Risk Management: Taking Risk Off the Table.

Martin Le Marchant

Company Director



The Responsibility for Managing Risk

Managing risk is crucial for every business and organisation, from listed companies to unincorporated associations. Risk management forms part of an organisation’s broader governance framework and is a critical business practice that helps companies identify and evaluate issues, all the way to tracking and improving their risk mitigation strategies. But first, to understand risk management, we need to understand the different types of risk, positive and negative. Yes, you can have positive risks!

The International Organisation for Standardisation defines risk as “the effect of uncertainty on objectives.” (If you’re interested in the details, the specific standard is ISO 31000:2018, which provides principles and guidelines on managing risk).

Risk management aims to tell businesses about the threats in their operating environment and allows them to retroactively and preemptively minimise or combat risk. It follows that risk management is the practice and synergy of 3 key things:

  • Identification
  • Evaluation
  • Prioritisation

But what are the steps, and who should be involved in the process?

Positive Risk?

Typically, risk is considered an afterthought, with most organisations thinking about the consequences and how it can lead to financial loss, legal liability or tarnishing of reputation. From this perspective, it's hard to see risk as anything but a negative. But what if we take a different approach, sometimes referred to as the "do nothing" approach? The risk of not … focused on avoiding risk at all costs (Blockbuster). Understanding this should give you a better grasp of the significance of risk and how it can be more than just a defensive strategy if managed accordingly. Properly managed risk can assist organisations in developing a well-rounded approach, achieving objectives and making informed decisions.

Identifying Risks

Identifying emerging risks can be difficult, but there are techniques to help, such as PESTEL and SWOT analysis.

PESTEL analysis assists organisations in identifying risks in the broader (or macro) environment. Risks in this environment are generally outside the control of the organisation. PESTEL stands for:

  • P: Political - Risks such as political stability, corruption and export or import restrictions.
  • E: Economic - Risks such as strikes, production recalls, and supply chain issues.
  • S: Socio-Cultural - These arise from factors such as demographics, consumer behaviour and changing values.
  • T: Technological - Risks arising from factors such as communication technology and transport options.
  • E: Environmental - Risks such as natural disasters, infrastructure and environmental taxes.
  • L: Legal - Risks such as changes in the law.

SWOT analysis is another technique that can help an organisation understand its strengths, weaknesses, opportunities and threats. The benefit of SWOT analysis is that it is a simple and recognisable approach, providing a broader perspective on strategy or approaches. SWOT assists in developing an understanding of the impact and what can be done to minimise adverse effects and maximise potential opportunities. SWOT can also be a helpful framework for thinking about the individual parts of the PESTEL analysis.

  • Strengths - Strengths describe what an organisation excels at and what separates it from the competition: a strong brand, loyal customers, a strong balance sheet, unique technology, etc.
  • Weaknesses - What stops an organisation from performing at its best, or areas where a business needs to improve to stay competitive: large fluctuations in turnover, bad debt, an inefficient supply chain, or lack of capital.
  • Opportunities - This refers to favourable external factors that could give an organisation a competitive advantage. For example, if a country cuts tariffs, an Australian exporter can export its products into a new market, increasing sales and market share.
  • Threats - Threats refer to factors that can harm an organisation. Common threats include the rising cost of

What is a Risk Management Framework?

A risk management framework is a set of guidelines and tools that decision-makers can use to decide how to mitigate risk. It could include, for example, policies, strategies, plans, processes and models, and statements of your organisation's position on risk.

Risk Management Process

The five steps in a good risk management process comprise the following and can be used by any organisation:

1. Identify risks - both current and potential risks
2. Analyse the likelihood of each risk you identified and the impact of each one
3. Prioritise which risks to focus on based on business objectives
4. Respond to the risk conditions
5. Monitor outcomes and adjust as necessary

Whilst the steps look easy and straightforward, there is considerable effort required to complete the process. The objective is to develop a set of processes for identifying the organisation's risks. It is important to highlight that, by definition, unless the risk has an impact, it isn't a risk. We often hear phrases like "risk management", "risk assessment" and "risk analysis" used interchangeably, but what's the difference? Whilst they are related, there is actually a difference between each.

Risk management is the continued process of identifying, analysing, evaluating, and treating loss exposures. These are summarised in the five steps above.

Risk assessment includes the processes and technologies that you use to identify, evaluate, and report on risk-related concerns. The risk assessment process is a critical aspect of the broader risk management process and is mainly concerned with the Identification and Analysis phases (steps 1 and 2 above).

Risk analysis can be considered the evaluation component of the broader risk assessment process, which determines the significance of the identified risk concerns. Put simply, risk analysis is the actual quantification of risk (i.e. calculating the probability and magnitude of loss).

STEP 1: IDENTIFY

A top-down, bottom-up approach: the top-down approach involves the board and management identifying the organisation's mission-critical processes and working with stakeholders to determine the conditions that could impede them. The bottom-up approach starts with the source of the problem (natural disasters, economic downturns, cyber-attacks, etc.), considering their potential impact on particular assets.

Risk categorisation: As specified by The Committee of Sponsoring Organisations of the Treadway Commission (COSO), there are 4 main categories:

The final task in the identification step is for organisations to record their findings in a risk register. This helps track the risks through the subsequent four steps of the risk management process.

Pro tip: Leverage the collective knowledge and experience of your entire team. Ask everyone to identify risks they've either experienced before or may have additional insight about.

STEP 2: ANALYSE

Once you have identified the risk, it needs to be analysed. What you are looking for is: how likely is it that the risks will occur? And if they do occur, what could the ramifications be? This is referred to as the scope of the risk: specifically, how it impacts the organisation and how many business processes it will affect. While some risks will only be minor inconveniences, some risks can bring an entire business to a standstill should they transpire. To analyse the risks of an event, the following should be considered:

  • The likelihood of the risk happening.
  • The consequence and impact if it occurred.

From here you want to work out a rating system. For example, you could have ratings of:

  • 1 to 5 for likelihood (1 being highly unlikely and 5 highly likely)
  • 1 to 5 for consequence (1 being low and 5 for severe)

These ratings can then be utilised to help determine the risk level:

Likelihood x Consequence = Risk level

Based on our example formula, the lowest risk level you could get is 1 (1 x 1) and the highest 25 (5 x 5). You can use this to rank your risks from least urgent to most urgent. A template of this is shown below.
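As an added example (not part of the original article), the rating scheme described above applied in Python to a small constructed risk register: each entry is scored as Likelihood x Consequence on the 1-to-5 scales, out-of-range ratings are rejected rather than silently accepted, and the register is ranked with the most urgent risk first. The function names, the sample entries and their ratings are assumptions made for the illustration; the 5x5 matrix it builds is the template of levels from 1 to 25 the text refers to.

```python
"""Risk register scoring with the 1-5 Likelihood x Consequence scheme.

Added example, not code from the original article. The register entries
below are constructed sample data; the risk descriptions, ratings and the
function names are illustrative assumptions.
"""
from dataclasses import dataclass

MIN_RATING, MAX_RATING = 1, 5  # the article's 1-to-5 rating scales


@dataclass(frozen=True)
class RiskEntry:
    """One row of a risk register: what could happen and how it was rated."""
    risk_id: str
    description: str
    likelihood: int   # 1 = highly unlikely ... 5 = highly likely
    consequence: int  # 1 = low ... 5 = severe


def rate_risk(likelihood: int, consequence: int) -> int:
    """Return the risk level: Likelihood x Consequence (1..25).

    Ratings outside the 1-5 scale raise an error instead of being clamped,
    so a mistyped rating in the register cannot quietly hide a severe risk.
    """
    for name, value in (("likelihood", likelihood), ("consequence", consequence)):
        if not (MIN_RATING <= value <= MAX_RATING):
            raise ValueError(
                f"{name} must be between {MIN_RATING} and {MAX_RATING}, got {value}"
            )
    return likelihood * consequence


def rank_register(register):
    """Return (risk_id, level) pairs ordered from most to least urgent.

    Ties on level are broken by consequence, so at equal level the risk
    with the heavier impact is listed first.
    """
    scored = [(entry, rate_risk(entry.likelihood, entry.consequence)) for entry in register]
    scored.sort(key=lambda pair: (pair[1], pair[0].consequence), reverse=True)
    return [(entry.risk_id, level) for entry, level in scored]


def risk_matrix():
    """Return the 5x5 level matrix: rows are likelihood, columns consequence."""
    return [
        [rate_risk(lk, cq) for cq in range(MIN_RATING, MAX_RATING + 1)]
        for lk in range(MIN_RATING, MAX_RATING + 1)
    ]


# Constructed sample register (illustrative entries, not real assessments).
SAMPLE_REGISTER = [
    RiskEntry("R1", "Phishing email leads to credential theft", likelihood=4, consequence=4),
    RiskEntry("R2", "Internet-facing server left unpatched", likelihood=3, consequence=5),
    RiskEntry("R3", "Key supplier suffers a prolonged outage", likelihood=2, consequence=4),
    RiskEntry("R4", "Office coffee machine breaks down", likelihood=5, consequence=1),
]

if __name__ == "__main__":
    for risk_id, level in rank_register(SAMPLE_REGISTER):
        print(f"{risk_id}: risk level {level}")
    print("Likelihood (rows) x Consequence (columns):")
    for row in risk_matrix():
        print(" ".join(f"{level:2d}" for level in row))
```

Note that the ranking deliberately keeps a high-likelihood but low-consequence item (R4) at the bottom: the product rewards neither likelihood nor consequence on its own, which is why the two ratings should be recorded separately in the register rather than only the combined level.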

STEP 3: PRIORITISE

Most risk management solutions will show different categories of risks, depending on the impact of the risk you are analysing. Prioritising the risks you have diagnosed will give you a holistic view of the possible exposure of the entire organisation. You may see that the business has several low-level risks that may not require upper management intervention. However, even just one high-rated risk can be enough to require prompt intervention.

The two types of risk assessment are Qualitative and Quantitative Risk Assessments.

Qualitative Risk Assessment: these are inherently qualitative; however, you can derive metrics from the risks, as most risks are not 100% quantifiable. For instance, the risk of climate change is one that cannot be quantified as a whole. Note: when performing a qualitative assessment it is essential to maintain objectivity and have a standardised approach throughout your company.

Quantitative Risk Assessment: This style of risk assessment is common in the financial sector, whether it is with regards to money, metrics, interest rates, or any other form of data. Note: quantitative risk assessments can be automated and are generally considered more objective than qualitative assessments as there is less room for bias.

STEP 4: TREAT AND RESPOND

There are four strategies to manage the threat the risk may cause, where the strategy selected depends on the risk's likelihood and the severity of impact:

  • Risk avoidance: implementing policies, procedures, technologies, training and other steps designed to divert potential risks.
  • Risk reduction: Similar to avoidance, it is a series of measures designed to reduce risk to an acceptable level.
  • Risk transfer: contracts with a third party to bear some or all costs of a risk that may or may not occur.
  • Risk acceptance: accepts the risk because its potential to harm the organisation is very limited or the cost of mitigating it exceeds the damage it would inflict.

STEP 5: MONITOR

It has to be noted that not all risks can be eliminated; some risks are ever-present, for example market risks and environmental risks, and they will always need to be monitored. When it comes to monitoring risk, it can be thought of as manual or digital systems. Here's what you should know about them and which you need to use.

  • Manual systems monitoring: This is conducted by diligent employees. These professionals must keep a close watch on all risk factors they are responsible for.
  • Digital systems monitoring: The risk management system monitors the entire risk framework of the organisation. If any factor or risk changes, it is immediately visible to everyone with access. Computers are also much better at being able to continuously monitor risks.

Monitoring risks also allows your business to ensure continuity.

Relationship to Internal and External Audit.

A company's board needs to ensure that the risk management framework established by management is operating as intended, testing the effectiveness of the strategy from time to time through assurance providers such as internal and external audits. An internal audit function brings an independent, systematic, disciplined approach to evaluating and continually improving the effectiveness of the organisation's risk management and internal control.

The 'three lines of defence'

This can be a helpful way to define roles and responsibilities when considering effective risk management:

  • First line: operational management control.
  • Second line: management assurance (risk control and compliance oversight functions established by management).
  • Third line: independent assurance.

The board (and its committee(s), if established) are not included in the 'three lines of defence'; instead, they are served by the 'three lines'. Their role is to ensure that the 'three lines of defence' model is reflected in the organisation's risk management and control processes.

Talk Risk with the Experts at Bishop Collins.

If you have any questions or would like to discuss your organisation's risk management framework and internal audit needs, the team at Bishop Collins would be happy to have an obligation-free and confidential discussion.

To learn how Bishop Collins can help you manage your organisation's risk, visit bishopcollins.com.au or call (02) 4353 2333.