Managing Strategic & Operational Risk
By James Crown, Chief Executive Officer, Knowledge Group Consulting

Managing risks is an integral part of the management-leadership requirement for effective corporate governance. Risk management will improve your bottom line and can be implemented cost effectively across the whole organisation.

Our strategic and operational risk management program is based on the Australian/New Zealand Risk Management Standard 4360, which has been around since the early 1990s. We have improved it, strengthened it, added a monitoring and reporting program based on an Unacceptable Risk Register and have implemented it in Australian, Malaysian, Singaporean and Hong Kong companies.

Start with two simple definitions: What is Risk? Risk is the chance of something happening that will have an impact upon your objectives. Risk is measured in terms of likelihood and consequences. The Risk Management Process is defined as the systematic application of 'existing' management policies, procedures and practices to the tasks of identifying, evaluating, treating and monitoring risk.

The fundamentals are in those definitions. You must know what your objectives are before you can start defining risks. (See the connection to governance? Your strategic and business plans identify your objectives. Your risk management program identifies the barriers or risks you face in implementation and achievement of those objectives!)

The second fundamental is that the most cost-effective risk management program identifies risks and outcomes, prioritises these so the most unacceptable risks are dealt with first, and then looks for improvement in existing internal controls for risk mitigation. Improving existing controls is far quicker and less expensive than launching new mitigation strategies. Of course, if no control improvement is possible, then a new strategy may be the only recourse - but that is usually the exception.

Risk management needs to be put in place across the whole organisation, from top to bottom, starting with assessing risks across the strategic and business plans, and then moving down into operational day-to-day issues. Our approach uses the same methodology for both strategic and operational risk management.
The steps are easily trained and implemented.

Step 1: Establish policy and senior management commitment to enterprise-wide risk management. Define the risk management structure as 'holistic' - the whole organisation. Establish what kinds of risks are the priorities: image and reputation risks; injury-to-fatality risks; damage to organisational assets risks, and so forth. Establish simple likelihood and consequences tables: what constitutes a low risk, a moderate, significant or high risk? Our methodology makes this a simple process for senior management to sign off on.

Step 2: Identify risks. What can happen? What can go wrong? Break down large areas of risk (for example, human resources) into individual sources of risk (training programs, recruitment and selection, career planning, performance assessments).

Step 3: Identify, for each risk, what the Outcomes of that risk are likely to be if it occurs, and then apply the Priority List. Now we know what might happen that will impact our objectives, what the outcomes would be, and whether or not the risk is a high priority for the organisation.

Step 4: List the controls that already exist, and value those controls as 'highly effective', 'moderately effective', or 'ineffective'. This is important because it is the 'real' value of the control which will help you determine likelihood and consequence.

Step 5: Apply the simple likelihood-by-consequence matrix to determine how likely (almost certain, likely, possible, unlikely, rare) the risk is to occur, and what would be the consequences (insignificant, minor, moderate, major, catastrophic) if it occurs. This leads to a risk rating of Low or Moderate (both of which are Acceptable Risk) or Significant and High (both of which are Unacceptable and need to be mitigated).

Step 6: Develop mitigation strategies to lessen the risk. First, check the controls to see if any improvements can be made. If not, look for new strategies. Develop the strategy and then implement.

Step 7: Monitor and review to ensure the mitigation action has had an effect.

Risk management is one of the most powerful management tools available today. It is best done with a piece of paper and a pencil. It does not require a computer, thus it is accessible to everyone. Contact us for a presentation of strategic and operational risk management, and see the true value behind this exceptional tool.

Click on image to enlarge

Download Article - (19 KB)
Right click & choose Save As