Getting ahead of risk

Introduction

Risk management in its most basic form is a methodology used by businesses to help identify and mitigate risks that may arise. This could be anything from within your day-to-day operations (such as unpaid invoices) to large scale, external risks (such as the Covid pandemic) that could completely change your strategic approach. There is no “one size fits all” when it comes to risk management – what works for one company may be completely impractical and unworkable for another.

The key is to have a process that works within your business to help mitigate the risks you can identify and, when the unknown happens (and it will, as sure as death and taxes) you have a structure in place to help deal with new risks, and possibly even turn them to your advantage.

Enterprise risk management is a wider concept intended to provide businesses with a more holistic approach – avoiding risk assessments being concentrated solely within certain business teams and providing a high-level view of key risks and how they could impact the whole business.

Where do I start?

A good enterprise risk management system will require at least:

• Buy-in from the top – the board of directors should have this topic on their agenda at each board meeting (as a side note see this great Lawskool article on making board meetings useful)
• A dedicated person to drive it forward – this can be difficult especially in SMEs that may not be able to dedicate resources such as a Chief Risk Officer solely to the job! However if one senior person can take the lead, the process of identifying, assessing and mitigating risks can be shared out across the workforce.
• A clear approach before you start – what that approach looks like will vary from business to business. In essence you need a clear idea of how you wish to define, identify, categorise, and assess risk and what the risk appetite of the business is, in relation to the business’s overall strategic goals and objectives. This is usually set out in a risk management policy.
• Responsibility and accountability – as well as setting out the approach, the risk management policy will also typically set out the different roles and responsibilities linked to the process. For example, how and when the board of directors will become involved, who will be responsible for managing any central enterprise risk register, who will “own” key risks and take action to mitigate or avoid them.
• Tools to use to do the job – You may already have some risk management tools in use within in your business which you can adapt to apply across all business teams. Alternatively you could start with a new approach that all teams can buy into.  Often companies use risk matrices to score and assess risks, using H/M/L, red/amber/green or similar – visual representation is also frequently used and helps summarise and get across the bigger picture quickly.

There are frameworks out there, such as laid out by the COSO (Committee of Sponsoring Organizations of the Treadway Commission) and the ISO (International Organization for Standardization) to help provide structure for businesses. In addition, there is a growing pool of ERM software providers who can take that Excel sheet and turn it into something which really adds value to your business, rather than just ticking a box that you have considered risk management.

Bottom up or top down?

Ideally – both! One of the themes of enterprise risk management is to ensure that any bottom-up review of risks carried out by each business team does not just lead to a siloed output which does not consider the impact of internal and external risks across the business.

Before jumping ahead to huge risks that may be bubbling on the horizon ready to ruin your best laid plans (think of the impact arising from the Covid pandemic, Brexit and global inflation), it can be best to start small – your eyes and ears for the purposes of risk management are often those of your own employees. They know your business inside out, and although enterprise risk management also calls for a top-down viewpoint, the bottom-up approach can help float as many risks as possible in the business – you can then review and distil these into key risks. This approach can also help grow the mindset within your workforce of considering risks within and outside of the business.

As well as your people, it is likely your business has (and continues to collect every day) a wealth of data that can be used in assessing past performance when significant risks have emerged, as well as to help with trend spotting for future issues. Consider if there are ways that you can audit and manage such data to your benefit for risk management purposes (if it contains personal data there are of course restrictions as to the extent of any processing and for what purpose).

Assessing external risks that could impact your business can be difficult, but it needn’t be impossible. Again your employees will have insight into market trends and potential risks on the horizon, as will your trusted external advisers who are often a good port of call for assessing upcoming impacts (such as your legal and compliance advisers, accountants, HR advisers, IT consultants etc).

Once the bottom-up review has identified and distilled risks within the business, and a review of potential external risks has been made, the role of senior management and the board of directors is to join the dots so that the impact of the key risks across the business can be considered. An enterprise risk register containing the key risks can be used to help the board of directors monitor and mitigate these risks, and the register will constantly evolve as key risks change in priority and impact. This can all feed back into the process of strategic business planning and may adjust both the risk appetite of the business and the overarching goals and objectives that the business has set itself.

Conclusion

Most businesses are likely to have in place some form of risk management process. To make existing processes effective and to bring a more integrated approach across the business can require an investment of time and resource, but the end results can help to make everyone sleep more easily at night and feel they can handle anything (well, within reason…).