How to identify where the risks in your business are right now and use them to make your business safer and more resilient in unprecedented times.
The Risk Management lifecycle is not static. It’s really important to recognise that just identifying risks and expecting them to manage themselves is not enough. We need to focus on all the key parts of the lifecycle, and we will look at how to properly identify what risks are – and how to understand what are not risks.
Think of an example of a risk that you are aware of right now.
Think particularly about the risks you think you face as a business in the current operating environment and how the unprecedented events we are experiencing have impacted how you work.
This doesn’t need to be a business risk. It can also be something that has impacted you at a personal level.
We will revisit this throughout the course.
This can be:
Risk is defined as:
"...looking at potential perils, factors and types of risk to which your assets, operations, projects, interests and clients are exposed"
In order for it to be defined as a 'risk', there are 3 factors involved:
Is there a cause and an impact? There must be a cause of the risk and there must be an impact to us (or our customers) of the risk happening. If there isn’t, chances are that it’s not a proper risk. A risk can also have one or multiple causes and impacts.
Risks are things we cannot be certain about: things that could happen, but we're not sure that they will. All risks are uncertain, but not all uncertainties are risks to our business or to us.
If there is a cause and an impact, and it’s uncertain, the third thing that defines whether it is a risk is whether it matters. If it matters to us, for example because it could have a negative impact on a project being delivered, then it becomes a risk.
It is really important to remember these 3 factors:
Look back at the risk example you just detailed. Can you answer yes to the questions above? Do you still think it is a risk?
One of the great things about good risk management is that it strengthens our business and enables us to grow in the right way. Risk makes us think about our strategy in different ways, and ensures that we properly assess the decisions we make. It doesn’t stop us from doing the things we want – it just makes sure that we have assessed them and have reduced the risk of something going wrong.
Risk is good for our business and is a positive framework to protect our people and our business. There are a number of other benefits of getting risk right.
It facilitates a proactive risk culture through investment in risk management skills of our people
It clearly defines our risk appetite in alignment with targets and strategy
It ensures a common, consistent approach to how we look at risk management across the business
It develops appropriate strategies and effective operating controls
It establishes clear roles and responsibilities for risk management internally
It provides reliable and meaningful risk information to decision makers
It helps us to identify, analyse and understand each of our material risks
It applies balance to historical risk performance through metrics and lessons learned
"...across the totality of systems, structures, policies, processes and people that identify, measure, evaluate, control or mitigate, monitor, and report all internal and external sources of material risk."
Think of the types of risk that we could face as a business and what each of these key categories means. It is important to note that these are not the only risk types in our business, but these are the likely principal risks we may come across every day.
Failing to understand / comply with relevant laws, regulations, and industry codes of conduct and not responding appropriately to changes in the regulatory environment
Examples of regulatory and compliance risk would be Breach Reporting or Data Protection (breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), or Conflicts of Interest (a situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity).
The risk of products or services being used to facilitate financial crime within the business, against clients, or third parties (relating to Money Laundering, Terrorism, Corruption, Internal Fraud, Data Theft, or Bribery)
The risk of loss resulting from failed internal processes and systems and external events. Impacts arise from day-to-day activities and result in direct or indirect losses.
Examples of operational risk would be errors in Data Input, Data Loss, Failure of Controls in key processes, loss of System Availability, or Cyber related crime
The risk of not having sufficiently skilled and motivated colleagues who are clear on responsibilities and who behave ethically, leading to inappropriate decision making that is detrimental to clients, colleagues and shareholders.
Examples of People Risk would be failing to secure Talent, lack of Succession Planning, Health, Safety and Wellbeing, and Underperformance
The risk of significant loss, loss of earnings and/or damage arising from business decisions that impact the long term interests of the stakeholders or from an inability to adapt to external developments
Examples would be Reputational Damage and Financial Detriment
The risk of undertaking business in a way which is contrary to the interests of our clients, resulting in inappropriate client outcomes, detriment, redress costs and/or reputational damage.
Examples would be inability to process Client remediation, lack of Post Sales Admin and support, and unfair terms in Product Design and Pricing
Risk helps us to deliver our strategic objectives in a safe environment. It’s important that we understand our objectives and think about risk in line with those objectives. This will help us to identify the risks that might stop our objectives being achieved and our strategy from being delivered.
An easy way to remember the steps in the Risk Management Lifecycle is to use the acronym, IAMM: Identify, Assess, Mitigate and Monitor.
Risk Profiling helps identify changes to internal and external risk environments at an enterprise and client level, and supports the identification of emerging risks. This is the first step when embarking on a change programme of activity, but risks should be identified throughout a project lifecycle.
Assess the Risk
Once risks have been identified, they are evaluated in terms of their likelihood and the impact or consequence. This prioritises the risks that we really need to focus on (and those that need to be highlighted within the risk register).
The materiality assessment of the risk helps to determine the strength of the controls required to bring the risk to within the business’ appetite threshold and inform key control areas that require greater oversight / assurance to ensure that they operate effectively.
Once risks have controls in place, it is likely there will be actions required to ensure the likelihood and impact of the risk are minimised. It’s important that these actions have named owners in the business and dates to ensure they progress.
Risks should be managed on an ongoing basis to reflect changes in the business and control environments. This should include monitoring of key indicators that provide immediate management information on the performance of the risk and controls. This should be done throughout the project lifecycle.
What are the top 3 client risks you are aware of right now?
Knowing what is critical to your customers is paramount. Here are some key things to think about that enable you to better understand the risks they are facing. Applying this kind of thinking will enable your projects and operational delivery to be more robust.
We should always be thinking about our customers when it comes to risk, and applying our knowledge of things we have seen already, specifically in the sector and wider industry.
When thinking about risks for your projects or operational activities, we first of all need to make sure we have thought about the following:
Re-visit the top customer risks you identified – is there anything you would now change?