All businesses have risks. Ideally, a business would mitigate all the risks, but this simply isn’t practical – you have to prioritise. At a high level risk management is intended to:
* Identify the risks,
* Prioritise the risks
* Propose solutions to the risks (and get them accepted),
* Get the business to Implement the solutions,
* Review the residual risk,
* Repeat
In simple terms, most businesses don’t have the resources (including time, money and staff) to manage all the risks, so the question becomes how to best manage these business risks?
While it is difficult to succeed at risk management, it is really quite easy to get it wrong. To try and help you manage your risks these are the three things that we think are most likely to tank risk management in your business.
1. Lack of support
In general risk management is a grudge purchase. Until the risk actually arrives no-one wants to spend money on risk management. Once the risk becomes reality, everyone will want to know why you didn’t avoid it. What you end up with is the famous ‘CYA’ approach (‘cover your arse’), and it goes a little something like this: you identify a risk and you escalate it – they ignore it – and you are safe in the knowledge that you won’t get fired if the risk becomes a reality because at least you reported it.
The challenge here is not just to identify the risk, but also find a way to communicate why mitigation is important. Unfortunately, it often happens that the same message from a different person will succeed (go figure…). In a recent conversation with Rianné Potgieter of the EXP Consulting Group and our client, our primary concern was the lack of a risk management ‘sponsor’ or someone at a senior level who can troubleshoot problems as they arise. Not having the right sponsor was actually the primary ‘risk’ to the success of risk management.
2. Disconnect between risk management and the business
Obviously, you can’t identify risks if you don’t know they exist. At the same time, you simply don’t have enough time to attend all the meetings in your business. Ideally, the risk manager would sit close to the area that he or she is meant to manage (like sitting next to the project management team). Over time, the risk manager becomes a ‘trusted advisor’ and becomes a natural person to consult when issues arise. Of course, this is first prize – where business actually wants to come to you for your opinion. One of the best ways to encourage this is to always be approachable (try not to close your door too often) and make a big effort not to get in the way of a meeting unless something really dire crops up (I really struggle with that one…).
3. Rating risks correctly
Unfortunately, this is often really tricky (ask MTN). You need to not only know that a risk exists (and often you don’t, because the business chooses not to share it with you) but you also need to use your crystal ball to figure out which risk has a high likelihood of becoming a reality (and what that would mean for the business). The most important thing you can do to help yourself here is to back up your risk management matrix with evidence. For instance, it is really helpful to benchmark your risk matrix against other competitor organisations and against the frequency of a particular risk arising in your industry (this is really helpful – if it has happened to your competitors, people are likely to believe it is a real risk).
If all this feels a little overwhelming, call us for a free consultation.