What does a company’s approach to risk management say about its leadership?
By Stephanie Oley
Behind every tale of corporate success or failure is a risk that was managed either exceptionally well, or mishandled with devastating consequences.
Think of the greatest corporate triumphs and failures of recent times. In the first camp is the rise of Zoom, online training and fine food delivery during the lockdowns of the past few years. In the second camp is the failure of (too many) businesses to guard against cybercrime, or to plan for global warming. Another example is the poor governance arrangements and decision-making in Australian financial circles[1] that led to the Royal Commission into banking and finance several years back.
Looming above these events are tales of the way those companies and even entire industries were run. Little wonder that risk management is maturing as a discipline, with more businesses now able to view it through the dual lens of opportunity and downside.
This last point is important. Managers need to know that risk management is equally about embracing opportunities as it is about averting crises. And encouragingly, risk management is now captured in a range of systems and frameworks that can be learned and shared.
The 5 main types of organisational risk
Let’s start by looking at the types of risks that all organisations must be mindful of. They come in endless variations, but can generally be grouped into the following five themes:
- Security and fraud risk – including everything from cyberattacks to embezzlement, money laundering and intellectual property theft.
- Compliance risk – the impact of changing laws and regulations on a business, in areas including occupational health and safety, certification requirements and tax reporting.
- Operational risk – a broad area that covers internal risks such as human error, and external risks such as how a company would respond to natural disasters, outages or pandemics.
- Financial risk – impacts on financial and business performance, triggered by market movements, debt and cash-flow management, changes to income streams, and insurance arrangements.
- Reputational risk – the impacts of poor customer service, public scandals, faulty products or services, and others.
The leading global framework for helping organisations identify, track and respond to such risks is ISO 31000, the risk management standard developed by the International Organization for Standardization. ISO 31000 is not a standard that organisations certify against, but it provides valuable guidance to organisations of all sizes, activities and sectors.
Complementing this and other frameworks are the decision-making arrangements in place at an organisation. In Australia, the leading guidance on this topic is set out in the ASX Corporate Governance Principles and Recommendations. These in turn shape other processes that are loosely linked to risk management, including corporate governance, change management, crisis management and business process design.
Risk management: Who is doing it well?
As Australia matures, so does its approach to risk management. A widely used four-level risk maturity model (which complements ISO 31000 rather than being part of the standard itself) describes organisations as Level 1 – naïve, Level 2 – novice, Level 3 – normalised, or Level 4 – natural. ‘Natural’ refers to a proactive state of risk management, in which the organisation consciously looks to maximise opportunity and mitigate risk. This is the ideal state of risk maturity, and one that many Australian firms are consciously striving to achieve.
Different industries also have different levels of maturity when it comes to risk management. Consumer goods firms such as Procter & Gamble are generally higher up on the scale, as are the big pharmaceuticals such as Pfizer and Roche.
Government is traditionally more reluctant to manage opportunity and embrace change, partly due to the political spiderwebs that can hinder accountability. And, as the Royal Commission has revealed, banking and finance still has work to do.
Honing your expertise in managing risks
More managers are recognising the gap between where they are and where they should be. A short course such as CCE’s Risk Management and Corporate Governance course will give a solid overview of the main frameworks to know, the ideal state for an organisation, and the pathways to get there. Sometimes, classroom discussions will even reveal shortcomings in a team’s governance or business model.
For example, one construction firm realised that its 12-member board was composed mostly of individuals not prone to sharing ideas. The frameworks and models discussed at the workshop led them to implement positive changes later.
Risk management applies to the private and public sectors, mid management and senior executives, and all industries alike – from law to finance and NPOs. By better understanding risk, your organisation can focus better on opportunities, not just develop a contingency plan for worst-case scenarios.
[1] From EY: https://www.ey.com/en_au/financial-services/how-the-royal-commission-impacts-the-financial-services-industry