Are your risks really problems and challenges?
Our ambition is to work with risk management in a way that creates real impact. Not that it hasn’t previously, but we do, however, believe that we can get even more value for the money by challenging the perception of risk management as primarily reporting and duplication of work that we already do. We want to ensure that risk management leads to productive discussions and decisions that end up having a positive impact on the business.
When challenges are complex, we need simple solutions. At Implement, we think that there is a simple answer to why current risk management approaches are not making real impact: We don’t talk about real risks. Instead, most talk is about facts, problems, issues and challenges – not risks with significant elements of uncertainty.
Facts, problems, issues and challenges are often related to risk – and they certainly are important. But when risks do not focus on uncertainty, and what we do not know or expect, the risk list does not form a strong base for the risk management process.
Even if risk management didn’t include it in a risk list, the organisation would still address the problems, issues and challenges as part of normal business.
Lack of real risks in the risk list causes two major limitations:
An example of point 2: A company is executing a critical project. A supplier is running late, and a risk is raised to the steering committee that the supplier will not meet their milestone on 1 September, but be one month delayed. The project organisation has prepared a plan to mitigate the risk. Resources will be added, and activities will be shuffled around so that the project can squeeze through and still meet the overall deadline of 31 December. And yet the project is hit by a surprise. Not about the supplier delay which was expected, but instead that the supplier pushes delivery to November. And when it arrives, half of the delivery is not of the right quality. The project now has limited options for a plan B. Resources and management time was spent planning for the expected, and the overall, unavoidable delay of the project results in substantial consequences – nobody considered how to mitigate the real risk.
We don’t talk about real risks
We often find that 80% of the risks in corporate risk lists are “non-risks” like facts, problems, challenges and issues. Here are some examples you may recognise?
If you also have weeds of non-risks in your risk list, don’t despair, but look at it as a great opportunity to improve risk perspectives in your organisation. You can improve the overall “enterprise risk management” approach and the risk perspectives that are part of the core processes of the organisation significantly. From strategy development to investment analysis, capacity planning and operational optimisation etc.
The first thing you need to do is to twist and turn the non-risks to find the potential risky element. In this process, many organisations find that they can reduce the length of the risk list from a daunting count of +100 to manageable 50ish risks. The second thing you should do is to help the organisation understand the difference between non-risks and risks. This is where you can really have a positive impact on the organisation. You’ll find that people start having discussions and base their decisions on risk aspects that have never been addressed before.
We won’t overpromise. But in our experience, everything starts to make much more sense once non-risks become risks. You’ll be able to help the organisation not only plan for the expected, but also be ready for the unexpected. And you’ll be in a good position to help the organisation move from a state of fragility to being robust, resilient and even to benefit from uncertainty and changes.
We are a bunch of people dedicated to working with risk management and risk leadership.
Culture eats technology for breakfast
Implement Consulting Group