It is the weekend and I have just left a risk-related discussion with a non-risk management professional (but an experienced military and business man). He showed me a local council’s risk register (he is a councillor) which was quite a ‘standard’ risk register with risks scored using a RAG approach. His question (or should that be his frustration) was: how can we invest so much in risk management and have a number of people involved, yet get hit by a major event (a very damaging Ofsted report) which has never appeared on the risk register?
This question has prompted me to think about 5 weaknesses which often contribute to a situation where risk events hit yet the risk was not on the register. These 5 weaknesses are seen all too often:
1) Lack of integration with Strategy – There is often a lack of integration between the organizational strategy objectives/business plan and the corporate risk register. This means that when councillors (board and executives) were asked to review the risk register they were doing so without the full business context. This lack of context makes it extremely difficult to challenge the individual risks themselves, or the overall corporate risk register. It also means that the value of the corporate risk register from a decision-making perspective is considerably reduced. Based on my experience, risk registers presented in isolation like this have a habit of indicating that the risk management team is operating in isolation from the rest of the organisation and that the risk management process is a tick-box exercise rather than one that plays an important role in organisational decision-making. The risk management process has to be integrated with the organisation’s strategy and business plans, and the process must be embedded; otherwise risk events such as a very damaging Ofsted report will continue to catch organisations by surprise.
2) Poor Risk Identification – Related to the first point, if organisations find that they are surprised by risk events which are not / were not recorded within a risk register, such as the council and its Ofsted report, they should look carefully at the quality of their risk identification process. Often the risk identification process can be ineffective because of a lack of engagement in the process beyond the risk team or because the tools used in the process are too limited.
To ensure that the Risk Identification process is robust and identifies all the key, non-key and emerging risks in the organisation, the risk team must engage across the organisation from the board and executive down to the front line. They should not simply create a risk register based on their own, internal departmental view. As part of the identification process, the risk team should utilise a range of tools and techniques to ensure a complete view of the organisation’s risk universe is developed. Running a risk workshop is a common part of the risk identification process; unfortunately, it is often the only step in the process. A well planned and executed risk workshop is a good risk identification tool but should be supplemented with 1-2-1 senior management interviews, questionnaires, reviews of historical events and management information, scenario planning and war game sessions and, a particular favorite of ours, structured brain-storming sessions (we use SMARTWISDOM to deliver these sessions).
3) Use the Risk-bow tie – One Risk Identification tool worth a separate mention is the Risk-Bow tie. The Risk-Bow tie is made up of a risk, its causes and consequences (and often its controls) and can be used as a thinking tool to assist an individual or a group to develop a complete understanding of the risk. It is also a tool that enables the organisation to improve the overall quality of the risk universe by clearly defining causes and consequences per risk, often leading to a rationalisation and consolidation of the risk universe.
4) No Key Risk Indicators (KRIs) – The council risk register which prompted this blog is like many I have seen, in that it only provides a point-in-time assessment of the level of risk within the organisation. What was really missing is trend information, particularly Key Risk Indicator (KRI) trend information.
KRIs have an important role to play in the risk management process as they enable changes within the risk profile to be monitored and trends to be developed which can both feed into the risk assessment process and provide additional time-based insights into the organizational risk picture.
5) Presenting data not information – Again, this point relates to the point above. Far too often risk registers are presented in a ‘flat’ report format, meaning that they simply state the current risk assessment level or score. This is presenting data; risk teams should instead be focused on providing decision-making information.
Rather than use a report format to present a risk register, why not supplement it with dashboards with trend charts and information which show how risk assessment levels have changed over time? Include KRI trend information and/or include an overlay that shows the relationship between risk assessment levels and risk event trends (hits and near-misses).
Engage the senior team by presenting attractive decision-making risk information, not just a flat risk register.