A Risky Business
Why our risk software hasn't been good enough
I’ll first admit to failure.
For decades my company have profited from selling and implementing risk management software which I don’t think does a good enough job.
Let me explain. We have implemented traditional risk management software. Much better than tracking risks on a spreadsheet or on paper. Better process, automated emails, automated reporting, better looking, more engaging.
So, what’s been wrong with it?
We have supported the monthly, or worse quarterly (or in some cases annual) visit by the Risk Manager to the divisional manager and the board director to collect a list of possible things that might happen, to rate those on a 5 x 5 matrix of Impact and Probability, to create a Risk Rating.
Often ignored but we have also supported adding the Risk Controls and the Risk Mitigations.
We have even supported one of my least favourite aspects of risk; the ‘untreated’ or ‘inherent’ risk. And we support risk type, risk treatment, risk targets, risk analysis, risk incident, risk cost, mitigation cost.
We have created on-line, automated, good looking risk register reports and progress on control and actions.
Job done, right?
Well, no. Perhaps job done badly, or at best adequately. Definitely not done right.
Even prior to the COVID-19 epidemic I had challenged my own internal complacency about risk management.
Are we making risk a part of everybody’s everyday thinking? Are we ensuring risks are specific and related to each of the goals or core operations that the organisation is setting out to achieve? Are we ensuring widespread identification of risk and capture of control and mitigation? Are we even talking in a language that every manager and team member understands?
This is our first key take away: Traditional Risk Management systems are not sufficient.
And so we began a re-imagining of risk systems.
We haven’t perfected it yet, but the first step is recognising our own flaws and being creative about how we address them. We now have new ideas, and new ways we want to implement and improve risk management, and we are starting to implement with forward-looking customers and work with strategic and operational thinkers and Risk Consultants to create a different approach to risk.
Today I am a hobbyist pilot, although I was trained within the RAF. Risk isn’t something you think about once a quarter or once a year. It is not a list I look at and see a report on monthly.
Here is a second key take away: Risk management is a continual mindset.
A pilot looks afresh every flight, every minute, at what typically might go wrong, at what new thing might go wrong, what might that affect that might then be an issue to address. How would I deal with it if it went wrong? What are my ‘really bad case’ responses? What other responses do I have as options?
In fact, I have had things go wrong (most pilots have!); some have even been of my own making. The knowledge of standard responses has helped, and also, in the moment, you find other responses that are combinations or variants or completely novel solutions.
Which is how it needs to be with organisational risk.
Here is the third and final take away: I challenge myself, our team, and every management team, to achieve this capability and resilience in the business and risk systems we implement.
Let’s improve the relevance of risks, the awareness of ‘what would stop us achieving our goals’, let’s integrate risk thinking into every day work, as well as strategic planning, let’s route questions and capture suggestions, let’s relate specific risk to specific goals.
Let’s increase the frequency and pace of re-planning, let’s include more frequent horizon scanning. Look beyond the financial strength and regulatory reporting.
Let’s re-examine the core goals more routinely. Homelessness has been an issue for years, yet some councils managed to house / safeguard vulnerable individuals in days and weeks where before bureaucracy and cashflow prevented a multi-agency solution. Urgency and determination caused by COVID-19 has temporarily resolved that for now.
Let’s engage every team member in collaboration, discussion and integrated ways of working and reporting. Let’s not live in silos, and rather than have a ‘risk team’ that ‘manages risk’ let’s put risk identification and management on every person’s virtual ‘To Do’ every day.
How can we re-plan at speed when a future shock happens?
Let’s come up with new ideas!
What do you want that would help you improve risk management in a new COVID and post COVID world?