- RISK MANAGEMENT WATCH
Ahead of you is a deep fast flowing river. It is a sheer drop to the water. Do you jump? All you can think about right now are the risks, but what are they? Being human, some of us are rational thinkers, or just crazy! People throw themselves into extreme risk situations for all sorts of reasons. Some survive and some don’t!
But you were asked whether YOU would jump. Did you answer ‘no’? If you did, then that’s the wrong answer. Did you answer ‘why’? If that was your response, it was the correct response. You should be asking the question ‘why should you be thinking of jumping?’ Now, imagine that behind you were fierce gun totting and knife wielding Fulani herdsmen. You know they are out to kill you. The wind is at your back and you can hear their footsteps and cattle hooves getting louder behind you as you gaze into the river. There is a 100% chance of death if you remain where you are, but you might just survive if you jump into the water below. Would you jump now?You will agree that the decision to jump or not now becomes easier with a clearer context, and more information.
This scenario leads us into an understanding of Risk Identification, the first step of the Risk Management process.
Risk identification depends on firstly defining the context. You might think about the objective or goal to be achieved, or you might think about what might happen if the risk is not taken. The context could be as simple as the goal or target ahead, but there are other internal and external forces to be taken into account; external influencers, such as the Political situation, economy, demographics, climate can all have a bearing as can internal influencers such as the gearing of the organisation, current cash flow and liquidity, availability of raw materials and suppliers; it all depends on the risk area to be focussed on.
If we were to be conducting a strategic risk identification exercise for a hotel chain who wants a three year forecast of risks, we might ask ourselves a range of contextual questions before thinking about what the risks are such as;
INTERNAL CONTEXT EXAMPLES
- What is the current capacity?
- What is the average occupancy?
- What are the statistics for occupancy versus capacity for the time of year?
- What is the financial situation?
- What is the reputation like?
- Are the contract conditions for events robust?
- Are we up to scratch on staffing levels and skills?
- What is the current standard of maintenance of the hotel and key equipment?
- What are the goals of the internal stakeholders with respect to performance over the next three years?
- What are the goals, plans,vision, culture and value drivers of the business?
EXTERNAL CONTEXT EXAMPLES
- Are the key suppliers performing and is there a good contractual arrangement with them?
- What is the current Political situation? Is there a period of consolidation or change?
- What are the macro-economic issues that affect the business?
- What is the supply market for people like?
- What are the competitors planning / doing?
- Are there any climatic events forecast in the period under review?
- What are the goals of the external stakeholders over the next three years?
Once there is a realistic evaluation of the contextual issues, then the risk identification can begin.
There are many methods for risk identification having explicitly explained the context for the business and the exercise; here are some examples;
Depending on the criticality of the exercise, one would use one or more of these methods, even resorting to all of them if necessary to get a full picture of the risks, or uncertainties.
Most organisations get to the stage of having a long list of risks. You might have a huge list of risks that vary from the bizarre to the ridiculous and there seems to be a real mismatch between size and importance of the risks.
Do not despair!! Before even thinking about the process of weighing up the size of the risk, there needs to be some work to sort out the wheat from the chaff.
There is a case of a public listed company that was struggling with its list of 456 risks which were presented to the board on a monthly basis. The board could not determine which of the risks they needed to concentrate on, nor could they work out what they were supposed to do.
The consultant agreed a programme of interviews for board and senior management members, some analysis and then a workshop to present the findings and refine the list.
Having analysed the contextual issues and the list of 456 risks, the consultant had a pretty good idea of the questions that were going to be asked in the interviews, and set about conducting those interviews over the course of two weeks.
After further analysis of the output, the consultant grouped the risks into six key risks that corresponded with the six main objectives and goals for the organisation. All of the 456 previous risks and the further risks that had been articulated in the interviews were appended as causes and or consequences of these six key risks or as operational risks. Some operational risks were about control failures, others about key dependencies such as premises, people, knowledge and suppliers.
The largest and brightest key risk by far, was one that was new to the board and senior management team. Whilst each individual had referred to it in the interviews, nothing had been written down nor was it on the original list of 456 risks.
This risk was about a schism on the management team between the ‘old guard’ who wanted to carry on as before and the ‘new order’ who recognised the opportunities and threats brought about by the internet and social media.
This organisation was standing at the edge of a river. There were those that recognised that the rampaging Fulani herdsmen at their back were about to hurt and maim them, and the others that felt the threat of death was not significant. As a result of that risk identification exercise, the organisation did plunge into the water below and grabbed the opportunities presented by the new technologies after recognising the wider contextual issues.
Today it thrives and leads in its field using its risk management system as a core part of its governance processes, with the board concentrating on the key risks and the operational risks being delegated to the rest of the organisation. But it might have been a different story had it remained at the edge of the river.
A problem cannot be solved without first identifying it. I will sign off with one big question, are the present policies of government working to alleviate the suffering and high cost of daily living? If NO, is there any serious Risk Identification taking place?And by who?
- Mbonu, FERP, CIRM(UK), HCIB, MsRM (Stern), studied Engineering, is an experienced Banker and Enterprise Risk Management professional. Earned a post graduate degree in Risk Management from New York University Stern School of Business, and is a member of the Institute of Risk Management -UK. Can be reached on 09092092046 (SMS Only); email: firstname.lastname@example.org