Don’t confuse risk identification with risk management
In these uncertain times, more and more organisations are looking at how they manage risks.
For many NGOs working in the humanitarian sector, effective risk management is a contractual requirement imposed by donors.
While most organisations understand how to list their risks in a database or spreadsheet, many struggle with how to manage risks in real terms.
Risk management is much more than just listing a set of potential problems. Many risk registers contain too many minor issues that can easily be managed via business as usual.
Good risk management should identify the root cause of the issue and seek to resolve that root cause, instead of merely identifying a symptom and eliminating that – at best that is a sticking plaster approach.
Developing proactive treatment plans to reduce the likelihood of risks materialising and reactive treatment plans to reduce the impact if the risk does materialise is key to effective risk management.
Moreover, identification of treatment plan owners, and requiring them to regularly report on how their treatment plans are being managed, develops a sense of accountability and ownership of risk treatment plans within the organisation.
Taking this approach will assist your organisation to develop its risk reflex. Over time, risk management becomes business as usual and is an ongoing way of thinking and behaving that is part of the muscle memory of your organisation.
Too many organisations will say they have done risk management as a one-off exercise. For example, they might say ‘we have put together a risk register so we don’t need to keep doing risk management’.
In reality risk management is a daily business as usual activity that needs to be habitual, or, as we say, reflexive.
Building a ‘risk reflex’ is part of ongoing culture development within an organisation.
Sometimes external specialists such as OSACO Group can be useful catalysts for such a culture shift.
I used to invite myself to meetings and the question was asked “why is the risk guy here, we’ve done risk, haven’t’ we?” I then used to listen to the conversation and observe which risks had been managed (that the team had not even realised they were managing).
I would then say, for example, “As a result of the decisions made here in this meeting, you have managed to reduce the likelihood of risk number 123 from occurring, because you have effectively developed a risk treatment plan without even realising it. So I can see you are now integrating a risk reflex into your day-to-day business. However, you should also look at these other two risks that are linked to this work stream and think about how you might apply resources to reducing the impact of that risk or look at ways to react should that risk occur”.
Over time, I would encourage meetings to have the risk register available, and to have the treatment plan owner to speak to whatever risk the team was trying to manage and to comment on progress.
Developing a risk reflex doesn’t just happen. It needs development and encouragement to become second nature. It’s not a magic scale or system, but a way of behaving.
As experienced risk advisory consultants OSACO Group is able to support organisations to develop their risk management strategies, to identify what issues may hurt them, what actions can be taken to reduce harm, and to conduct periodic health checks to ensure organisational risk strategies remain on track.
We can provide risk management training, we can engage with functional teams in an organisation to provide specific risk assessments for projects, work streams, and departments and we can work with you to develop risk strategies to identify harm, develop actions to reduce harm, and report on progress.