Risk Agility - Do we have a risk culture or appetite?
A fire occurs in your organisation, your server room is flooded, intellectual property is stolen, your computers are hacked, a significant fraud occurs, a key employee leaves or a key supplier goes into liquidation. These are just some issues that can impact on your business.
If any of these events were to occur in your organisation, how prepared are you to manage them? To what extent will they impact on you? The answer relates to the risk agility of your organisation.
Risk agility refers to your organisations flexibility, particularly in systems and processes. The degree of your flexibility is dictated by the risk appetite and risk culture of your organisation. These influence how easily you are able to manage and treat the risk, as well as the extent of the impact that a risk event may have on your organisation.
A strong or positive risk agility framework means you actively manage and build risk awareness within your organisation whereas a weak or negative risk agility framework means you have poor risk management practices and an aversion to risk.
Risk Appetite The risk appetite determines how much risk the organisation is prepared to accept as it strives to achieve its key objectives. This is a balancing act as the potential impact of the risk has to be weighed against the extent of the outcomes or benefits that are being targeted.
Some questions that help to define the risk appetite of your organisation include:
What are the risks the organisation is willing to take?
Can the organisation identify what these risks might be and their potential impact?
How have these risks and their impact been factored into the key objectives of the strategic plan?
Have you identified risks that are outside the capabilities of the organisation?
At a board and senior executive level is there an effective risk management governance framework that clearly articulates the tolerance level for managing risk?
How do the board and senior executives communicate the risk appetite throughout the organisation to ensure staff do not exceed these tolerances?
If you can only answer some of these questions it suggests that your organisation has yet to develop clear policies on the topic or perhaps it has not been able to communicate the guidelines to the people who need to understand them.
We can't consider risk appetite alone. We also need to look at the risk culture of your organisation to ensure there is an alignment within the risk management framework.
Risk Culture Your risk culture is the way your organisation approaches and handles risk. It is reflected in your organisational values, ethics and behaviours. Without a strong risk culture your organisation is not agile when it needs to be in the face of economic or marketplace changes. Unless your people are aware of the level of risk they can manage and be accountable for, your organisation will be slow moving in the face of change and less able to take up opportunities as they arise.
Your risk culture is instilled into your organisation through clear leadership from the board and leadership teams. Support is not just in the form of words but in actions that are incorporated into the strategic plan and key decisions.
Having a strong risk culture means:
That board members and senior executive staff set strong examples with their attitude, support and actions that are both observable and influential for staff.
Staff receive risk management training, discussion and feedback is provided at staff meetings, risk elements are included in position description statements and performance plans.
Staff are clear about who to contact in relation to risk related issues, whether it be dedicated risk officers, human resource staff or a senior manager.
Staff are accountable and responsible for risks that relate to their section or work practices, are actively encouraged to make suggestions and there is a clear reporting process when a risk event occurs.
The risk register is updated by management, minuted in the meetings and reviewed by the board of directors on a regular basis.
What these points also highlights is the need to have a strong communication process in place that forms part of a continuous improvement process in the management of risk throughout all levels and operations of the organisation.
Risk agility - the level of risk your organisation will accept, how clearly your people understand what ethical risk standards they must meet, and how well equipped they are to manage and be accountable for risk management in their roles.
Unless risk is an integral part of everyone's role your organisation is not likely to be agile and able to take fast action when it needs to.
Now that you've had time to consider the answers to my earlier questions, revisit the scenarios in the opening paragraph.
Posted by Ricky Nowak on 20th February, 2014 | Tags:
Ricky specialises in building top performing teams and individuals for many of Australia, New Zealand and Asia's leading organisations, and is an energetic motivational conference speaker, corporate trainer and executive coach.