Too often risk management reporting and focus are limited to the “top 20 risks”
We often find that organisations generate a “Top 20 risks” style report and their supporting risk management processes are geared towards generating those reports. More often than not these reports display the ‘residual risks’ so the Board and Executives can get a feeling for how much risk is left after all their risk controls have reduced the ‘inherent risk’. Based on these reports the Directors and Executives consider their risk appetite and if any of the residual risks are outside that appetite they ask for something to be done.
That’s the way traditional risk management is done, and it’s supported by the standards, so what’s wrong with that? The focus is all wrong, and it drives counter-productive risk management behaviours throughout the organisation.
So what should the focus be?
Simply, on what you can realistically affect: the risk controls!
In explaining this to a Board recently we showed that their business was inherently risky: they deal with clients prone to physical outbursts, so employees are always at risk of physical harm. They knew this and it was included in their Top 20 risk reporting. For over a decade the Board have seen that risk in the reports and have agreed it’s a big risk. Guess what: that risk will always be there; it will only ever go away if they shut that business unit.
They are a very safety-conscious company and they have lots of controls that reduce the likelihood and impact on the organisation in the event of the risk occurring. But the residual risk is still high, so they worry, and when incidents occur they instruct the CEO to put more controls in.
So far so good, right? Wrong. In their risk reporting there are 2 paragraphs describing the risk, an inherent and a residual risk score, and 2 pages of risk tables providing guidance on how to generate those scores. The majority of the risk framework is about describing and measuring the risk. In the report there is one letter that represents the risk controls – U for unacceptable, A for adequate, E for excellent.
In that organisation there are over 35 individual risk controls that reduce this risk, over 50 pages of procedures, multiple education courses and managers – it’s a complex business structure, because it needs to be. But all of that complexity has to be represented in one simplistic score!
So that’s 80% focus on the risk and 20% focus on the controls.
But for the line managers it’s the other way around: they focus on the controls, because that’s what they can affect, and the inherent risk doesn’t change that often anyway.
Why don’t Boards focus on the controls?
Everyone who has ever been involved in risk management knows that controls reduce risks. But the majority of simple risk tools let you create a risk record, then within that risk record you list the controls and provide a single score for all of the controls.
But some of those controls affect multiple risks, and some of them are good and some of them are bad, so how would you know which ones are which? If your auditors highlighted a failing risk control, where would your risk manager capture that in the risk record? If your risk manager has introduced Control Self Assessments (CSAs), how are the results reflected in the risk reports?
All of the detail and granularity is focused on the risk, and you still need that, but why do you have to resort to an expensive risk system to gain insight into your risk controls? An organisation reduces its risk by changing the risk controls, so why don’t we focus on the controls?
Does your company focus on what it can affect, or what it can’t?
Blue Zoo has a long pedigree in building fit-for-purpose risk management processes that ensure Directors and Executives understand how risk management actually happens in their organisation, how to demonstrate that it does and how to make informed business decisions about their risk appetite and profile. Which risk controls in your organisation are acting as a lead indicator of a pending incident?