Risk is inherent in any business and changes constantly, driven by micro and macro factors. Understanding the risks your organisation is exposed to, the level of control you have over those risks, and the actions needed to handle them is central to effective risk management. The main risk categories are:
- operational risks
- strategic risks
- financial risks
- reputational risks
- compliance risks
ISO 31000:2018 Risk management and its implementation
The second edition of the risk management standard states that “Managing risk is iterative and assists organisations in setting strategy, achieving objectives and making informed decisions.” It then goes on to say that in order to implement a risk management framework, an organisation should:
- develop an appropriate plan including time and resources
- identify where, when and how different types of decisions are made across the organisation, and by whom
- modify the applicable decision-making processes where necessary
- ensure that the organisation’s arrangements for managing risk are clearly understood and practiced.
The traditional risk model
Risk is an inherent part of all operations, and so is risk appetite: the level of risk an organisation is willing to accept within its operations. In the traditional model used by many organisations today, once critical risks have been identified, the likelihood of each occurring is plotted against its potential impact on the organisation. Based on this information, a strategy is defined to move risks from high impact and/or high likelihood towards low-to-medium impact and low likelihood, in line with risk appetite.
However, for an organisation that operates multiple business models, and therefore fundamentally different levels of risk appetite, the model simply doesn’t suffice. Furthermore, it was developed before businesses and society became reliant on IT and global supply chains, and before non-compliance was a high-risk strategy for an organisation. Today, organisations face a more fragmented and uncertain picture of their current risk exposure. The risk landscape has changed and risk management, its models and the tools used to manage it, must move forward.
Bringing control to risk management models
New models introduce a new key component into risk management that enables organisations to embrace risks rather than simply mitigate them: control. The 4C Relative Risk Control Model, for instance, shifts the focus to the level of control exerted over a risk. The ultimate goal of risk management in this sense is no longer achieving the lowest possible risk exposure but achieving adequate control of the risk landscape. An adequate control level means managing the risk in line with the organisation’s risk appetite. This concept even allows risks with high exposure to the organisation to be deemed acceptable, which would not be the case under the traditional risk model. In the model, risks are transitioned from inadequate control to adequate control over time, whatever their impact on the organisation may be. This strengthens the mandate of risk owners and fosters a clear, common view of risk and risk appetite over time. The model therefore supports diverging risk appetites between departments and business units, i.e., enabling companies to embrace a risk in one part of the company and mitigate it in other areas.
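As an added illustration (not code from the page or from 4C Strategies' software), the Python sketch below scores a constructed risk register two ways: the traditional likelihood-times-impact verdict, and a control-based verdict that accepts a risk when the owning unit's control level meets its own appetite threshold. The scoring scales, the per-unit appetite table and the sample risks are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str          # business unit that owns the risk
    likelihood: int    # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int        # assumed scale: 1 (negligible) .. 5 (severe)
    control: int       # assumed scale: 1 (no control) .. 5 (full control)


# Constructed appetite table: the minimum control level each unit demands
# before accepting a risk in a given exposure band. Two units, two appetites.
APPETITE = {
    "trading":  {"high": 3, "medium": 2, "low": 1},
    "payments": {"high": 5, "medium": 4, "low": 2},
}


def exposure(risk: Risk) -> str:
    """Traditional exposure band from likelihood x impact (assumed cut-offs)."""
    score = risk.likelihood * risk.impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def traditional_verdict(risk: Risk) -> str:
    """Traditional model: anything above low exposure must be driven down."""
    return "accept" if exposure(risk) == "low" else "mitigate"


def control_verdict(risk: Risk) -> str:
    """Control model: accept when control is adequate for the unit's appetite."""
    required = APPETITE[risk.unit][exposure(risk)]
    return "accept" if risk.control >= required else "strengthen control"


def compare(register):
    """Map (risk name, unit) -> (traditional verdict, control verdict)."""
    return {(r.name, r.unit): (traditional_verdict(r), control_verdict(r))
            for r in register}


# Constructed register: the same high-exposure risk owned by two units,
# plus a low-exposure risk that is nevertheless poorly controlled.
REGISTER = [
    Risk("Cloud provider outage", "trading", 3, 5, 4),
    Risk("Cloud provider outage", "payments", 3, 5, 4),
    Risk("Stale vendor contract", "payments", 2, 2, 1),
]
```

The same outage risk is accepted by trading but flagged for payments, while the low-exposure contract risk, which the traditional model waves through, is flagged because its control level is inadequate.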
Risk management software
Due to the complexity of today’s risk landscape, traditional risk management tools no longer suffice. Spreadsheets are useful for basic risk operations, but if you want to work with risk systematically, according to ISO 31000 and based on a common understanding of risks, modern risk management software is becoming a necessity.
The 4C Exonaut® software was included in Gartner’s 2020 Hype Cycle for Risk Management report. The end-to-end solution delivers a structured and integrated approach to project-based and enterprise-wide risks. With a common risk register, risk aggregation and dashboard visualisation, Exonaut provides a comprehensive overview of risk exposure across all organisational levels and business areas. For example, Exonaut enables you to map, visualise and share complex risk scenarios and their many dependencies in a similar way to the bowtie method, but on a far greater scale.
Discover how the government-owned bank, SBAB, uses Exonaut as part of its three-dimensional approach to risk management.
Risk and organisational resilience
As one of the three key elements of organisational resilience, your risk strategy should be closely integrated with your Business Continuity and Incident Management strategies.
An integrated operational strategy will also enable you to pinpoint where, for instance, business continuity capabilities should be increased in order for a controllable high-return risk to be exploited in accordance with risk appetite, as opposed to simply looking to transition it to low-risk.
Our approach is driven by a shift from an operational silo mindset to an organisational resilience mindset. This involves the strategic integration of risk, business continuity and crisis management and continuous capability development through training and exercises.
Risk Management – developing your strategy
At 4C Strategies, we can help you develop a risk management strategy that meets your organisation’s needs and risk appetite. Our expert consultants have extensive experience supporting global enterprises in the planning and delivery of risk strategies that support better business decision making. Using the latest risk models and our advanced risk management software, we work with your risk teams and senior management to define the optimal roadmap for a healthy risk environment that supports business goals.