Hazards are everywhere. Hazards to our health and wellbeing, hazards to our finances, hazards to our hopes and dreams, and that is just at the individual level. The organisations we work for all face their own hazards of a financial, strategic, reputational, operational, environmental, regulatory and legal nature.
The purpose of risk management is to provide a framework to assess the risk these hazards pose to things that we value and then to attempt to manage these risks. Risk management matters because it protects things that are important to us and the organisations we work for.
The Benefits Of A Fully Integrated Risk Management Strategy
Whether we know it or not we practice risk management all the time. If you have ever taken a step back from the edge of the platform at a train station you have practiced risk management, unconsciously going through the five stages of the risk management process in a split second.
Organisations, and the people who work in them, behave in a similar fashion. All organisations practice risk management to one degree or another but few (see below) integrate risk management into all their management processes. This makes it unlikely that the benefits of a fully integrated risk management strategy will be realised.
So, what are the benefits of a fully integrated risk management strategy?
Firstly, the risks facing the organisation will be identified, assessed, prioritised, mitigated and monitored. This will result in a more robust and resilient organisation.
Secondly, the resources and capabilities of the organisation will be more efficiently and effectively managed. Less time will be spent reacting to events and more time will be spent exploiting opportunities as they arise.
Finally, the process and implementation of risk management practices aligns everyone with the goals and interests of the organisation.
If Risk Management Matters Why Does My Organisation Not Practice It?
What are the three top risks your organisation is managing right now? In your own area, what is the top risk you regularly review with your immediate line manager? What risk control are you solely or jointly accountable for? If you can’t answer any of these questions then it is very likely that your organisation does not fully implement risk management best practice.
According to PWC’s Risk In Review survey from 2015, 31% of respondents reported that their organisation did not have a fully integrated risk management strategy. This is despite 73% of respondents reporting that the risks to their company were increasing!
This means that all the major hazards facing these organisations have not been adequately assessed for the probability, impact and proximity of their occurrence. Consequently the risks arising from these hazards will not be effectively managed and that leaves the things that the organisation values very vulnerable.
This isn’t a great way to run an organisation but in my experience in the military, government and commercial spheres it is normal. In every organisation I have worked in there has been a risk management process, usually involving the hasty review and revision of a risk register immediately prior to a project review or management meeting, but only in a select few was I conscious of being part of a fully integrated risk management strategy.
Two of these organisations, Headquarters 3 Commando Brigade Royal Marines and the London Organising Committee of the Olympic Games, managed risk in an exemplary and effective manner. Perhaps this was because of the tasks these organisations were engaged in at the time, but whatever the reason, at all times I could have answered each of the three questions posed at the start of this section.
There are many reasons why organisations do not practice effective risk management, but given the benefits of doing so there are no good ones. SSI RM’s Risk Management Basics Everyone Should Know is designed to help you be part of your organisation’s risk management process. The course that follows it, Building a Risk Management Capability, is designed to make that risk management process an effective one.
Harry Thomsett is a consultant at the security and risk management company SSI RM (http://ssi-ltd.com/). SSI RM provides security and risk management services to organisations operating in high threat areas around the world.