From our director Patrick Parker
With a former public sector background, Patrick Parker (Director at CGR Ltd) reflects on the need for risk management to be simple and resilient to the churn of staff over time.
Are you managing risks? A couple of things you should know…
Fundamentally, risk management is straightforward
You identify things that could go wrong and impact your objectives, then you decide on a proportionate set of measures to keep the risk acceptable and you ensure that those things get done. This effectively boils down to the “what” and “so what”. There are other elements of course, as can be explored in ISO 31000 (the international standard for risk management). You need to surround your risk picture with real-world ‘risk intelligence’ data so that you can see where risks may be leaking through to issues/impacts – then respond accordingly. And, of course, risk can be positive – measures are then designed to ensure that a good thing happens, instead of preventing a bad thing from happening.
But ultimately it boils down to the “what” and “so what”. It should be simple and enduring. And yet two problems often emerge…
Too much complexity and not enough action
Organisations get bogged down in the “what” at the expense of the “so what”.
Too much focus can go into analysing the risk, through complex visuals or convoluted quantification. There may be merit in some of this, but resource is finite and balance is required. You could end up with a beautifully crafted set of risks but lack the capacity to ensure you’re doing anything about them. This leaves you admiring the risks rather than managing them.
Things to avoid with risk management software
Some software tools perpetuate common mistakes, like promoting complexity in risk identification and analysis, while failing to deliver clarity around controls and actions. This inhibits active risk management and accountability.
High turnover and poor continuity
The churn of risk managers and other staff over time leads to continuity problems, particularly where the risk system is held together with MS Office tools. One key person may drive their own risk management template and approach for a few years – when they leave, their replacement is left with an array of spreadsheets that they don’t understand, and an inability to locate the data they need. So, they start all over again.
A new approach is then briefed to the C-Suite, when all the executive wants is consistency and confidence in the picture of risk, risk intelligence and action – so that they can make effective decisions, dialling risk appetite up or down as required.
Future-proof your risk management: choose the right system and stay ahead of the curve
It makes sense to get risks out of spreadsheets for a number of reasons.
Choosing the right system should deliver you clarity and simplicity to support decision-making – while providing resilience and consistency over time as staff come and go. But system choice is important. It needs to have simplicity at its core.
You need to be able to strip it back to the absolute basics of: what could go wrong; what measures have you decided are proportionate and reasonable; and have you taken those measures?
A good system will allow you to bolt on and integrate other processes and data
That’s right, and it should also allow you to manage the system in-house and make changes in-stride. But if you can’t see the core of simplicity running through it, beware – because fundamentally risk management is straightforward!