Risk management - Part 1 exploring risk
Risk Management Lifecycle
The Risk Management lifecycle is not static. It’s really important to recognise that just identifying risks and expecting them to manage themselves is not enough. We need to focus on all the key parts of the lifecycle, and we will look at how to properly identify what risks are – and how to understand what are not risks.
Share your Risks
Think of an example of a risk that you are aware of right now.
Think particularly about the risks you think you face as a business in the current operating environment and how the unprecedented events we are experiencing have impacted how you work.
This doesn’t need to be a business risk. It can also be something that has impacted you at a personal level.
We will revisit this throughout the course.
This can be:
- A risk at the enterprise level, for example, something that would impact our strategic direction, or stop us doing business;
- A risk at a client level, for example, something that would cause a client’s business concern;
- A risk at a project level, for example, something that you have experienced in work you have been involved in; or
- A risk at an individual level, for example, something that has impacted you personally.
What exactly is a Risk?
Risk is defined as:
"...looking at potential perils, factors and types of risk to which your assets, operations, projects, interests and clients are exposed"
In order for it to be defined as a 'risk', there are 3 factors involved:
Is there a cause and an impact? There must be a cause of the risk and there must be an impact to us (or our customers) of the risk happening. If there isn’t, chances are that it’s not a proper risk. A risk can also have one or multiple causes and impacts.
Risks are things we cannot be certain about: things that could happen, but we're not sure that they will. All risks are uncertain, but not all uncertainties are risks to our business or to us.
If there is a cause and an impact, and it’s uncertain, the third thing that defines whether it is a risk is whether it matters. If it matters to us, for example because it could have a negative impact on a project being delivered, then it becomes a risk.
It is really important to remember these 3 factors:
- Is there a Cause and an Impact?
- Is it Uncertain?
- Does it Matter?
Look back at the risk example you just detailed. Can you answer yes to the questions above? Do you still think it is a risk?
Risk Management enables...?
One of the great things about good risk management is that it strengthens our business and enables us to grow in the right way. Risk makes us think about our strategy in different ways, and ensures that we properly assess the decisions we make. It doesn’t stop us from doing the things we want – it just makes sure that we have assessed them and have reduced the risk of something going wrong.
Risk is good for our business and is a positive framework to protect our people and our business. There are a number of other benefits of getting risk right.
- Development of the right culture
It facilitates a proactive risk culture through investment in risk management skills of our people.
- Definition of how much risk we want to accept
It clearly defines our risk appetite in alignment with targets and strategy.
- Operations to be consistent
It ensures a consistent approach to how we look at risk management across the business.
- Identification of the right controls to reduce our risk
Develops appropriate strategies and effective operating controls.
- Development of accountability
It establishes clear roles and responsibilities for risk management internally.
- Availability of the right information about our business and our clients
It provides reliable and meaningful risk information to decision makers.
- Identification of the riskiest risks to our business
It helps us to identify, analyse and understand each of our material risks.
- Application of lessons learned
It applies balance to historical risk performance through metrics and lessons learned.
"...across the totality of systems, structures, policies, processes and people that identify, measure, evaluate, control or mitigate, monitor, and report all internal and external sources of material risk."
What risk types might we face?
Think of the types of risk that we could face as a business and what each of these key categories means. It is important to note that these are not the only risk types in our business, but they are the principal risks we are likely to come across every day.
- Regulatory & Compliance Risk
Failing to understand or comply with relevant laws, regulations, and industry codes of conduct, and not responding appropriately to changes in the regulatory environment.
Examples of regulatory and compliance risk would be Breach Reporting, Data Protection (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), or Conflicts of Interest (a situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity).
- Financial Crime Risk
The risk of products or services being used to facilitate financial crime within the business, against clients, or against third parties (relating to Money Laundering, Terrorism, Corruption, Internal Fraud, Data Theft, or Bribery).
- Operational Risk
The risk of loss resulting from failed internal processes and systems and from external events. Impacts arise from day-to-day activities and result in direct or indirect losses.
Examples of operational risk would be errors in Data Input, Data Loss, Failure of Controls in key processes, loss of System Availability, or Cyber related crime.
- People Risk
The risk of not having sufficiently skilled and motivated colleagues who are clear on responsibilities and who behave ethically, leading to inappropriate decision making that is detrimental to clients, colleagues and shareholders.
Examples of People Risk would be failing to secure Talent, lack of Succession Planning, Health, Safety and Wellbeing, and Underperformance.
- Strategic, Business & Financial Performance Risk
The risk of significant loss, loss of earnings and/or damage arising from business decisions that impact the long-term interests of the stakeholders, or from an inability to adapt to external developments.
Examples would be Reputational Damage and Financial Detriment.
- Conduct Risk
The risk of undertaking business in a way which is contrary to the interests of our clients, resulting in inappropriate client outcomes, detriment, redress costs and/or reputational damage.
Examples would be inability to process Client remediation, lack of Post Sales Admin and support, and unfair terms in Product Design and Pricing.
Risk Management Lifecycle (IAMM)
The risk management lifecycle is an ongoing cycle of activity. Risks are not static; they change!
Risk helps us to deliver our strategic objectives in a safe environment. It’s important that we understand our objectives and think about risk in line with those objectives. This will help us to identify the risks that might stop our objectives being achieved and our strategy from being delivered.
An easy way to remember the steps in the Risk Management Lifecycle is to use the acronym, IAMM: Identify, Assess, Mitigate and Monitor.
Identify Risks
Risk Profiling helps identify changes to internal and external risk environments at an enterprise and client level, and supports the identification of emerging risks. This is the first step when embarking on a change programme of activity, but risks should be identified throughout a project lifecycle.
Assess the Risk
Once risks have been identified, they are evaluated in terms of their likelihood and their impact or consequence. This prioritises the risks that we really need to focus on (and those that need to be highlighted within the risk register).
Mitigate Risks
The materiality assessment of the risk helps to determine the strength of the controls required to bring the risk to within the business’ appetite threshold, and informs the key control areas that require greater oversight / assurance to ensure that they operate effectively.
Once risks have controls in place, it is likely there will be actions required to ensure the likelihood and impact of the risk is minimised. It’s important that these actions have named owners in the business and dates to ensure they progress.
Monitor Risks
Risks should be managed on an ongoing basis to reflect changes in the business and control environments. This should include monitoring of key indicators that provide immediate management information on the performance of the risk and controls. This should be done throughout the project lifecycle.
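The three-factor test and the Identify, Assess and Mitigate steps above can be expressed as a small risk register. This is an added example written for this page, not course material; the 1-5 likelihood and impact scales, the appetite threshold value and the sample items are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
# Risk appetite threshold on a 1-5 likelihood x 1-5 impact scale. Assumed value;
# the course text names the appetite concept but gives no number.
APPETITE_THRESHOLD = 9

@dataclass
class Action:
    description: str
    owner: str   # named owner in the business
    due: date    # date by which the action must progress

@dataclass
class Risk:
    name: str
    causes: list
    impacts: list
    uncertain: bool
    matters: bool
    likelihood: int = 1   # 1 (rare) .. 5 (almost certain)
    impact: int = 1       # 1 (negligible) .. 5 (severe)
    actions: list = field(default_factory=list)

    def is_risk(self) -> bool:
        """Identify: the three-factor test (cause and impact, uncertain, matters)."""
        return bool(self.causes and self.impacts) and self.uncertain and self.matters

    def score(self) -> int:
        """Assess: materiality as likelihood x impact."""
        return self.likelihood * self.impact

    def mitigation_gaps(self) -> list:
        """Mitigate: a risk outside appetite needs actions with a named owner and date."""
        if self.score() <= APPETITE_THRESHOLD:
            return []
        if not self.actions:
            return ["no mitigating action recorded"]
        return [a.description for a in self.actions if not a.owner.strip()]

def build_register(candidates):
    """Keep only items that pass the three-factor test, highest score first."""
    return sorted((r for r in candidates if r.is_risk()), key=Risk.score, reverse=True)

# Constructed sample items, not from the course material.
SAMPLE = [
    Risk("Data loss", ["failed backup"], ["client records unrecoverable"], True, True, 3, 5,
         [Action("Test restores monthly", "Ops lead", date(2024, 6, 30))]),
    Risk("Key supplier exit", ["supplier insolvency"], ["delivery delay"], True, True, 2, 4),
    Risk("Office move", ["scheduled relocation"], ["short downtime"], False, True, 5, 2),  # certain, so not a risk
]
```

Running `build_register(SAMPLE)` drops the certain "Office move" item and orders the rest by score; a risk above the threshold with no owned action is reported by `mitigation_gaps()`.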
Know your Customer Risk Objectives
What are the top 3 client risks you are aware of right now?
Knowing what is critical to your customers is paramount. Here are some key things to think about that enable you to better understand the risks they are facing. Applying this kind of thinking will enable your projects and operational delivery to be more robust.
We should always be thinking about our customers when it comes to risk, and applying our knowledge of things we have seen already, specifically in the sector and wider industry.
When thinking about risks for your projects or operational activities, we first of all need to make sure we have thought about the following:
- What risks are we already aware of – what insight is available to us internally from past projects, previous work with the client, and what sector knowledge do we have that can be applied, in terms of lessons we have learned, and challenges we have seen?
- What risks can we see right now and in the future? Risk is not just about a static picture – what risks are emerging within the industry? Think about things across the key areas of people, process, internal and external perspectives.
- What is it that the client is trying to do? Do we know what matters to them? Do we understand their existing challenges and areas of concern?
- What are our actual project objectives? Do we understand what could stop us from achieving them and what we could do to drive it forward?