2. AGENDA
Focus on managing risk
How risk management is relevant to leaders
Talk about culture
Think about risk-taking
And more…
3. RISK MANAGEMENT PROCESSES
Talk to your neighbour
3 minutes each way
How is risk managed in your organisation?
HOW DO YOU DO IT?
4. TRADITIONAL APPROACHES
Identify all the risks you can think of
Rank them for impact and likelihood
Multiply the factors to prioritise risks
Present in a risk register
Variations on this?
RISK REGISTERS
8. LEADING RISK MANAGEMENT
Trustees
Audit committee
Middle managers
Senior managers
Strategic risks
• External
• Outside your control
• Possibly high impact
Operational risks
• Internal
• Within your control
• Possibly high probability
Mitigation
Response plans
Reduce likelihood
Framework of controls
Management assurance on control
Active, regular monitoring
9. STRATEGIC RISKS
Often external
Need to monitor regularly
Focus on high impact risks and scrap the
ranking
Talk about how you would respond if that risk
event materialised – rehearse
Clear responsibility for developing response
plans and implementing
11. OPERATIONAL RISK ASSURANCE
Managing day-to-day risks is part of the
normal management job
Describe the actions and processes in place to
manage risk
Map to the risks
Identify gaps or overlaps
Notes on further actions or changes
Annual sign off
Provide training and coaching
12. RISK POLICY
Policy should describe attitude to different
areas of risk
Where it is appropriate to take risks
Level of risk that is acceptable in different
scenarios
Communicate the risk policy
Review strategic and operational risk in the
context of the policy
RISK-TAKING – NOT RISKY
13. RISK FOR INNOVATIVE ORGANISATIONS
Starts with risk policy
Project management tools
Pilots
Feedback mechanisms
Pre-mortems
Multi-disciplinary teams
Finance team engagement
14. RISK CULTURE IN INNOVATIVE
ORGANISATIONS
Feedback not failure
Fail quickly
Reward the right behaviours
People are well-intentioned
Talk about the strategy
Devolved structures
Theory Y organisations as described by Douglas McGregor in “The Human
Side of Enterprise” 1960
15. SUMMARY
Do you discuss your big risks regularly with senior
managers and the Board?
Do you have response plans for major strategic
risks?
What is the culture being created by your approach
to risk management? What do you want your
culture to be?
Where do you want to be risk-taking?
Where should you accept risk?
QUESTIONS FOR LEADERS
16. MORE INFORMATION
Rethinking risk: beyond the tickbox
Free to download on our website
www.sayervincent.co.uk
Contact
Kate.Sayer@sayervincent.co.uk
Do risk management processes work? More precisely, do the processes you have in place actually manage risk? And what do we mean by ‘manage risk’?
Putting a risk on your risk register does not necessarily mean that you are managing it.
There are many flaws with the process and with risk registers – I won’t go through all of those here.
Focuses on the negative
Fails to say where risks will be actively taken
Risk management is seen as a separate activity
We imagine we can think of all the risks
And consequently we often find three things:
The risk register is a list of things that we are worried about
It doesn’t contain the biggest risks your organisation faces
Often it doesn’t reflect the risks around missed opportunities
Yet, people do talk to us about their biggest risks and opportunities when we engage them in conversation. So just take a moment now to jot down
What is the biggest risk your organisation faces?
What is the biggest opportunity?
I often hear charities complaining that Boards are risk averse – and attribute this to the individuals on the board. But what if it is not caused by the individuals bringing a risk averse mindset to the board table, but the way that we undertake risk management and the way that we communicate it?
And there is a different problem which I have only recently been learning about – risk assessment puts you in a mindset of “loss”. This triggers a fear of loss – so we are then operating in a mode of fear, protection, hanging on to what we have. It is all about AVOIDING.
A different part of our brain is activated when we consider the rewards associated with risk-taking. This makes us feel joyful, positive towards those around us. It often makes us feel more confident and we can feel more capable – “in flow”. Energised is the word people often use. This is about APPROACH.
Now, the tricky thing is that fear of loss or harm has several times more power than a reward. Daniel Kahneman in his experiments showed that people hated loss. They were less inclined to move to action to claim a reward.
Combine that with a bias towards keeping the status quo.
Compliance-focussed - tick box mentality
Complacent – assume that they can identify all risks and that all risks are knowable
Organisation is cautious and feels that things happen to it – e.g. cuts to funding
Top-down processes for risk, planning and budgeting
Hierarchical – decisions have to be passed up the line
Staff follow procedures without question – you are told off if you don’t follow procedures, so even if it does not make sense, they follow procedures
Staff don’t use their initiative
Difficult to get change accepted
This sort of organisation is described in Matthew Syed’s book ‘Black Box Thinking’. Where people feel that they will be punished for errors, they go unreported, so improvements are not made. A classic example is healthcare, where managers and clinicians are defensive, but often are not even aware of the impact on the culture that this has.
This is what you should be talking to the Board about
Integrate into strategic planning, Board agendas
This helps to identify where you should not over-control
Take risks – e.g. in advocating for your cause
Accept risk – where it is part of achieving outcomes e.g. You make grants to refugee groups. There is a risk that they will not deliver all the outcomes. This is a risk worth taking and you can accept it because it is your policy to take risks in grant-making for hard-to-reach groups.
Effective risk management should enable organisations to take risk
Having basics of strong risk management – communicated through the organisation – breeds confidence in taking risks
“Brave and rigorous”