Risk Management in Practice: Charting your risk experience
You can never mitigate every risk, but Martin Loosemore says there are simple ways to track your risk management strengths and weaknesses
Risk management maturity is a useful concept which can be used to better understand the effectiveness of an organisation’s risk management practices, systems and culture. It is also valuable in assessing the capabilities of business partners in an organisation’s supply and demand chain.
But what are the characteristics of an immature organisation? Research in many high-risk industries tells us that risk-immature organisations tend to be sceptical about risk management and are often characterised by a culture of success and managerial invincibility. They also tend to have inward-looking, protective and narrowly constructed boards with little independence. These boards are reluctant to ask the hard questions and are not qualified to effectively identify key risks and opportunities. They also tend to promote task-oriented cultures which consistently emphasise the importance of profits over people and other corporate goals.
The result is highly geared, overly lean organisations, which have little understanding of their capacity or appetite to take risk and no spare capacity to deal with the unexpected. These organisations exist “on the edge” and make decisions without any clear boundaries. They nurture a mind-set that company size and past successes provide protection from future risks, that problems happen to others, that good management and hard work prevents problems and that the ends justify the means.
People in risk-immature organisations believe that risk management is someone else’s responsibility and that they have the power to offload risks onto other parties, thereby insulating themselves from the uncertainty of their environment. For these types of organisations, risk management is considered a sign of weakness because problems are seen as a sign of managerial failure. Furthermore, there is a reluctance to re-examine existing organisational practices in the aftermath of a problem and learn lessons for the future. Instead, the priority is to maintain the organisation’s public image and to ensure that internal operations remain intact.
In summary, the risk management systems of immature organisations represent little more than a managerial facade to impress external stakeholders and reassure managers that something is in place to deal with the unexpected, even though managers know that they have minimal impact on day-to-day organisational practices and attitudes.
In contrast to risk-immature organisations, risk-mature organisations typically have a culture of openness, awareness and sensitivity to organisational risks and of their social and financial responsibilities to stakeholders, the general public and the wider environment.
In such organisations, proactive risk management is systematically incorporated into strategic planning processes and championed by senior executives so that it is an integral and instinctive aspect of organisational life at all levels. Boards are structured effectively with a diverse group of independent directors who have the knowledge and capability to identify risks and opportunities and promote an open, transparent culture in which testing questions can be asked of senior executives.
These boards also support risk management by providing sufficient resources and clear statements of fundamentally held core beliefs and attitudes relating to organisational priorities. In larger organisations the central importance of risk management is reflected in the existence of a permanent risk management team, charged with the responsibility to create a comprehensive risk management plan and to continuously communicate, co-ordinate and review risk management efforts.
There is also flexibility and willingness to ‘let go’ of formal, standardised systems and procedures which can become restrictive and counter-productive during a risk event. This requires a capacity to communicate effectively with external and internal stakeholders at a time when formal information systems can become stretched and overloaded with information.
Finally, risk-mature organisations understand the interdependence of risks along their supply chain and put systems and processes in place to encourage a sense of collective responsibility for the management of those risks among everyone involved. This requires a willingness to share risks appropriately in a way which ensures that those who bear risks have the knowledge and resources to control them. It also requires a willingness to pay a fair premium for risk transfer and to retain risk when it is appropriate to do so.
In assessing an organisation’s risk management maturity it is possible, using diagnostic tools, to identify four levels of maturity across eight dimensions, namely; risk management awareness, risk management culture, risk management processes, risk management skills, risk management image, application of risk management, risk management confidence and resources invested in risk management. An organisation’s profile can be represented in a simple spider diagram such as that shown below.
In simple terms, level one is the lowest level of maturity where an organisation’s risk management practices and systems are largely ad-hoc, unstructured and reactive. At level two, there is still no structured approach but there is some experimentation with risk management by a small number of people on selected projects with little consistency. At level three, there are dedicated resources for risk management which are integrated into organisational processes on most projects, through a formalised and generic risk management process. This has specific processes and tools which are also integrated into quality management processes.
Level four is difficult to achieve and needs significant investment of time and resources. It is characterised by a proactive culture of risk management which is inextricably integrated into every project, organisational function and supply chain. State-of-the-art techniques are used to identify and analyse risks and there is top-down commitment to risk management.
In the spider diagram, the organisation in question has conducted two audits at different times – as represented by the inside and outside lines. Assuming the outside profile is the latest audit result, this company is clearly making progress in building awareness and processes but less progress in developing skills and a risk management culture. This would be expected.
The diagram also shows that the organisation is operating at different levels of maturity across different dimensions. For example, the outer profile shows that the company has a Level 2.6 culture but Level 4 processes. In other words, the company has developed a sophisticated system but not embedded it within its organisational behaviour and practices.
The challenge for any organisation is to achieve a consistent level of maturity across all categories and across its entire risk portfolio. Managers can generate a spider diagram for its entire risk portfolio or, to be more precise, they can generate a spider diagram for each type of risk (time, cost, environment, health and safety, quality etc).
Experience in using this audit tool indicates that most companies will be operating at different levels of maturity for different types of risk. For example, an organisation may find that it is operating at level four with its financial risk management practices but at level one with its environmental risks.
The advantage of this type of audit technique is that it allows companies to quickly and easily identify the strengths and weaknesses in their current approach to risk and opportunity management at a strategic, tactical, operational and project level.
It also allows companies to benchmark their systems and practices against international best practice and to identify internal inconsistencies in the way business risks and opportunities are managed. Finally, and most importantly, it helps companies identify priority actions needed to improve risk management capability.
Professor Martin Loosemore is associate dean, research, Faculty of the Built Environment at the University of NSW. For more information about any ideas in this article contact him at m.loosemore@unsw.edu.au
News