The four core questions to risk management
A lot of the theory and discussion around risk management can seem complex, but essentially everything boils down to four core questions:
- Do you know the things that matter most to help you succeed?
- Do you understand how and why these things might be disrupted through uncertainty and what you can do about that?
- Are you doing something to minimise the effect of uncertainty on the things that matter most?
- Do you know if what you are doing is working or not?
Everyone needs to understand the risks they face to get the outcome they want. Choosing which risks to control and which to live with reflects your appetite for risk and the potential exposure you can manage.
What is a control?
A ‘control’ (or group of controls) provides you with the ability to monitor and influence risks through a pre-determined risk treatment strategy. A control can also give you an improved measurement to understand the level of risk you are facing at any point in time.
Controls take many forms, but generally they are one of the following:
- a process,
- an activity,
- a physical mechanism; or
- a pre-set threshold.
Benefits from defined controls
If you have the right controls in place, then you can measure the reduction in risk exposure that they provide against the cost of the controls. It is one important way of measuring how well your risks are being managed. If you have set a Risk Appetite Statement and you do not have defined controls, then you will almost certainly struggle to operationalise it and understand whether you are really taking acceptable risks.
Controls give you the ability to see early warning signs that risks might be about to escalate into a problem. This in turn gives you the opportunity to proactively address the risk and keep it from becoming an unacceptable issue.
When you look at this process at scale in a complex organisation, it is critical to know that all your controls work to prevent risks from becoming problems, keep you within your budget, and keep your staff working on building business rather than responding to avoidable issues.
For all of your risks, you need to understand what your controls are, who owns them and whether they are the right controls:
Example 1: If there is a risk of fire in a building, some preventative risk controls would include:
- conduct a sprinkler system diagnosis/test by a qualified technician; and
- conduct a regular test of the fire alarm and staff evacuation strategy.
The controls here are a physical mechanism/test and a process/activity. If these controls were not identified and the risk treatment was simply to ‘call the fire brigade’ (transfer the risk), then the risk may quickly become an issue: a fire may have broken out, the sprinkler system may not be responding correctly, and people may be hurt before a fire engine arrives.
Example 2: A gas compression cylinder relies on a valve handle being closed when not in use. If the handle is not closed properly, a dangerous gas leak could become an explosion risk. Some of the preventative controls would include:
- a locking mechanism on the valve handle;
- an indicator light (green/red) indicating that the tank pressure is stable;
- this may also be connected to an alarm which sounds if the tank pressure drops and the valve handle is not in the locked position.
If the ‘control’ was simply to ensure that the last person to use the tanks shuts off the valve, then there is little to prevent this from causing an incident if the person is distracted and doesn’t shut the valve properly.
Controls are important in managing your business and avoiding failures which could hurt your staff, customers, supply chain, finances and hard-earned brand.
Are you in control of your risk profile?
So how do I know if I am prepared and in control of my risk profile for my business?
Some of the key questions we find many organisations – even the largest and most well managed – benefit from asking are:
- Do I know what the most important controls are in my organisation?
- Is it clear who is accountable for all of these controls?
- How do I know that these controls are the right controls?
- How do I know if these controls are working the way they should?
If you don’t know the answers to the four questions above, then you would likely benefit from an assessment of the current state of your controls.