The purpose of risk management is to create and protect value. It helps us achieve better business outcomes.
Risk management should be part of our day-to-day activities. When it is integrated closely into the way we manage our business, it helps us be more effective and efficient, make better decisions, capture opportunities and avoid unpleasant surprises.
This tutorial describes how we can embed risk management at the executive level, to lead its wider adoption in business operations.
Embedding risk management
Leadership and culture
The executive team is responsible for the management of risk within an organisation, according to the risk appetite set by the Board and in full knowledge of the risks involved. To support this, executive leaders need to ensure they are fully informed with accurate and up-to-date information. Making risk management a routine part of the discussions in regular management meetings is an important way of achieving this.
Everyone in the organisation should be switched on to risk, both threats and opportunities. An organisation where individuals incorporate into their thinking the risks, the current controls and what they may do to treat and cost effectively address the risks is most likely to avoid pitfalls, capture the odd gem of a brilliant opportunity, and enhance performance.
The focus of this tutorial is establishing this culture through a top-down management-driven process.
Monthly monitoring and review
Risk management should be embedded in executive management meetings each month (Figure 1). The COO should drive the detailed agenda, taking into account information provided by the risk champion. (Note: We have referred for convenience to the Chief Operating Officer, the COO, as the person who drives the meeting agenda. In a particular organisation, the Chief Executive or another executive might undertake this role.)
When the process is mature, the executive should usually discuss the following under the risk management item:
- One or two specific risks – high risks, risks with high potential exposure (PE), or risks with low control effectiveness (CE) – and actions to improve them
- One or two critical controls and associated assurance activities
- One or two key tasks from previous discussions about risks and controls
- One or two lessons learned, from successes or failures
- Things that keep us awake at night.
Short presentations from managers and staff (risk, control and task owners) may be required.
The COO should plan the risks and controls to be considered, in consultation with other executives and the risk champion as appropriate. The COO and the risk, control and task owners should provide most of the base information and support, including:
- Information from the risk management information system
- Action plan summaries
- Pre-meeting warnings to risk, control and task owners
- Topics for the next meeting
- Updates to the risk management information system after the meeting.
The people responsible for the risks, controls and tasks should do most of the work, not the risk champion. The risk champion can assist with identifying priorities for the executive meeting agenda, but the risk champion does not manage risks, controls and tasks – those activities belong to line managers. The risk champion should monitor the status of the risk management information system, however, and remind the risk, control and task owners to update it appropriately.
Managers should also review what risk management activities have been performed over the month and what is planned for the coming month and months ahead. Activities of interest might include formal risk assessment workshops, treatment workshops, control assurance activities, treatments, lessons learned workshops and risk management training.
Weekly oversight and discussion
In addition to the monthly review and feedback process described above, the executive would normally discuss aspects of risk in its more frequent (weekly or fortnightly) meetings. Here the focus would normally be on current decisions and other matters of immediate concern.
Where appropriate, the risk champion should update the risk register as a result of those discussions. Even if there are no changes to a risk, its controls, the ratings or the treatment actions, the date of the review and discussion should be updated in the risk management information system to reinforce the discipline of keeping risks under regular review.
Implementing the monthly monitoring and review process described above cannot be done all at once. It will need to be managed carefully, so people progressively learn about and understand what is required.
When starting out, the focus might only be on one or two risks, and the status of improvement tasks. As people become more familiar with discussing risks and controls, topics relating to critical controls and assurance using control self-assessment (CSA) can be introduced, and then lessons learned and root cause analysis (RCA). (For more information about how to conduct a control self-assessment, look here. For more information about root cause analysis, look here.)
A plan and target timetable for embedding risk management in monthly meetings is strongly recommended. Table 1 shows an ambitious but realistic plan for expanding the topics discussed at management meetings, and the associated skills enhancements necessary to support them.
What’s needed to make it work
The schedule in Table 1 is ambitious, a stretch target. The activities in the plan might be spread out over a period that is twice as long, say over 18 months, but with two provisos:
- Risk management should be included in the agenda every month, so it becomes part of the organisation’s routine
- All of the activities should be included in the plan, not just a review of risks and associated actions. Control self-assessments (look here) and root cause analyses (look here) are simple tools that allow the organisation to move from basic risk management to include other processes that support significant improvements in outcomes and assurance.
To make any plan like this work, strong and committed executive support is essential. This is needed to ensure:
- There is always time in the agenda for the necessary discussions
- Risk, control and task owners are encouraged, and supported where necessary, to prepare for and engage in meaningful discussions that will lead to improvements in outcomes.
An appropriate risk management information system is essential to hold and maintain the information needed to support the discussions. Excel spreadsheets are rarely a viable long-term solution.
Support from the risk champion is often needed, at least initially, to help risk, control and task owners develop short, focussed presentations on the key points to be discussed with the executive, and any additional help they might need to resolve the matters they confront. Appropriate training will also be needed.
Managers’ position descriptions should all state clearly what risks or areas of risk the role is accountable for managing. Each of the most important areas of risk should be covered by someone’s position description.
Benefits for the business
A planned, regular cycle of executive review for the most important risks, controls and tasks has many benefits:
- Risks, controls and tasks are likely to be discussed in executive meetings anyway, so there is little extra effort required
- The review process keeps executives up to date with progress in addressing important risks, controls and improvement tasks
- Regular executive reviews keep risk, control and task owners focussed on the items for which they are responsible
- Attention to risks and controls by executives drives attention to risk management at operational levels of the organisation
- The cycle allows a ‘rolling review’ of the risk management information system, ensuring it is always relatively current and avoiding time-consuming periodic reviews
- Important matters are less likely to slip through the cracks.
The executive team is responsible for the management of risk within an organisation, and risk management should be a routine part of the discussions in regular management meetings.
The COO should plan the risks and controls to be discussed, and provide pre-meeting warnings to risk, control and task owners.
Risk, control and task owners should provide information to support discussions in each meeting. Short presentations may be required.
The contents of the risk management information system should be updated after each meeting, to reflect changes arising from the discussions.
The executive is responsible for ensuring that appropriate activities are being planned and implemented to enhance risk management and improve outcomes.