Synopsis


Every company takes risks - indeed it is a pre-requisite of being in business. It follows that we
all undertake risk assessments and prioritise mitigation activities even if it is only in our heads,
but how can we sustain this risk aware approach throughout our business over a long time
period?


Sustaining risk awareness - the challenge for the long term business


We have all been in the position where something unexpected has happened within the
business, with the result that time and resources are re-directed to fix the problem. Hopefully
it is only a temporary issue and not one to stop the business in its tracks. And then, when the
crisis is over, we have quickly reviewed our contingency plans and risk assessments to figure
out why we weren't prepared for the unexpected - go on, admit it, you've done it as well!

The assessment of risks and threats to our business is something we all know we should do
and many of us take it seriously enough to review on a regular basis. But away from the board
room where the effects of not maintaining an effective risk management regime are felt most
keenly, risk management is often perceived as being secondary to core role activities, and it
is cumbersome to undertake.

Risk management solutions abound in the marketplace, some are pure play risk governance
products whilst others are embedded in wider business solutions and all of them allow you
to model business and operational risks to some degree or another. Everyone claims their
product gives you the easiest solution to use, by making it web based, or maybe by integrating
it with your chosen ERP or business planning tool, but is this what you really need? If users
are turning away from your risk governance solution because it is too complex to use, how
are you going to know in the board room that your risk process, so clearly thought through in
the early days, is still working?

I have often been asked by prospective clients how we can make the process of collecting,
assessing and managing risks as simple as possible for the end users, whilst still giving the risk
manager and his team a clear and concise picture of the risk exposure faced by the company?
And how, even if we can do this, does the board overlay its requirements of risk appetite and
linking to key investment plans?

There are risk management solutions out there that allow for 150+ separate pieces of
information to be provided about a risk, issue or opportunity. Do we really need to know that
much about a risk before we can mitigate the threat? More importantly, if you were faced
with screen 1 of 5 asking you for the first 30 pieces of information, are you going to fill it in or
throw your hands in the air in horror? We are all human, and if I still have to make sure that
the 30 orders taken this afternoon are despatched by the time the delivery company arrives
in an hour's time, then I'm going to pack the orders first, and I might go back to the risk I've
just found later... maybe...

What do we really need to know about a risk before we can start to assess it and plan
mitigation activities? I'd suggest that all we really need to know up front is:

    1. What is the risk? A short description of what the risk is, what might be the impact if it
       happens and maybe what the trigger could be
    2. An assessment of the impact including the likelihood that the risk will actually happen
       and a rough cost to the business if it does
    3. An assessment from the author as to whether he or she can manage and mitigate the
       risk themselves

That's it - 3 key pieces of information! OK, I might have simplified things a little but let me
explain. We need to know what the risk or threat is so that anyone monitoring the risk process
within the business can understand the level that the threat represents in relation to the
wider business. Remember, we all have a tendency to think about the effect of a risk in terms
of our own team, department or business unit. We rarely think how it will impact the overall
business, at least not initially.

We also need to know the likelihood and the cost. The person who has identified the threat
and authored the risk is probably in the best position to know, even if it is a high level
guesstimate that can be refined later. We all tend to exaggerate risks anyway until we have
a better picture of the impact. Don't forget though that cost may not just be monetary, it
could equally be regulatory, Health & Safety, public opinion or any other form of impact.

Finally we need to know whether the risk can be managed or mitigated by the author or
someone in their team. If they have identified the risk, the chances are that they are best
placed to own it. Don't fall into the trap of centralising your risk mitigation activities - risks to
a team or business unit rapidly become meaningless to the risk manager.

Less than a minute is all we really need at the point the risk is identified. That should be
enough to bring visibility to the issue within the corporate process but still allow me to get
those orders out of the door.

As government and regulatory bodies increase still further the amount of legislation requiring
visible corporate compliance and clear statements of risk to the core business activities, we
need to find a balanced approach to ensure our key people on the shop floor not only
identify and manage our risks but that they have the tools to do this in a way that supports
their needs as well as the corporate risk team. We need to find a middle ground when we
select new corporate risk governance solutions otherwise we may find ourselves once more
wondering what hit us, and why didn't we know about the risk in the first place.


Author & Company Information


Author:       Carl Booth

Job title:    Consulting Director

Company:      Line Xero Ltd

              Pera Innovation Park

              Melton Mowbray

              Leicestershire. LE13 0FG



Telephone:    01664 481157

Email:        carl.booth@linexero.com

Web:          www.linexero.com (Company)

              www.xerorisk.net (XeroRisk Product)
