The management of risk is one of the most important activities any CEO and management team can do. The sorts of activities this includes are 1. Assessing the likelihood of harmful risks and planning to mitigate them. 2 Considering what appetite the organisation has to take risk, 3. Using risk management to plan for actions that may be beneficial, but have risks.
I’ve never thought there was much point in most organisations planning for a jet aircraft crashing on their offices, or that the basis of our world economic system will collapse, or that a cataclysmic disease will wipe out a workforce. Someone has to plan for these risks – especially Government emergency planners – but you shouldn’t spend too much time on these as senior managers.
Much more useful is for an organisation to manage risks that will have a reasonable prospect of happening. Risk can be looked on as relating to the probability of uncertain future events. A good way of considering risk is to have a simple matrix of probability (high, medium and low) and impact (high, medium and low).
Good organisations have a risk register. Very good organisations use risk management to take on exciting new goals. And excellent organisations take on those goals and manages away to a high degree the harm caused by potentially risky activities.
An organisation can have a defined approach to risk –ie its ‘attitude’. This can be very risk tolerant or risk averse. Great teams have people with different tolerances of risk. You generally want a Finance Director to have a keen eye on risk. Operations Directors need a clear line of sight on where risks are. And Strategy Directors should be careful not to be too constrained by risk. As a CEO, a usual role is to surface the views around risk and work towards an organisational consensus defining your attitude across your business.
Often in strategy-making, the difficulty for an organisation is high degrees of uncertainty around risk. A good way of addressing uncertainty is to develop scenarios (eg scenario 1 is that our competitors develop a product or service marginally better, scenario 2 marginally worse and secanraio 3 markedly better or scenario 4 markedly worse).
Accidents, upset customers, missed deadlines and cost overruns, fraud, disruptions to service through IT failure, poor weather or labour availability are all risks that can be managed away. Using our above matrix, the risk attributed to one activity is the probability of the harmful incident x its impact. The sum of these is the organisations exposure to a particular risk.
A very useful philosophy in risk management is that of ‘marginal gains’, ie if an organisation systematically identifies a wide range and large number of risks, however small, and then bears down on each one, the overall effect is high at reducing risks.
Leadership is vital for risk management. Like so many corporate functions, it’s important it is championed at Board level with defined roles for Chairs of Audit, CEO, Directors and mid organisation leaders. Many risks will come and go during a month or a year. So, dynamic systems of risk recording and management are important. If a big risk coming your way, has been identified and addressed, you can downgrade it. Once it’s passed, you can remove it from your register. No doubt, other new risks will have emerged and your corporate focus needs to be on those.
Leaders should know their risks, know who leads on them and know what their system is for tracking and managing them. I ran an organisation where we had lots of staff driving on poor quality roads, often in poor weather. We had lone workers in moorland and countryside environments. We had tens of thousands of service users cycling, walking and experiencing our sites.
Our moorland restoration work involved helicopters, tractors, heavy loads, ropes and hawsers and people working remotely in moorland environments. In winter. I am now a NED in an organisation that hands out £400M to hundreds of diverse groups for projects and a NHS trust providing services to the most vulnerable people in our society.
When the man in the pub begins to bore for Britain on ‘elf ’n safety gone mad’, remember the words of Sir Michael Bishop who ran the airline British Midland. ‘If you think airline safety is expensive, just wait until you have an accident’.