Objectives. Strategic Risks. Risk Appetite. Together, they form the Holy Trinity of risk management. And in Breakfast Briefing #13, RSM’s Matt Humphrey explains how these critical components can work together to create a whole greater than the individual parts.
This is the Gospel according to Matt.
All organisations have objectives and mission statements and values, often with words like ‘responsibility’ and ‘community’ proving particularly prevalent in housing.
However, only a small proportion of these are likely to have considered how they align with their strategic risks and risk appetite, leading to statements and declarations that might sound nice but offer little in the way of organisational applicability and functionality.
Remember, these three elements are supposed to work together, with each component influencing the other.
“Does it clearly identify the path that this business is on for the next three years?” asks Matt. “Would that make you different from the organisation down the road?”
2. Strategic risks
These are risks that will have a fundamental impact on the achievement of one or all of the organisation’s objectives.
The majority of strategic risks are the ‘business as usual’ type. These are fundamental risks that bear weight on everything your organisation does on a day-to-day basis.
The rest are ‘exceptional’. These are risks that you may not know how to control, but for which you need to take action to mitigate their impact. (See our earlier Briefing on Organisational Resilience.)
“Think about…the type of risk you’re looking at,” says Matt. “Don’t be thinking you’ve got to have risks on your strategic risk profile that are really out there and different. These risks are core to your organisation, its objectives and the board’s outlook.”
3. Risk appetite
Different areas and activities will be exposed to different types and levels of risk, so you need to adjust your risk appetite accordingly and determine what your risk-appetite themes are.
Determine your risk appetite and strategic risk by asking four key questions in the context of your objectives:
- What’s the worst thing that can happen within the next 12 months?
- What’s the greatest challenge we might face within the next 12-24 months?
- What opportunities exist within the next 12-36 months?
- What are the emerging risks?
Let’s pick up on that last one…
The three components of the Holy Trinity are mostly static, and that’s no bad thing. What good would it do to have your values, mission statement, and risk statement change on a monthly or weekly basis?
COVID-19: an emerging risk whose impact few could have envisioned
However, emerging risks, such as Brexit and COVID-19, can and will shake things up. You need to be cognisant of them and consider how they will interact with each of the three components and whether there will be any changes to them.
“My little snippet of advice,” says Matt, “is to always take time to look out, around, and see what’s going on. Grenfell is a great example. As dreadful as it may have been, a lot of organisations reacted to that.”
(The World Economic Forum’s global risk reports (see infographic below) will give you a good idea of wider issues that could arise in the near future. Think about how the risks highlighted in their report might affect your organisation and the way you operate.)
Now that we understand the three components of the Holy Trinity and how to integrate them effectively, it’s time to learn the rules by which you must operate.
DO consider how much risk appetite you want to be taking with each strategic risk.
Take safeguarding, for example. It’s critical to the board, so it’s not something you’d want to get wrong. Something like community cohesion, on the other hand, may have a different level of risk appetite. Each risk appears on a spectrum – averse, minimal, cautious, open, hungry – so consider where each one fits in.
DON’T waste time thinking about certain types of risk.
COVID-19, terrorism, flooding… these are all risks that there’s little point placing on the risk register or deliberating over where they sit on the risk-appetite spectrum. They are black-swan events for which direct planning provides little benefit.
“These are dynamics that play through into your strategic risk profile,” says Matt. “You need to accommodate them, and review and reflect on your strategic risks accordingly and change the way in which you respond.”
DO communicate your determined level of risk exposure to the rest of the organisation.
This could be in the form of a risk-appetite statement. But as Matt says, it’s probably better to embed that in the way your organisation thinks about risk.
“When they’re reporting to the board, when they’re putting together reports for committee, for decision, they should be reflecting that and referring to risk appetite,” he says.
“They should be referring to objectives and they should be referring to the way in which that paper or that risk or that activity will impact on the strategic risk profile.”
DON’T let services and activities drive your risk assessment.
Instead, let your strategic risks and your risk appetite take control. Collect and report only risks that fall in those two categories.
“Imagine you’re in an organisation where you’re able to capture that sort of information,” says Matt, “but you’re able to report in the context of the trinity: It’s naturally aligned with your objectives. Furthermore, any risk exposures outside of this should be questioned – why and how have we become exposed to that risk if it doesn’t sit within the trinity – our organisation objectives, our strategic risks and our risk appetite?”
If you ever find yourself losing faith, remember the following take-aways:
- How well aligned are your three pillars?
- How do your three pillars drive your agenda?
- How have you communicated the three pillars as part of your operating framework?