The International Organization for Standardization (ISO) recently released a new risk management standard: ISO 31000. It prompted me to think about what really matters — what makes an organization effective in managing risk.
The only way risk management has value is if it affects the way you do business. It must influence decisions and actions; otherwise, it is no more than decoration. Risk management should not be a "check-the-box" activity. Used well, it can help an organization achieve and sustain optimal long-term performance.
To be effective in managing risks, an organization needs not only to understand and assess its risks, but also to have a culture that embraces the active consideration of risk in:
Establishing the (short and long-term) strategy, organizational goals, and objectives.
Developing, executing, and monitoring its execution of strategy and achievement of goals and objectives.
I have seen too many organizations focus on identifying and assessing risks every quarter, maybe even talking in terms of a high-level risk response (e.g., accept the risk or hedge it using currency swaps) at the expense of actually managing the risks day-to-day.
Let’s take a mundane example: my commute to work. One approach is to perform a quarterly assessment of the risks: a) that I will be in an accident, or b) be delayed and miss important meetings. Since I am assigned to SAP’s Palo Alto, Calif., office, which is about 18 miles and 25-30 minutes away (by freeway), to a certain extent I must accept the risk. I believe the risk of accidents to be low, and my response is to train myself to drive carefully. The risk of traffic delays is higher, especially if I leave during the morning rush hour, so my response is to schedule meetings for later in the day.
I assess these [residual] risks, compare them to my risk tolerance, and am satisfied. But should I be?
The other approach is to embed risk in my daily decisions. Each day, I review the next day’s schedule and plan ahead. If I have an early morning meeting, I will decide to leave home very early to avoid most of the traffic. (I will also check to confirm that I have to be in the office, in case I can reduce my risks by calling in). I also check the weather forecast and take that into consideration. When I wake up, I again check the weather to see if I need to leave earlier (for example, if there is rain I should expect driving times to be longer). As I am driving, I am making more risk decisions. If the freeway is clogged up with traffic, I may elect to take side streets — taking into account the risk they are also slow due to increased traffic. I am certainly making a number of accident risk decisions as I drive. For example, I will stay further behind the car in front of me when it is raining.
It’s not enough for me to understand risks in my daily decisions; I need to actively manage them. Do you and your management team embed risk into your daily activities and decisions — and manage those risks constantly? Do you:
Consider risks in setting strategy — and assign responsibilities and tasks for minimizing the likelihood and adverse effects of those risks?
Include risk mitigation activities in project plans, etc.?
Consider the risks to achieving your objectives every time you make a hiring or purchasing decision — and identify what you can do to manage the risks?
Continue to manage risks by taking actions every day?
Are you monitoring risks, so that you are not surprised? Or do you wait until the official risk assessment time?
Is your risk management program a quarterly exercise or a way of life in the business?