Organisations, including non-profit organisations, face the risk of unexpected events. These risks stem from a variety of sources, including financial uncertainties, legal liabilities, technological issues, strategic management errors, accidents, pandemics, and natural disasters. Any of these events can cost your organisation money or be the reason your organisation permanently closes. By having a Risk Management Plan in place, you can prepare your organisation for the unexpected and minimise the cost of risks, and the extra costs they bring, before they happen.
So, what is Risk management? Risk management is the process of identifying possible risks, problems, or disasters before they happen. This allows Top Management to set up processes and procedures to avoid these risks, minimise their impact, or at least help manage them. An organisation should do a realistic evaluation of the true level of risk and plan accordingly. A Risk Management Plan does not have to be expensive or very time-consuming.
Why is Risk management important?
Risk management has never been more important than it is now during these concerning times. The risks organisations face have grown more complex, fuelled by the increasingly rapid pace of globalisation and the pandemic. New risks are continuously emerging, many of them linked to, or generated by, the pervasive use of digital technology. Climate change has also been labelled a “threat multiplier” by risk experts.
Also, and perhaps obviously, the Coronavirus (COVID-19) pandemic has quickly evolved into a serious threat that affects the health and safety of organisations’ employees, the resources for doing business, and the ability to interact with clients. As the world continues to deal with COVID-19, organisations and their boards of directors are taking a fresh look at their current Risk management programs. These organisations are reassessing their risk exposure, examining all available risk processes, and reconsidering who should or should not be involved in risk management. A heightened interest in supporting resiliency as well as sustainability has developed.
What is the Risk management process?
One of the best-known published sources is the ISO 31000:2018 Risk Management – Guidelines standard, developed by the International Organization for Standardization, the standards body commonly known as ISO.
The ISO 31000:2018 Seven-Step Risk Management process can be used as a useful guide and comprises the following:
- Communication and consultation: Since raising risk awareness is an essential part of risk management, leaders must also develop a communication plan to convey the organisation’s risk policies and procedures to employees and relevant parties. This step sets the tone for risk decisions at every level.
- Establishing the context: This step requires defining the organisation’s unique risk appetite and risk tolerance, i.e., the amount to which risk can vary from the risk appetite. Factors to consider here include organisational objectives, company culture, regulatory legislation, political environment, etc.
- Risk identification: This step defines the risk scenarios that could have a negative impact on the organisation’s ability to conduct business. The resulting list should be recorded in a risk register and kept up to date.
- Risk analysis: The likelihood and impact of each risk is analysed to help sort risks. Making a Risk Heat Map can be useful here, as it provides a visual representation of the nature and impact of an organisation’s risks. An employee calling in sick, for example, is a high-probability event that has little or no impact on most organisations. An earthquake, on the other hand, depending on location, is an example of a low-probability risk with a high impact.
- Risk evaluation: Here is where organisations determine how to respond to the risks they face. Techniques include one or more of the following:
  - Risk avoidance: The organisation seeks to eliminate, withdraw from, or not be involved in the potential risk.
  - Risk mitigation: The organisation takes actions to limit or optimise a risk.
  - Risk-sharing or transfer: The organisation contracts with a third party (e.g., an insurer) to bear some or all costs of a risk that may or may not occur.
  - Risk acceptance: A risk falls within the organisation’s risk appetite and tolerance and is accepted without taking action.
- Risk treatment: This step involves applying the agreed-upon controls and processes and confirming they work as planned.
- Monitoring and review: Monitoring activities should measure key performance indicators (KPIs) and look for key risk indicators (KRIs) that might trigger a change in strategy.