At Imergo, we often find that the language of risk can be off-putting. The following A to Z may help those new to risk management to understand the field better.
- Appetite: the amount and type of risk that the board of an organisation is prepared to take in pursuit of its objectives. It is a fundamental principle of risk leadership and management and, when set well, provides the basis on which the managers of an enterprise can take risk with confidence.
- Board (role): the board’s role is crucial in the organisation’s response to risk. They are ultimately responsible for risk management – setting appetite and strategy, agreeing policy, monitoring progress and being aware of emerging risks that impact upon their organisation.
- Culture: the culture of an organisation is instrumental in the successful management of risk: well-designed approaches can often struggle to gain traction or support if the attitudes and behaviours prevalent in an entity are not supportive.
- Decision-making: risk management is all about decision-making, principally in a context of uncertainty. Quantitative approaches include value at risk and likelihood-and-consequence scoring; other factors include the style and process of decision-making.
- Engaging audiences: risk management is often designed and delivered from a technical perspective. This can weaken ownership and accountability among the people it is aimed at; successful approaches consider fully the needs and preferences of those groups.
- Frameworks: common, shared models of how risk management works. Most approaches draw on recognised professional standards; the better frameworks also allow for the particular design and operating characteristics of the organisation rather than imposing a generic template.
- Governance is the principle that provides the means to direct how risk is set and managed in an organisation. It includes areas such as risk appetite and most crucial of all, sets the tone and culture in terms of what are considered good or bad risks to take.
- History of data: Good risk management uses archiving, disposal and retrieval of ‘old’ risk data. Data that relates to past activities is valuable as it can be examined for patterns and trends that may inform the work of the organisation’s decision-makers.
- Interfaces: are important points, gateways and thresholds that allow risk information and data to pass to different parts of, or people in, an organisation – it’s key to consider how (and how well) they work when implementing risk management.
- Joint working: Risk may be seen as a technical area dominated by experts but everyone manages and makes decisions about risk. Organisations that break down boundaries and share information widely often have a deeper, better and more comprehensive view of risk.
- Key risk indicators: metrics that track exposure to a given risk and give early warning when it is rising; they are distinct from key performance indicators, which measure how well an activity is performing. Effective indicators align with organisational strategy and are measured over time, so that changes and patterns can be identified and acted upon before a risk is realised.
- Learning logs: a way to capture learning episodes to help educate and improve. Well-designed logs ensure that positive and negative events are recorded. Effective leadership of this area ensures that the content of the logs is reported, considered and acted upon.
- Management Information Systems: Good risk information systems comprise data that describes risks and their likely impact and consequences. More sophisticated solutions cover data about actions and responses and show trends and patterns over time.
- Non-executive Directors: These are ‘outside’ board directors who bring specific skills and experience to the enterprise that may not necessarily exist within the business. They are expected to be independent; they have no reporting lines to the CEO.
- Opportunities & threats: risk has ‘downsides’ (threats) and ‘upsides’ (opportunities). There can be an (over) emphasis on reporting threats; better approaches take a more comprehensive view that provides a balance between positive and negative outcomes.
- Philosophy: a principle that stems mainly from an organisation’s strategy but also its purpose and culture. Risk philosophy considers what types of risk(s) an organisation should be taking given the nature of its business, clients and stakeholders.
- Quality & quantity: Qualitative risk analysis involves subjective judgement to grade a risk event often based on individuals’ perception and personal experiences. Quantitative analysis normally uses data to measure the effect of a risk often in terms of time and cost.
- Risk response: a common method is the 4Ts: terminate (stop the activity that puts the business at risk); transfer (move or share the risk, for example through insurance or contract); tolerate (accept the risk, while continuing to monitor it); or treat (act to reduce its likelihood or impact so that it becomes manageable and acceptable). Transfer rarely moves all of a risk: the reputational impact, for instance, usually stays with the organisation.
- Strategic risks: those impacting upon the enterprise’s mission and objectives. At their most acute, they can be existential to the organisation in terms of its success and sustainability. Strategic risk is usually the responsibility of the board and senior team.
- Tolerance: a limit on how much risk an entity is prepared to accept. Whilst appetite broadly considers what is acceptable, tolerance is a narrower, specific limit that defines how much of each individual, relevant risk an organisation is willing to take.
- Using specialists: Many organisations employ experts or people with proven expertise in their own professional fields. Engaging and sharing with these individuals and groups can often benefit risk professionals in doing their work more effectively.
- Velocity: This is the speed or rate at which a ‘realised’ risk affects an organisation. In addition to measuring impact and likelihood, more sophisticated methods use velocity to inform not just how to respond but how fast the response should be.
- Worst-case scenario: a technique that considers the most severe possible outcome that can reasonably be projected to occur. It provides a basis for developing contingencies, options and responses for serious, adverse events and to ensure organisational preparedness.
- X & Y axis (heatmaps): a depiction of risk using two values, impact and likelihood, plotted on the two axes of a ‘heatmap’. The method makes risk information visible and accessible and shows the relative scores of a range of risks. Note that both scales are usually ordinal (for example 1 to 5), so a score produced by multiplying them is a ranking aid rather than a measurement, and the map on its own says nothing about velocity or about how each score was arrived at.
- Zero-based thinking: a planning activity which starts from scratch (i.e. ‘zero’), building up processes and resources for the desired outcomes. This is an alternative to incremental thinking and a reliance (or over reliance) on historical data or methods.
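The following is an added worked example, not part of the Imergo glossary; it ties together the heatmap (X & Y axis), tolerance, velocity, quality & quantity and risk response entries above by scoring a small risk register. The 1 to 5 scales, the colour thresholds, the velocity bands, the 4T rule of thumb, the tolerance values and the register itself are all constructed assumptions for illustration, not any organisation's real data or method.

```python
"""Added example: score a constructed risk register the way the glossary describes.
Each risk gets a heatmap cell (likelihood x impact), a check against its own
tolerance limit, a response urgency driven by velocity, and a default 4T response.
Scales, thresholds and the register are assumptions made for this illustration."""

from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int     # ordinal 1-5 (rare ... almost certain), assumed scale
    impact: int         # ordinal 1-5 (negligible ... severe), assumed scale
    velocity_days: int  # days from the risk being triggered to its full impact being felt
    tolerance: int      # maximum acceptable score (likelihood * impact) for THIS risk


def score(r: Risk) -> int:
    """Heatmap cell score: the conventional likelihood x impact product.
    Both inputs are ordinal, so the product is a ranking aid, not a measurement."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.name}: likelihood and impact must be on the 1-5 scale")
    return r.likelihood * r.impact


def heatmap_band(s: int) -> str:
    """Colour band for a 5x5 heatmap (assumed thresholds: 15+ red, 8+ amber)."""
    if s >= 15:
        return "red"
    if s >= 8:
        return "amber"
    return "green"


def within_tolerance(r: Risk) -> bool:
    """Tolerance is per risk, narrower than the organisation-wide appetite."""
    return score(r) <= r.tolerance


def response_urgency(r: Risk) -> str:
    """Velocity turns 'how to respond' into 'how fast': a fast-moving risk
    outside tolerance needs action now, a slow one can be planned (assumed bands)."""
    if within_tolerance(r):
        return "monitor"
    if r.velocity_days <= 7:
        return "immediate"
    if r.velocity_days <= 90:
        return "planned"
    return "strategic"


def suggest_4t(r: Risk) -> str:
    """Default 4T response (assumed rule of thumb): within tolerance -> tolerate;
    likely and severe -> terminate the activity; severe but unlikely -> transfer
    (e.g. insurance); anything else -> treat to reduce likelihood or impact."""
    if within_tolerance(r):
        return "tolerate"
    if r.likelihood >= 4 and r.impact >= 4:
        return "terminate"
    if r.impact >= 4 and r.likelihood <= 2:
        return "transfer"
    return "treat"


def assess(register):
    """Return one row per risk, highest heatmap score first."""
    rows = []
    for r in register:
        s = score(r)
        rows.append({"name": r.name, "score": s, "band": heatmap_band(s),
                     "within_tolerance": within_tolerance(r),
                     "urgency": response_urgency(r), "response": suggest_4t(r)})
    return sorted(rows, key=lambda row: (-row["score"], row["name"]))


def render_heatmap(register):
    """Text 5x5 heatmap: impact on the Y axis (top row = 5), likelihood on the X axis."""
    grid = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for r in register:
        grid[(r.likelihood, r.impact)].append(r.name)
    lines = []
    for i in range(5, 0, -1):
        cells = [",".join(n[:8] for n in grid[(l, i)]).ljust(18) for l in range(1, 6)]
        lines.append(f"impact {i} | " + " ".join(cells))
    lines.append("           " + " ".join(f"likelihood {l}".ljust(18) for l in range(1, 6)))
    return "\n".join(lines)


# Constructed sample register for the example; not real data.
SAMPLE_REGISTER = [
    Risk("ransomware", likelihood=3, impact=5, velocity_days=1, tolerance=10),
    Risk("unpatched legacy system", likelihood=4, impact=5, velocity_days=7, tolerance=10),
    Risk("key supplier failure", likelihood=2, impact=4, velocity_days=30, tolerance=6),
    Risk("regulatory change", likelihood=3, impact=3, velocity_days=365, tolerance=6),
    Risk("office flooding", likelihood=1, impact=3, velocity_days=2, tolerance=6),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
    print(render_heatmap(SAMPLE_REGISTER))
```

Running it shows why velocity and tolerance belong beside the heatmap: "key supplier failure" and "regulatory change" sit in similar amber cells, yet one calls for a planned transfer within weeks and the other for a strategic treatment over a year, a distinction the two-axis map alone cannot show.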