Opinion – Risk management for organisations

Many of the articles I have written refer to risk management  because it is a business I used to be in.  Although risk management is important in our everyday lives, it is also important for all types of organisations.   So here are some thoughts on organisational risk management, adapted from an early post on my own blogsite.

Some organisations are serious about risk management because it is core to their business – insurance companies are the obvious example.  I think too that engineers understand  risk management fairly well because  they are often responsible for structures which must meet high standards of public safety (low risk).  Recent earthquake experience in Wellington suggests that we still have a lot to learn, and I think the engineering profession will respond to that challenge.

Too often organisations don’t take risk management seriously but do it simply because it is an expected component of good management overall.  Organisations in this category will generally place great store on having risk analyses that fit standard templates and will be careful not to postulate risks that indicate that the business is seriously “at risk” or does not does not know what it is doing.  This is a recipe for ignoring the most important risks and getting the organisation into serious strife.

The anecdotal evidence in favour of this view is plentiful and includes IT projects in government departments, financial institutions (hit by the financial crisis) and companies like Fonterra (the baby formula debacle).  It is important too not to forget human disasters like Pike River (which I write about in my previous article) and, many years before that, Cave Creek in the Department of Conservation.

So what is required to take risk management seriously and to have an effective risk management plan?

One point is to not get too tied up in classifying risk.  Many organisations find it convenient to categorise risks as strategic, reputational, operational and so on.  Doing that can sometimes be useful but it can also create blind spots – the reality is that risks, when they occur for real, have a habit of spilling over category boundaries.  Something that started out as a simple engineering risk could well turn into a major reputational risk or worse if it impacts on product safety.

Here are some other thoughts:

• Use standard templates as an aide to thinking, not something that has to be filled out like an exam
• Focus on the risk – don’t get too tied up in knots about quantifying likelihood v magnitude
• Welcome and seriously consider outrageous suggestions
• Think of the worst that could happen in terms of the impact on the organisation – expressions like “it could never happen to us” should be forbidden from the conversation
• Don’t assume that things will work the way they are planned to work; people are human and make mistakes or say they understand when they don’t.
• I think that these days you need to consider deliberate sabotage
• Be prepared to consider outlandish or left field strategies or contingency plans
• Challenge thinking that worries you – even if it comes from people who sound like experts.

And finally, make the risk conversation as all-inclusive as possible – from the top of the organisation to the very bottom.

Read Bas’s first article on this topic here.

Start a discussion on this topic…

This is another of Bas Walker’s posts on GrownUps.  Please look out for his articles, containing his Beachside Ponderings.