Assessing and managing corporate risk
26 Feb 2021 01:12 PM
Blog posted by: Allan Thomson – PPM Product Ambassador, AXELOS, 26 February 2021.
Organizations’ ability to recognize and manage risk is absolutely vital and will be more so as we move into a post-pandemic, rapid change environment.
The way enterprises handle risk affects confidence among investors, though many organizations still pay lip service to it. Leadership teams tend to focus on something that has already happened and they can identify rather than on risk, which is something that hasn’t happened yet and might never happen.
This means that first-class, strategic and integrated approaches to risk, and to ways of managing it, remain a rarity in organizations.
However, this problem doesn’t need to be terminal. Comprehensive guidance contained in the Management of Risk (M_o_R®) framework provides a route map for organizational risk management. For project and programme managers it also enables better enterprise agility which will be needed as organizations pivot in the future as a result of market changes.
What is M_o_R?
The guidance is designed to help organizations establish frameworks for decisions about risk and put it firmly on the C-suite agenda.
Its principles and processes provide a method to identify, assess and control risk – and show how risk management can be integrated and tailored to portfolio, programme, project and operational levels.
A principle-driven framework
The principles enshrined in M_o_R cover a range of elements essential to effective risk management, for example:
- Aligns with objectives – the risks you manage should relate to the organization’s strategic objectives
- Fits the context – therefore possible to implement anywhere
- Engages stakeholders – including those that like to deal with issues rather than risk
- Provides clear guidance – embeds processes and informs decision making
- Facilitates continual improvement – learning lessons and improving performance
- Creates a supportive culture – to get buy-in and show commitment to mitigating risk
- Achieves measurable value – using a structured approach to risk management is intended to create and protect organizational value.
The risk management approach and processes
Creating the right type of documentation is a mandatory part of using M_o_R.
Why? This articulates the organization’s approach and enhances the governance process. Without this documentation, organizations will lack the material to show, share and obtain C-level endorsement and confidence.
Central to the M_o_R approach is the creation of a set of documentation that describes how the organization will implement risk management, comprising:
- A risk management policy which communicates why and how risk management will be implemented throughout the organization.
- A risk management process
- Risk management strategies for each organizational activity.
The M_o_R approach also recommends three types of mandatory documents which include records, plans and reports:
Records
- Risk register – which captures and maintains information on all of the identified threats and opportunities
- Issues register – which captures and maintains information on all identified issues that are happening now and require action.
Plans
- Risk improvement plan – assists with embedding risk management into the culture of the organization and documents planned improvements
- Risk communication plan – describes how information is disseminated to, and received from, all relevant stakeholders of a particular organizational activity
- Risk response plan (integrated with the project plan) – is linked to the response field of the risk register and details specific plans for responding to a single or linked set of risks.
Reports
- Risk Progress Report – this provides regular progress information to senior management within a particular organizational activity.
In turn, the risk management process – as outlined by M_o_R – comprises four steps:
- Identifying the risk
- Assessing the risk – impact, probability, proximity
- Planning
- Implementation.
In addition, communication is a continuum throughout. Overall, the risk management approach should make clear sense to anyone responsible for owning and managing risk and is hugely effective.
The benefits of a structured approach to risk management
If an organization can identify risks properly, this enables a comprehensive view of its level of “risk health”, which is what the C-suite wants to see and understand at any given point.
Having this approach – which is very much the purpose behind M_o_R – allows for better management of unplanned threats, but also exploitation of opportunities. This feeds into improving service delivery and developing competitive advantage plus a more efficient use of scarce resources and reduction in waste.
Having a mindset of contingency in the organization – and a budget to back it up – means people are actively monitoring and reacting to early risk warnings.
Cultivating a cultural approach to risk
While some organizations are naturally risk averse, others choose the “heroic” route, which – by running headlong into change without assessing the risk – is unpredictable at best.
Building a risk-aware and responsive culture is easier in a small organization. This is why, for larger enterprises, the M_o_R principles, approach and processes provide the C-suite with a framework to endorse and for the staff to own and implement.