Brought to you by Waterstons

Risk Management

By Helen McMillan

How to identify where the risks in your business are right now and use them to make your business safer and more resilient in unprecedented times.

Helen McMillan

Executive Business Consultant
Part 1: Exploring Risk

Risk Management Lifecycle

The Risk Management lifecycle is not static. It’s really important to recognise that just identifying risks and expecting them to manage themselves is not enough. We need to focus on all the key parts of the lifecycle, and we will look at how to properly identify what risks are – and how to understand what are not risks.

Share your Risks

Think of an example of a risk that you are aware of right now.

Think particularly about the risks you think you face as a business in the current operating environment and how the unprecedented events we are experiencing have impacted how you work.

This doesn’t need to be a business risk. It can also be something that has impacted you at a personal level.

We will revisit this throughout the course.

This can be:

  • A risk at the enterprise level, for example, something that would impact our strategic direction, or stop us doing business;
  • A risk at a client level, for example, something that would cause a client’s business concern;
  • A risk at a project level, for example, something that you have experienced in work you have been involved in; or
  • A risk at an individual level, for example, something that has impacted you personally

What exactly is a Risk?

Risk is defined as:

"...looking at potential perils, factors and types of risk to which your assets, operations, projects, interests and clients are exposed"

In order for it to be defined as a 'risk', there are 3 factors involved:

  1. Is there a cause and an impact? There must be a cause of the risk and there must be an impact to us (or our customers) of the risk happening. If there isn’t, chances are that it’s not a proper risk. A risk can also have one or multiple causes and impacts.

  2. Risks are things we cannot be certain about: things that could happen, but we're not sure that they will. All risks are uncertain, but not all uncertainties are risks to our business or to us.

  3. If there is a cause and an impact, and it’s uncertain, the third thing that defines whether it is a risk is whether it matters. If it matters to us, for example because it could have a negative impact on a project being delivered, then it becomes a risk.

It is really important to remember these 3 factors:

  • Is there a Cause and an Impact?
  • Is it Uncertain?
  • Does it Matter?

Look back at the risk example you just detailed. Can you answer yes to the questions above? Do you still think it is a risk?

Risk Management enables...?

One of the great things about good risk management is that it strengthens our business and enables us to grow in the right way. Risk makes us think about our strategy in different ways, and ensures that we properly assess the decisions we make. It doesn’t stop us from doing the things we want – it just makes sure that we have assessed them and have reduced the risk of something going wrong.

Risk is good for our business and is a positive framework to protect our people and our business. There are a number of other benefits of getting risk right.

  • It facilitates a proactive risk culture through investment in the risk management skills of our people
  • It clearly defines our risk appetite in alignment with targets and strategy
  • It ensures a consistent approach to how we look at risk management across the business
  • It develops appropriate strategies and effective operating controls
  • It establishes clear roles and responsibilities for risk management internally
  • It provides reliable and meaningful risk information to decision makers
  • It helps us to identify, analyse and understand each of our material risks
  • It applies balance to historical risk performance through metrics and lessons learned

"...across the totality of systems, structures, policies, processes and people that identify, measure, evaluate, control or mitigate, monitor, and report all internal and external sources of material risk."

What risk types might we face?

Think of the types of risk that we could face as a business and what each of these key categories means. It is important to note that these are not the only risk types in our business, but these are the likely principal risks we may come across every day.

Failing to understand / comply with relevant laws, regulations, and industry codes of conduct and not responding appropriately to changes in the regulatory environment

Examples of regulatory and compliance risk would be Breach Reporting, Data Protection (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), or Conflicts of Interest (a situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity).

The risk of products or services being used to facilitate financial crime within the business, against clients, or against third parties (relating to Money Laundering, Terrorism, Corruption, Internal Fraud, Data Theft, or Bribery)

The risk of loss resulting from failed internal processes and systems, and from external events. Impacts arise from day-to-day activities and result in direct or indirect losses

Examples of operational risk would be errors in Data Input, Data Loss, Failure of Controls in key processes, loss of System Availability, or cyber-related crime

The risk of not having sufficiently skilled and motivated colleagues who are clear on responsibilities and who behave ethically, leading to inappropriate decision making that is detrimental to clients, colleagues and shareholders.

Examples of People Risk would be failing to secure Talent, lack of Succession Planning, Health, Safety and Well being, and Underperformance

The risk of significant loss, loss of earnings and/or damage arising from business decisions that impact the long-term interests of the stakeholders, or from an inability to adapt to external developments

Examples would be Reputational Damage and Financial Detriment

The risk of undertaking business in a way which is contrary to the interests of our clients, resulting in inappropriate client outcomes, detriment, redress costs and/or reputational damage.

Examples would be inability to process Client remediation, lack of Post Sales Admin and support, and unfair terms in Product Design and Pricing

Risk Management Lifecycle (IAMM)

The risk management lifecycle is an ongoing cycle of activity. Risks are not static, they change!

Risk helps us to deliver our strategic objectives in a safe environment. It’s important that we understand our objectives and think about risk in line with those objectives. This will help us to identify the risks that might stop our objectives being achieved and our strategy from being delivered.

An easy way to remember the steps in the Risk Management Lifecycle is to use the acronym, IAMM: Identify, Assess, Mitigate and Monitor.

  • Identify Risks
    Risk Profiling helps identify changes to internal and external risk environments at an enterprise and client level, and supports the identification of emerging risks. This is the first step when embarking on a change programme of activity, but risks should be identified throughout a project lifecycle.

  • Assess the Risk
    Once risks have been identified, they are evaluated in terms of their likelihood and the impact or consequence. This prioritises the risks that we really need to focus on (and those that need to be highlighted within the risk register).

  • Mitigate Risks
    The materiality assessment of the risk helps to determine the strength of the controls required to bring the risk to within the business’ appetite threshold and inform key control areas that require greater oversight / assurance to ensure that they operate effectively.

    Once risks have controls in place, it is likely there will be actions required to ensure the likelihood and impact of the risk is minimised. It’s important that these actions have named owners in the business and dates to ensure they progress.

  • Monitor Risks
    Risks should be managed on an ongoing basis to reflect changes in the business and control environments. This should include monitoring of key indicators that provide immediate management information on the performance of the risk and controls. This should be done throughout the project lifecycle.
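To make the IAMM steps concrete, here is a small risk register in Python. It is an added example written for this page, not course material from Waterstons: it applies the three-factor test (cause and impact, uncertain, matters), scores each risk by likelihood × impact, flags risks whose score is above an appetite threshold, and checks for mitigation actions that are past their due date. The 1-5 scales, the appetite value of 9, the inherent/residual split, and the sample risks are all constructed assumptions for illustration.

```python
# Added example (not part of the Waterstons course): a minimal risk register
# that walks through Identify, Assess, Mitigate and Monitor.
# The scales, threshold and sample risks below are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed ordinal 1-5 scales for likelihood and impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def qualifies_as_risk(cause: str, impact: str, uncertain: bool, matters: bool) -> bool:
    """Identify: the three-factor test from the course. All three must hold."""
    return bool(cause.strip()) and bool(impact.strip()) and uncertain and matters


@dataclass
class Action:
    description: str
    owner: str          # a named owner in the business
    due: date           # a date so the action is driven to completion
    done: bool = False


@dataclass
class Risk:
    title: str
    cause: str
    impact_desc: str
    likelihood: str     # key of LIKELIHOOD, before controls (inherent)
    impact: str         # key of IMPACT, before controls (inherent)
    residual: Optional[Tuple[str, str]] = None  # (likelihood, impact) once controls exist
    actions: List[Action] = field(default_factory=list)

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def current_score(self) -> int:
        """Assess: use the residual score if controls are in place, else the inherent one."""
        if self.residual is None:
            return self.inherent_score()
        lik, imp = self.residual
        return LIKELIHOOD[lik] * IMPACT[imp]


def prioritise(register: List[Risk], appetite: int) -> List[Risk]:
    """Assess/Mitigate: risks whose current score exceeds appetite, highest first."""
    above = [r for r in register if r.current_score() > appetite]
    return sorted(above, key=lambda r: (-r.current_score(), r.title))


def overdue_actions(register: List[Risk], today: str) -> List[Tuple[str, Action]]:
    """Monitor: open mitigation actions past their due date (today given as ISO date)."""
    as_of = date.fromisoformat(today)
    return [(r.title, a) for r in register for a in r.actions
            if not a.done and a.due < as_of]


# Constructed sample register covering three of the course's risk types.
SAMPLE_REGISTER = [
    Risk("Loss of system availability", cause="Untested failover for core platform",
         impact_desc="Client work stops until service is restored",
         likelihood="possible", impact="major",
         actions=[Action("Run failover test and fix gaps", "Ops lead", date(2024, 3, 1))]),
    Risk("Key person leaves with no successor", cause="One engineer holds critical knowledge",
         impact_desc="Delivery delays and client detriment",
         likelihood="likely", impact="major",
         actions=[Action("Document and cross-train", "Head of Delivery", date(2024, 6, 30))]),
    Risk("Data input errors in client reports", cause="Manual re-keying of figures",
         impact_desc="Rework and reputational damage",
         likelihood="likely", impact="minor",
         residual=("unlikely", "minor"),   # after a four-eyes check control was introduced
         actions=[Action("Introduce four-eyes check", "Reporting manager", date(2024, 1, 15), done=True)]),
]

APPETITE = 9   # assumed threshold: anything scoring above 9 is outside appetite

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER, APPETITE):
        print(f"OUTSIDE APPETITE ({r.current_score():2d}): {r.title}")
    for title, a in overdue_actions(SAMPLE_REGISTER, "2024-04-15"):
        print(f"OVERDUE: {title} -> {a.description} (owner: {a.owner}, due {a.due})")
```

Running the block lists the two risks outside appetite (succession at 16, availability at 12) and the one overdue action on the availability risk; the data-input risk drops from 8 to 4 once its control is recorded, which is the "bring the risk within appetite" effect the Mitigate step describes.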

Know your Customer Risk Objectives

What are the top 3 client risks you are aware of right now?

Knowing what is critical to your customers is paramount. Here are some key things to think about that enable you to better understand the risks they are facing. Applying this kind of thinking will enable your projects and operational delivery to be more robust.

Customer Risk Objectives

We should always be thinking about our customers when it comes to risk, and applying our knowledge of things we have seen already, specifically in the sector and wider industry.

When thinking about risks for your projects or operational activities, we first of all need to make sure we have thought about the following:

  1. What risks are we already aware of – what insight is available to us internally from past projects, previous work with the client, and what sector knowledge do we have that can be applied, in terms of lessons we have learned, and challenges we have seen?
  2. What risks can we see right now and in the future? Risk is not just about a static picture – what risks are emerging within the industry? Think about things across the key areas of people, process, internal and external perspectives.
  3. What is it that the client is trying to do? Do we know what matters to them? Do we understand their existing challenges and areas of concern?
  4. What are our actual project objectives? Do we understand what could stop us from achieving them and what we could do to drive it forward?

Revisit the top customer risks you identified – is there anything you would now change?