Risk management is a way for you as an organisation to identify, assess and manage risk. It involves setting up processes that allow your business to anticipate what might go wrong, and assist in minimising the likelihood of those things going wrong.
As a follow up to our webinar in October entitled "Navigating risks in challenging times and beyond" (which you can watch here), we set out below some "top tips" which may be helpful to remember when establishing a risk management process for your business.
In our webinar, we polled our attendees to rank seven key risk areas for their organisations in order of importance. The results show just how varied and wide-ranging the risks for your organisation can be:
- Cyber security;
- Geopolitical / market conditions;
- Reputation management;
- Contract management;
- Supply Chain management;
- New technologies and Generative AI; and
- ESG and Net Zero.
They also demonstrate how risk management, including identifying and mitigating risks, is a constantly evolving process, and that organisations need to adapt to the changing realities of our world. Our poll highlights just how different the challenges organisations face (and their importance relative to each other) are from what they were even five years ago. A good, flexible process can help tackle these new, shifting challenges as they come along.
Top Tip #1: Risk management does not mean eliminating risk altogether.
When planning and implementing your risk management processes, keep in mind that these cannot, and should not try to, eliminate risk altogether, as risk will always be inherent in every business. In fact, choosing to avoid taking any risks would be as bad as ignoring risk altogether – your business needs to take some risks in order to succeed. Risk management therefore means being aware of the risks that you face, and then managing those at a level that your organisation can feasibly tolerate and is comfortable with. Keep in mind that issues which are beyond your control (pandemics, wars, government changes) could still crop up despite having implemented a robust risk management process. However, having an effective risk management process puts you in the best place to tackle the issues that they present.
Top Tip #2: There is no "one size fits all" approach to risk management.
Your organisation, depending on its sector, type (e.g., public/private) and size, might already be subject to strict corporate governance and reporting requirements. Alternatively, it might have more flexibility around the structure it puts in place for monitoring and reporting risk and may be able to set up risk management and controls in a way that is much more agile. Either way, the risk management process should not be unduly complex – over-engineering is likely to lead to missed issues. The approach adopted needs to be effective and work in practice for your organisation.
Top Tip #3: Speak to people across the business when establishing procedures to manage risk.
This will help to identify the wider risks that are seen on a day-to-day basis by different business units/teams and that are not just team, product or supplier specific, and are not risks that have already crystallised after something has gone wrong. There may be 'near misses' for example where controls need to be firmed up or adequate controls need to be put in place. This can also assist with getting buy-in and support for the risk management framework from across different business units/teams.
Top Tip #4: Keep an eye on the future.
Assign responsibility internally or externally to someone to look at what is coming down the line and keep up to date, for example, on any new legislation and/or regulations that your business may be caught by and which could affect how you run your business. With such a "tracker" in place you will be able to update your risk assessment processes to build in the specific criteria that any such new legislation/regulations may require and implement these in plenty of time ahead of the deadline.
Top Tip #5: Think carefully about reputation management.
Reputation is a key asset for any business – it can take years to build but seconds to ruin. Attacks on social media or being the victim of cyber-crime or even being involved in litigation can have an impact on reputation in a way that may become business-critical. Since reputation is fundamental to enhancing business value, it should be protected on a daily basis and the early identification and management of reputational risks is therefore essential.
Top Tip #6: Contract management: involve the right people from the outset.
Before entering into a new contract or business opportunity you need to involve the right people. Identify key stakeholders from the outset and ensure they understand and can determine the nature and extent of any principal risks your business could face and what your attitude is to these. Involving those key stakeholders from the start will help identify any key risk areas and allow you to deal with those proactively from the beginning. Key stakeholders would likely include the business team leading the project, the legal team who will be structuring the contractual documents and identifying legal risks, and the operational team who will be ensuring that what is down on paper is being carried out on the ground.
Top Tip #7: Contract management: Create and use standard terms where possible.
Creating and using standard terms for your business will expedite contract discussions and negotiations, allowing you to allocate more time to dealing with other key issues. It will allow you to commence any contract negotiations with the starting position already in your favour, and help reduce risk as your standard terms should be aligned to your risk profile. Of course, you may have to negotiate some of those terms, but having standard terms or firm commercial positions in advance puts you in a better position to negotiate with an eye on managing your key business risks.
Top Tip #8: Contract management: Don't forget about your signed contracts!
All too often once all the negotiating has concluded and terms have been agreed, contracts are signed and then filed away and forgotten about. Businesses should designate "contract owners" who are responsible for ensuring the contract is seen through and managed, including keeping on top of key dates such as termination and renewal dates. Too often a business may be party to a contract which they want to exit but where they do not have sufficient evidence to terminate for poor performance. They decide to wait for it to run its course but the date by which to give notice to exit the contract is missed because it has not been diarised, leaving the business stuck in that contract until the next renewal date, sometimes another year down the line, and with an increasing number of contract management or performance issues to manage.
The contract owner should also track the requirements of the contract. This would include ensuring that services are delivered on time, that SLAs have been met, and that the business has been paid or has paid on time. By having someone monitoring your contract requirements, your business can assess its options in real-time if any requirements are not being met. You might decide that nothing needs to be done in the situation, but at least you would be making that decision consciously and with the relevant evidence to inform that decision.
Top Tip #9: Consider external assurance.
External assurance can be a really important tool and can be undertaken on a range of risks and compliance issues within your business as well as across jurisdictions. For example, it can help to check the measures your organisation has in place and review and report on compliance with specific laws or regulations. It might also be required or preferred because of the impact it has on investments or growth of your organisation, or perhaps assist with regulatory oversight since it can demonstrate an audit of compliance with regulatory standards.
It is especially useful to provide an important sense check that your organisation is doing the right things and that no blind spots have been missed. It also provides an objective analysis and can offer different insights and perspectives as others may see risk through a different lens.
Top Tip #10: AI and risk management.
When used correctly, AI technology can save time and money in the implementation and running of effective risk management systems. It can assist in monitoring and preventing cyber-attacks, and managing supplier and customer risk (for example, by providing more accurate predictions about the likelihood of a business defaulting on a payment). Keep in mind, however, that AI systems can also present new risks (including financial, reputational, and legal). For example, AI applications that process large amounts of personal data (e.g. of consumers) may not always comply with current data protection frameworks such as the EU and UK GDPR. Businesses should therefore ensure that such risks are identified and clearly understood before deciding to implement any new AI technologies.