How to improve your risk management framework

One of Manjuni Gregory’s most important responsibilities as risk manager during induction sessions at the Australian Office of Financial Management – a federal government entity within the Treasury portfolio – is to help new staff define the concept of risk.

For staff at an agency that has as its core responsibility the management of the Australian Government’s debt portfolio, the idea of risk could be overwhelming.

Yet the worst possible outcome would be for staff to find the concept too vast, and therefore avoid ever engaging with it.

“What I say to our new starters is that we are here to deliver certain objectives for the organisation,” says Gregory, who is also the ACT chapter president of the Risk Management Institute of Australasia.

“I begin by defining those objectives. Then, risk is simply what could potentially help or inhibit us from achieving those objectives.

"Proactively managing for uncertainty helps the organisation make better-informed decisions.”

There is increasing focus on upside risk, Gregory says. These are opportunities that might assist in the organisation’s achievement of its goals, such as new business streams, different supplier arrangements or business process improvements that free up resources towards high-priority initiatives.

“You can often frame a risk in a negative or a positive way,” she says.

“Your framing should really be shaped around what your business is hoping to achieve.

“That might change over time. You’re always looking for increasing market share and increasing profits. But there may be sustainability objectives as well.

There may be a desired progression in terms of using recycled goods or making sure your goods can be upcycled. Particular priority objectives should guide the way the business thinks about risk.”

What is influencing risk?

Three specific issues are influencing the changes in risk patterns and profiles that most businesses are experiencing today, says Professor Qihe Tang from the University of New South Wales Business School.

Tang is research director of the University of New South Wales School of Risk and Actuarial Studies, as well as co-director of the recently launched IRIS Knowledge Hub, which produces forward-looking and tech-driven approaches to managing traditional and emerging risks.

“The most fundamental influencer of emerging risk is climate change,” Tang says.

“The second is due to technology developments and people using advanced technology that they don’t fully understand.

"The third comes from the fact that the whole world is more interconnected than ever. This interconnection produces a new source of risk.”

Of course, these influencers of emerging risk are also areas of massive opportunity.

There’s a good reason, Tang says, that the Society of Actuaries, on which he often serves as a panel member, popularised the slogan “Risk is opportunity”.

Without the taking of risk, much of the financial sector would not exist, Tang says.

“Yet due to new risks, such as climate change and the pandemic, people want better protection,” he says.

“Companies in the insurance and financial sectors are constantly innovating new products that help bring certainty.”

However, uncertainty will always be with us, Tang says.

He points to the words of the late, iconic scientist Stephen Hawking, who said uncertainty must be embraced, that the 21st century would be characterised by complexity, not by clarity, and that intelligence is the ability to adapt to change.

 

"Risk is really a human concept. It is only when risk intersects with people directly or indirectly that we become motivated to act."

 

Amy Grace CPA, EY’s Oceania risk leader, agrees that risk is a positive as well as a negative. She says risk should be framed in three ways – upside, downside and outside.

“Downside risk is the risk that you need to prevent from coming to fruition,” Grace says.

“Upside risk in a business is the risk you’re willing to take because the potential reward is great. Outside risks are external factors that you may or may not be able to control, but that you should remain aware of. The pandemic is a good example of an outside risk.”

EY looks at risks across these three layers partly because it makes the concept of risk more manageable, and secondly because it resonates with C-suite executives, but most importantly because it gives the organisation a powerful competitive advantage.

“By developing an understanding of all three types of risks in your organisation, you have that advantage over competitors because you have a structured way to manage risks, and also a strong understanding of your business’s purpose and risk appetite,” Grace says.

“Risk happens every day in all of our decision-making across all layers of the organisation.

“Putting risk at front of mind with the leaders of the business means we’re talking about risk all the time, but we might not be framing it as risk. It becomes about how we make the very best decisions.”

Lisa Sisson, founder of risk consultancy Unearth, has literally written the book on risk in business. Risk Starts and Ends With People outlines how and why people are at the heart of risk and opportunity.

“Risk is really a human concept,” says Sisson, who is also running a course on risk management within Griffith University’s School of Engineering and Built Environment.

“It is only when risk intersects with people directly or indirectly that we become motivated to act.

“For instance, bushfire responses focus on areas that directly affect people, like homes and property, and assets that are deemed important with indirect consequences, like critical infrastructure, for example, communications towers, bridges, power. So, if you take people out of the equation, there’s no risk.”

Of course, this means that in organisations, people are also an essential ingredient in the recipe for good risk management.

However, businesses can sometimes focus so intently on risk management that they turn their people off the idea or fear the consequences of taking on any type of risk.

 

"The most fundamental influencer of emerging risk is climate change. The second is due to technology developments and people using advanced technology that they don’t fully understand. The third comes from the fact that the whole world is more interconnected than ever. This interconnection produces a new source of risk."

 

“As some organisations are fixating on risk, they’re creating processes and policies that actually impede the ability of their people to do their jobs,” Sisson says.

“Those people tend to become disconnected, and disengagement is a big issue in risk management.

“If an employee is actively disengaged, they don’t pay as much attention, they make more mistakes and they just don’t care as much. So if they see something that’s a risk or a vulnerability, they probably won’t speak up about it.”

Deeply connected to people and engagement, risk management is clearly related to organisational culture.

An organisation attempting to execute a risk management strategy in an environment in which staff simply don’t care about the business will be working against its own objective and purpose, Sisson says.

“It becomes a risk vortex,” she says. “

Even though the organisation has the best intentions, they are actually creating the very environment they were trying to protect themselves from.”

The international risk management standard known as ISO 31000 helps walk a business through the purpose of risk management to the specific business, the identification of relevant risks and the management and mitigation of those risks.

However, without a framework that brings everybody in the organisation on board, success will still be difficult to achieve.

The broadest answer to the question of who has responsibility for risk management within an organisation, is – everybody.

If risk is related to culture, everybody plays a role. More specifically, the owner of the strategy depends on the risk itself, Gregory says.

“If it’s related to a particular team, the risk owner might be the head of that team,” she says.

 

"It must be a framework that is operationalised across the entire business. What are the governance arrangements? Who ultimately owns the risk? How do we report on risk? How do we develop our key risk indicators?"

 

“Depending on the organisation and their risk framework, they might already articulate at what level of the business various risks should be allocated for ownership.

It might be senior managers for certain risks, and project managers for others. “It should be somebody who has the accountability and authority to progress actions.”

The risk management strategy must be discussed regularly at the very highest levels, Grace says.

“It cannot be a document the risk manager pulls out of their drawer every now and again,” she says.

“It must be a framework that is operationalised across the entire business. What are the governance arrangements? Who ultimately owns the risk? How do we report on risk? How do we develop our key risk indicators?

“Capture that lifecycle of what risk management should look like, based on the standard but in the context of the individual organisation, and embed it in all parts of the business, and the risk management rubber will hit the road.”