Not many outside of the fields of finance and insurance study the subject of risk so extensively or know it so well. This doesn’t mean that you need a wealth of knowledge about risk or tons of experience managing it.
To manage risk well, you do have to be forward-thinking. Seat-of-the-pants management doesn’t cut it, even if your organization is very small, like mine. Continually putting out fires — reacting rather than planning — is as far as one can get from risk management.
We need to approach risk management systematically and methodically. This means we should:
- Know and understand the risks our businesses face. It is wasteful, counterproductive, and pointless to worry about events that are low on the probability or impact scale. Know where your efforts will be rewarded the most and concentrate on those risks.
- Implement a risk management policy, making sure it aligns with our overall company policy. State your company’s greatest concerns with respect to risk and point your company in the right direction – tell them generally how you’re responding to risk and why.
- Develop and implement a risk management framework. Here, you go into considerably more detail than you do in your risk management policy, of course. ISO 31000 is designed to guide you through this process.
- Get everyone in the organization involved. Make sure risk management is part of everyone’s job. Every one of your company’s processes, no matter how trivial they might seem, has an element of risk and must, therefore, be operated with risk management in mind.
- Continually gather and analyze risk data. Identify, monitor, and report on anomalies and trends early. This is the era of “big data” and it’s difficult for anyone, at any given time, to say what data we need to be analyzing, so have some flexibility. If you’re tracking certain data and you discover they’re not telling you what you need, don’t stop and fret. Learn from your errors and move on.
- As important as corrective actions are, you’ll discover that preventive actions help you manage risks more effectively.
- Conduct risk audits periodically so you manage change more effectively. New types of risk surface all the time – it’s unavoidable. Inevitable, even.
- While you can always improve, don’t ever expect perfection. High expectations often lead to a great deal of disappointment. Your risk management framework will probably improve slowly and gradually. Oh, you might get the occasional leaps and bounds, but mostly you have to be patient and persistent. Continual and incremental improvement is what you should strive for.
- Don’t outsource risk management completely. What I mean is that while other companies and individuals may know quite a few things about risk management that you don’t, they don’t know your business quite as well as you do. Don’t abdicate your own responsibility to manage risk.
- Continually assess the fitness of your risk management framework, with an eye to making changes for the better.
Speaking of approaching risk management methodically, note that ISO 9001 can be invaluable in your risk management efforts. You don’t have to be ISO 9001 certified to use the standard. Something I mentioned earlier — preventive action, a requirement of ISO 9001 — is an excellent risk management tool, one that every business should use.
What about your organization? Are you managing risk? How?