How effective, really, is risk management in your organisation?
We all manage risks, whether we're aware of it or not. Every time we make a decision or think about how things might turn out in the future we're considering risk and uncertainty. That's what risk management is all about - making better decisions to help us meet our objectives.
In many organisations 'risk management' equates to 'risk registers' and lists of bad things which might happen. Whether you consider it an art or a science, risk management is often dumbed down to the point where it adds little tangible benefit to anyone. The risk management function often sits too far away (literally and figuratively) from decision makers and data, looking backward rather than forward, to be of any use. This is a very expensive waste of time, resources, and effort.
Here are a few questions, based on our observations across a number of organisations and sectors, which will quickly identify areas where risk management can be improved. This is by no means a full list, but it will help identify key weaknesses very quickly.
If you're responsible for delivering risk management then ask your teams. If you have an oversight or scrutiny role then challenge the relevant people. And if you're a risk manager you should know this already. If you don't have confidence in the answers people provide, get in touch.
Are risks scored using a matrix which assigns them a colour? If so, why?
Is the end product of risk management a quarterly risk report which includes a multi-coloured heat map of 'top risks'? Who finds this information useful?
How do you provide evidence of what is a 'top risk'?
Do risk managers regularly use tools such as Monte Carlo analysis, decision trees, optimisation, and bowties to provide timely information to decision makers?
Does your audit function understand and know how to interrogate quantitative risk models?
How do your risk assessment techniques cater for bias?
What risk assessment techniques are regularly used?
How do you assess the effectiveness of your risk management arrangements internally?
Do people think that 'more risk registers equals better risk management'?
Is risk reported alongside performance, objectives, KPIs and other targets?
What standard(s) and framework(s) do your risk management arrangements align with, and can you justify why?
If you're using consultants to carry out your risk management, why?
For each of your projects and programmes, do you know the range of likely finish dates, and how much each project is likely to end up costing?
What training is provided to the risk team, and to the people using the information provided by the risk team?
Do decision makers think they are being provided with the best possible information by the risk team? Do they believe it helps them do their jobs better?
If you would like an independent view of your risk management arrangements we can help. We design effective risk management frameworks incorporating industry-standard tools and techniques to provide you with timely, actionable information to help you achieve success.