The four core questions of risk management
A lot of the theory and discussion around risk management can seem complex, but essentially everything boils down to four core questions:
- Do you know the things that matter most to help you succeed?
- Do you understand how and why these things might be disrupted through uncertainty and what you can do about that?
- Are you doing something to minimise the effect of uncertainty on the things that matter most?
- Do you know if what you are doing is working or not?
Everyone needs to understand the risks they face to get the outcome they want. Choosing which risks to control and which to live with reflects your appetite for risk and the potential exposure you can manage.
What is a control?
A ‘control’ (or group of controls) provides you with the ability to monitor and influence risks through a pre-determined risk treatment strategy. A control can also give you an improved measurement to understand the level of risk you are facing at any point in time.
Controls take many forms, but generally they are one of the following:
- a process,
- an activity,
- a physical mechanism; or
- a pre-set threshold.
Benefits from defined controls
If you have the right controls in place, then you can measure the reduction in risk exposure that they provide against the cost of the controls. It is one important way of measuring how well your risks are being managed. If you have set a Risk Appetite Statement and you do not have defined controls, then you will almost certainly struggle to operationalise it and understand whether you are really taking acceptable risks.
Controls give you the ability to see early warning signs that risks might be about to escalate into a problem. This in turn gives you the opportunity to proactively address the risk and keep it from becoming an unacceptable issue.
When you look at this process at scale in a complex organisation, it is critical to know that all your controls work to prevent risks from becoming problems, keep you within your budget and keep your staff working on building the business rather than responding to avoidable issues.
For all of your risks, you need to understand what your controls are, who owns them and whether they are the right controls:
Example 1 – To ensure you get the value you paid for and meet your obligations under a third-party supply agreement, some controls might be:
- An SLA (Service Level Agreement) that captures the key performance metrics for the parties and is appropriate to use day to day to ensure you get what you pay for;
- Clear ownership of the agreement by someone in the business who will stay across required changes and opportunities to protect and grow value from the arrangement;
- An agreed independent assurance cycle whereby Internal Audit/Operational Risk (or someone else) reviews the ongoing governance and management by the parties.
Example 2 – A gas compression cylinder relies on its valve handle being closed when not in use. If the handle is not closed properly, a dangerous gas leak could become an explosion risk. Some of the preventative controls would include:
- A locking mechanism on the valve handle;
- An indicator light (green/red) indicating that the tank pressure is stable. This may also be connected to an alarm that sounds if the tank pressure drops and the valve handle is not in the locked position.
If the ‘control’ was simply to ensure that the last person to use the tanks shuts off the valve, then there is little to prevent this from causing an incident if the person is distracted and doesn’t shut the valve properly.
Controls are important in managing your business and avoiding failures which could hurt your staff, customers, supply chain, finances and hard-earned brand.
Are you in control of your risk profile?
So how do I know if I am prepared and in control of the risk profile of my business?
Some of the key questions we find many organisations – even the largest and most well managed – benefit from asking are:
- Do I know what the most important controls are in my organisation?
- Is it clear who is accountable for all of these controls?
- How do I know that these controls are the right controls?
- How do I know if these controls are working the way they should?
If you don’t know the answers to the four questions above, then you would likely benefit from an assessment of the current state of your controls.