Risk assessments are an integral process to effective Risk Management, and yet far too many businesses still view the risk assessment process as simply creating a static document that once completed can be filed away. What these companies are failing to comprehend is that the humble risk assessment is a powerful instrument to maximise stakeholder buy-in, establishes management priorities, a way to determine and secure budgetary needs and resources, and clearly defines the extent of risks that could materially impact on your business and stakeholders.
The whole point of risk assessments is that they identify uncertainty as realistically and rationally as possible. But circumstances change. Things evolve. In the same way that your business must be dynamic to respond to fluctuations in the economy, changes to your market, and developments in your industry, the content of the risk assessments must also be dynamic. In fact, one of the key principles stated in AS/NZS ISO 31000:2009 Risk Management is that “Risk management is dynamic, iterative, and responsive to change”.
In order to get the most out of your risk assessments, here’s our advice:
Think one step ahead
What makes a risk assessment dynamic? A dynamic risk assessment shouldn’t just report on historical risk, but also where there is risk currently and where it will be in the future. By looking forward, it should reflect the most likely scenario of how the risk will affect the next four quarters of your business plan.
Know your business plan
Without a solid business plan, you won’t be able to dynamically assess risk. It’s crucial to know the forward leaning goals and objectives of the business in order to apply any found risks to them and get an understanding of how the risk will affect your business in the future. Taking this approach will also allow you to put the right controls in place to mitigate risks for the long term.
Consider the following:
Will the business be expanding into new markets?
Are there new products/services on the horizon?
What product/service is generating the most revenue for the business?
How long is the average sales cycle?
What is the sales strategy for next 12 months?
How does the business measure success?
Once you have a firm understanding of these considerations, apply the risk assessment to each factor and extrapolate outcomes.
Involve the whole business
Where many companies stumble is in their failure to embrace risk management across all business processes. Risk management cannot be applied in a vacuum. If the risk champion / manager does not partner with every corner of the business and leave no stone unturned, they are guaranteed to miss something. In contrast, if they partner with all relevant stakeholders from day one, then a mutual goal is established for everyone to work towards, resulting in maximum buy-in across the business. Trevor Jones of ASTRA Group Services, our Strategic Partner and experienced risk program facilitator, expressed the importance of stakeholder involvement. “Effective risk assessments need to involve and have representation from relevant stakeholders. Their knowledge and experience in the scope and context of the risk assessment will determine the accuracy and validity of the underpinning data or assumptions. In addition, the level of authority vested in the attendees will determine the level of controls that can be confirmed or applied. As an example, a risk assessment for establishing a new item of manufacturing plant will require design engineers, supplier technicians, maintenance and equipment operators to be present and contribute their knowledge and experience”.
“Irrespective of the focus of the particular risk assessment, the outputs should be collated and catalogued into a single Risk Register. This will allow the Residual Risk to be calculated and sorted in hierarchal order to determine Management Priorities. This is the whole objective of Risk Management – to determine what impacts to the organisation exist (both positive and negative) and prioritise resources accordingly,” Trevor said.
Getting the most from a risk assessment
Risk assessments aren’t a box to be checked in order to respect compliance obligations. When done correctly they can help inform the direction of a business, assist in the allocation of budget and resources, set priorities for the business as a whole, and stimulate the right discussions that need to be had for the business to enjoy long term success.