Hazards, and the risks that arise from them, are around us all the time. There are so many risks that if we stopped and thought about it we could be overwhelmed. It is simply not possible to manage all the risks facing an organisation but neither is it desirable or necessary to do so.
A key task of the risk management process is to identify which risks need to be managed and which do not. This ensures that management attention and the organisation’s resources are not wasted. So, how do you decide which risks to manage?
Context Is Everything
The first step is to understand the organisation’s current situation and the objectives it is pursuing. It is a key task of senior management to clearly and continuously communicate to employees the objectives the organisation is seeking to achieve, how it is going to achieve them, and what resources and capabilities are being employed to do so.
Senior management should also regularly summarise the broader context in which the organisation is operating, highlighting any hazards it perceives on the horizon. Such a summary may cover political, regulatory, economic, environmental, etc, issues that may affect the organisation over a specified timeframe. It should cover the competitive situation of the organisation, too.
With the context established the risk management process can be put to work to identify hazards and manage the risks that arise from it. For example, new data protection laws being introduced may affect how the organisation conducts its marketing activities. Financial, regulatory and operational risks all arise from this hazard and they should be a subject of the risk management process.
No Process is An Island
Risk management should not happen in isolation but be fully integrated into the organisation’s wider processes to ensure that it operates within a broader organisational context. This will enable the risk management process to both influence, and be influenced by, these processes. Examples of such processes include the planning process, the budgeting process and the capability development process.
These processes will identify hazards that could cause the organisation harm and it is the purpose of the risk management process to understand the risks that arise from these hazards and to develop and implement plans to manage them. Thus the budgeting process may identify the hazard of a shortfall in working capital in the next financial year and this should be fed into the risk management process.
Similarly the risk management process will generate outputs that will influence other organisational processes and activity. The plans developed and implemented to manage a projected shortfall in working capital will be the primary output of the risk management process. These plans may require action to be taken in many other parts of the organisation than just the finance department.
This points to a key feature of an integrated risk management process – it sits above and astride other organisational processes. The risks arising from a projected shortfall in working capital will affect all parts of the organisation and consequently the budgeting process is not the appropriate process to manage these risks. The budgeting process should identify the hazard but it is the risk management process that should develop and coordinate the organisation’s response.
Another task for senior management is to specify the amount of risk that an organisation is prepared to tolerate. Some risks are so improbable and/or so inconsequential that the cost in management time and organisational resources is not justified by the harm that will arise from a hazard occurring. Given this reality senior management may state that all risks of a given level or lower will be tolerated, i.e. not subject to any further risk management activity beyond ongoing monitoring.
It is neither necessary or desirable to manage all the risks that challenge an organisation. Only those risks that are contextually relevant, arise from another organisational process, and/or exceed a stated risk tolerance should be subject to formal risk management. Anything additional to this at the management’s discretion.
Harry Thomsett is a consultant at the security and risk management consultancy SSI RM (http://ssi-ltd.com/). SSI RM provides security and risk management services to organisations operating in high threat areas around the world.