Risk Management for the benefit of your organisation

Posted by Martin Holzke on 9th March 2016

Risk assessment and risk management are often experienced as a regulatory requirement associated solely with yet more work, cost and burden. However, that is to misunderstand the purpose of risk management entirely.

Risk management aims at enabling an organisation to gain an understanding of the risks it is actually faced with, so that it can take appropriate and well-informed measures to protect itself from undue damage.

As such, risk management is a great tool to optimise and re-focus business processes, thus contributing to the success of the organisation while at the same time reducing costs.

This might come as a surprise, so let’s take a look at how to achieve that.

Many if not most of the common business processes in an organisation are in place to safeguard the organisation and its success. A few examples: finance, HR, environmental, health and safety processes – to mention some – are all in place to satisfy legal and regulatory compliance. Sales, marketing and production, along with quality management, are more centred on making sure that customers are satisfied. Others, e.g. (information) security and business continuity, contribute to both customer satisfaction and compliance as well as enabling the organisation to survive critical situations. There are many others, and each of these has further objectives as well.

Out of the many ways to run each of these processes, there are probably three common patterns.

You could endeavour to operate them to academic perfection, a state likely never achieved yet resulting in frustration if not bankruptcy.

You could plead ignorance and try to get away with the least effort, likely resulting in the business failing sooner or later.

Or you could choose a healthy middle by employing a risk-based approach. Such an approach centres on identifying, analysing and evaluating, in a risk assessment, those scenarios most harmful to the organisation. Once these are determined, the organisation takes steps – also known as risk treatment – to manage the adverse impact. This will typically include adjusting existing business processes to make them more fit for purpose, or adding new ones that implement additional safeguards.

A risk-based approach means that the organisation focuses its efforts and resources on those areas where failure would cause the worst damage instead of spreading them equally across all parts of the organisation (or none at all). This results in both effective and efficient use of resources, and as such is a means of cost reduction.

A risk-based approach also means that the organisation tailors its activities according to its own risk appetite and what is feasible within its own economic framework. As such, this approach takes into account the context of the individual organisation rather than deploying a one-size-fits-all solution. The latter typically overwhelms smaller organisations while at the same time not taking sufficient care of the complexities of big organisations, hence not serving either of them well.

A well-understood risk-based approach hence contributes to the organisation’s resilience and success rather than just being another of those dreaded compliance activities imposed by a third party.

There is a wide range of risk-based approaches, methods and tools out there to serve the varying needs of different organisations. They vary in complexity and of course cost, so be sure to pick what is suitable for your organisation at this point in time. Naturally, as you become more mature about risk, your needs and ambitions will evolve too. The international standards ISO 31000 and ISO 27005 are a good starting point to get you into the right mindset.