Junita van der Colff – Managing Director, Protean Business Solutions
The uncertainties created by the Global Covid-19 pandemic has really put the management of risk in the spotlight. As we know, ISO31000 defines risk as “the effect of uncertainty on objectives”. While we are acutely aware of the many things that can go wrong at this time, very few of us are considering the opportunities that may emerge from the crisis.
King IV refers to the management of both risks and opportunities. Opportunity Management was previously included as part of risk management practices, but it was not explicitly named. The addition is important as risk has always been perceived as something negative. With the inclusion of ‘opportunity’ in Enterprise Risk Management (ERM) programmes, perhaps the perception of what Risk Management is will evolve from ‘tick the box’ compliance to an enabler to create enterprise value and improve organisational resilience.
As we now know, organisational culture is a key component in a company’s success – it is about much more than how staff go about their work. A risk and opportunity-aware culture will contribute to the successful achievement of strategic objectives, setting the tone for how we conduct our activities and interact with one another at work. When it comes to the successful implementation of ERM programmes, I believe one should apply the 80/20 percent rule. Some 20 percent of the programme should be about establishing methodology, tools, governance, and framework (the formalised risk management process) and 80 percent should be about creating a more risk and opportunity-aware culture. Ironically, we tend to spend 80 percent of our time and resources on establishing and formalising the ERM framework and methodology and only 20 percent on establishing a risk and opportunity-aware culture. This may be the reason why a lot of organisations feel they are not getting any value from an ERM programme but run it for the sake of compliance.
As an experienced consultant, I have identified a few factors that can drive a more risk and opportunity-aware culture in organisations.
- Tone at the top
If the leadership of an organisation does not buy in to the ERM programme, you are going to have a hard time getting anyone to make time to go through the process or update any information. Leaders who do not understand ERM tend to react defensively, fearing that the perception will be that they are not doing their job. A finger-pointing exercise misses the point and undermines the objective of risk and opportunity management.
On the other hand, if leaders consider risk and opportunity as part of their decision-making process and acknowledge the value the ERM programme adds to the organisation, their staff will follow their example. If leaders are accessible and approachable, staff members are
more likely to emphasise and share opportunities with them. If leadership is feared, this is unlikely to occur.
- Strategic direction and objectives
It is important to communicate strategic objectives clearly and well at all levels of the organisation, so staff can understand where the company is headed. This will help them to assist in identifying the risks and opportunities that will prevent or aid the achievement of objectives. When staff members have a holistic view of the value they add, a sense of purpose is created.
There is a perception that the ERM function/risk manager of an organisation ‘owns’ the risk. For some reason, if something in the organisation goes wrong, it is the risk manager who must field the question, “Why did this happen?” Risk and opportunity management is the responsibility of all staff. Levels of authority and responsibility differ but staff ultimately need to understand that they have a part to play in the organisation’s success. It is not the responsibility of the ERM function to identify and manage risk, although it does provide the necessary platform, tools, and framework to do so. Risk managers must be change agents. They need to have the capability to empower all levels of staff to manage risks in their areas and emphasise team effort in the process.
- Risk appetite, tolerance setting and communication
I have engaged with many organisations that can show me a risk register with risk ratings but have not paid any attention to risk appetite and tolerance setting. I believe this should be the starting point. Without establishing an organisation’s risk appetite and tolerance levels, it is impossible to effectively rate or prioritise risks. The communication of risk and tolerance levels will help staff to understand boundaries and limitations. Fewer organisations have risk tolerance for reputational risk, and this only the importance of communicating risk appetite to all staff. For example, staff members should think twice before they post something on social media relating to the organisation, considering the impact this may have on reputation and company brand.
- The complexity of ERM programmes
I believe we overcomplicate ERM. The less complex the programme, the more buy-in one can get. Focus on quality of the information rather than quantity. If staff members understand the ERM process and can see the value the information adds to the organisation they will be more likely to want to participate.
- Integrating risk and opportunities into day-to-day activities
All staff are identifying and dealing with risks and opportunities on a day-to-day basis, even if they are not aware of it. It is important to make staff more conscious of the risks and opportunities as well as the consequences thereof, so driving behavioural change. We often think that ‘training and awareness’ sessions are the answer to all deficiencies, but I do question their effectiveness. People go into these training sessions because they have to, not because they want to. They also have preconceived ideas that are very difficult to change. Yes, we need to run awareness sessions, but I believe good leadership is more important. Appointing the right people in the right positions is key. Good leaders inspire change, influence the way others think, and challenge the way things are done. With the movement to include opportunities in the risk process, leadership becomes ever more important as we seek to drive innovation and growth.
To ensure that organisations derive maximum value from the risk and opportunity management process, there must be greater focus on creating a risk and opportunity-aware culture. For organisations to create enterprise value, grow, create trust, and drive a sustainable organisation, they will need the right people, culture, and leadership.