I feel privileged to be both a risk expert and an executive director (having been Risk Decisions CEO for nigh on 25 years). And although I’ve always engaged in risk on behalf of both our customers and the company, in the last few years I have come to appreciate some new understandings of the practicalities of managing risk.
Recent revelations come from moving out of my comfort zone of project, programme, product and strategic business risk and into operational risk. In particular, Risk Decisions’ response to cyber security threats: implementing ISO27001. The journey to certification provided an insight into how confusing the whole topic of risk can be (where risk means different things to different people). It has helped me think through some of the ways to unpick that confusion.
We know the importance of implementing risk top-down, viz. the ISO31000 definition of risk being uncertainty that impacts on your objectives. Leadership and direction from C-Suite are key to success, as explored in the Risk-Intelligence white paper. A key next step to organisational risk maturity is helping middle managers understand their role in articulating risk to C-Suite, as described in The Snowball Effect white paper.
It is particularly important to break down the silos that constrain people’s thinking on risk to ‘only their kind of risk’ (Cyber, HSE, Supply Chain, Reputation, Project/Programme etc). Getting rid of the plethora of separate spreadsheet risk registers is a significant step (data breach is both Cyber and Reputation Risk, so which spreadsheet do you put it in?). No matter the source or category, risk information must be made available centrally for speedy decision making. This allows C-Suite to look at risk across the business, focusing equally on:
- business strategy and objectives;
- functional operations (compliance and resilience); and
- change initiatives (projects/programs, portfolio, opportunities and innovation).
Opening up risk conversations from the board room to the coal face and across disciplines is key to achieving success. Take, for example, the building of the 2012 Athletes’ Village. The mega-project faced a multitude of challenges and risks: the London 7/7 bombing on the day of the London Olympics announcement; the global credit crunch of 2008; reputation issues on the recently completed Wembley Stadium project; and the logistical challenges of moving huge amounts of contaminated earth from the East London site. Senior management were naturally focused on risk from the get-go. C-Suite were involved every step of the way, from the Risk Masterclass included at kick-off, through setting monthly schedule risk analysis targets of 100% confidence.
Not only is it important to get the right information to C-Suite, it’s also important that strategic direction is flowed down from the top. In an age of digitisation, C-Suite should be able to access data whenever they want, instigating questions and informing conversations at division, business unit, project or function/operations levels. Risk visualisation techniques can speed up engagement across teams. Asking the right questions is key to supporting an organisation-wide approach to problem solving. Streamlined governance and simple lines of reporting support faster risk-based decisions.
Risk Professionals and Middle Managers who understand C-Suite thinking are better able to have productive, success-oriented risk conversations. With the right culture from the top, people feel safe to have difficult conversations early, before the problem gets too big to handle. They also have more ‘head-space’ to formulate and propose innovative ideas.
The multi-dimensional nature of risk, with its many different perspectives, can result in mixed and sometimes conflicting objectives for risk management. The challenge for C-Suite is to create an environment in which joined-up, risk-intelligent thinking across teams is supported and rewarded, where all perspectives on risk are appreciated and people see risk as a positive mechanism to support decision-making for success.
For an in-depth discussion on this topic:
The 18th Jan 2023 Riskologists podcast delves into the topic of implementing effective risk management strategies within organisations. In season 2, episode 3, Riskologists host, Andy Haslam, sits down with Risk Decisions CEO, Val Jonas, to discuss ‘A C-Suite Perspective on Implementing Practical Risk Management’.