to reduce risk likelihood and contingency plans are developed to manage risks, should they occur.

Case Study:

Global Risk Assessment; $20 Billion Division of an International Pharmaceutical Company

The Challenge
This global pharmaceutical organization required each division to run a Risk Assessment from the bottom-up every 3 years. However, this was the first formal organizational risk assessment for this division. Organizational risks included the targeted group risks of Maintaining Innovation Capability, Supply Chain Disruption, Unethical Business Practices, Competition for Talent/Leadership Skills, Funding/Market Access Constraints, Addressing Cost Structure and Complexity, Adapting to Regulatory Changes, Biosimilars and Molecular Information/ Sequencing. Understanding the potential risks and the impact they might have on the organization assisted in assigning, prioritizing and applying appropriate risk mitigation and contingency plans.

Solution
Over a 3-month period the senior leadership team was engaged in hands-on sessions where they learned and applied the entire risk management process. They identified risks, evaluated these risks, assessed the high risks and developed responses to these risks. The prioritization of risks became an important part of assessing organizational risks because it is impossible to have enough resources to respond to every risk. Through a well-executed risk assessment process, the organization was able to reduce risk, protect stakeholder’s interests and ensure continuation of their services.

Conclusion

Being able to see risks and opportunities simultaneously helps to develop flexible organizations that can manage value protection and value creation simultaneously. Developing the capability to recognize such opportunities requires a change in the risk management mindset and is critical in helping organizations to better manage and benefit from risk.

Organizations that can manage the downside risks and focuses on value creation by capitalizing on opportunities, require a risk management system that identifies, manages, measures, and monitors both threats and opportunities.  The current approach to risk management is designed to reduce the stress level and concerns of departments and organizations; assessing and managing risks provides an assurance of being in control.

 

 

 

Michael Stanleigh

Michael Stanleigh, CMC, CSP, CSM is the CEO of Business Improvement Architects. He works with leaders and their teams around the world to improve organizational performance by helping them to define their strategic direction, increase leadership performance, create cultures that drive innovation and improve project and quality management. Michael’s experience spans public and private sector organizations in over 20 different countries. He also delivers presentations to businesses and conferences throughout the world. In addition to his consulting practice and global speaking he has been featured and published in over 500 different magazines and industry publications.

For more information about this article you may contact Michael Stanleigh at mstanleigh@bia.ca