Wednesday, 23 April 2014

Risk Management: Finding agreement on risk and controls

One of the primary activities of a risk management professional is to have conversations with organisation stakeholders to understand risks and what needs to be done to manage these risks.

These conversations can involve trying to reach agreement on the existence of risks and then on the subsequent risk management activity required. Recognising a risk and working out what to do about it requires, at times, considerable effort that could otherwise go into delivery of the mission-critical projects and business-as-usual activity that stakeholders' performance is measured against. Why would a stakeholder spend time on activities they are not measured against?

As a risk management professional, you need to answer this "Why?" question in a compelling way. To answer it you need to understand the organisation's objectives. You then need to couch your risk analysis, and your articulation of the risk and its impact, in terms of how the risk will affect the organisation's objectives. When I talk about organisation objectives, these may be top-level or lower-level objectives, from the top-level organisation or a single department within the organisation. Selection of the appropriate objectives depends on your stakeholder. You need to identify an objective as close as possible to your stakeholder. This is easier if you have a mandatory policy framework that has been approved at the highest levels and that all staff must comply with, but becomes challenging where this doesn't exist or is evolving. If you have a mandatory policy it will generally have an objective that everyone must support. If this doesn't exist or is evolving, you need to outline what the objective is and link it to the stakeholder's objective in a clear, compelling and self-evident way. This is where good risk articulation is important, and where understanding that risk is the effect of uncertainty on objectives comes into play.

Understanding this, the conversation needs to be preceded by you yourself understanding the relevant objectives and articulating a baseline risk that makes it very clear what the effect on the objectives might be, quantified as much as possible with relevant facts such as estimated loss or the frequency of similar risks materialising in the organisation or industry. This helps to paint the picture for the stakeholder.

One thing you need to remember is not to be wedded to your initial risk articulation. Your conversations with stakeholders will provide you with valuable insights that need to be incorporated into your risk analysis and associated risk articulation. Your stakeholders will also likely have pragmatic and valuable suggestions for controlling the risks they deal with day to day. You need to seriously consider these. One of the biggest causes of disagreement I have seen in my experience is risk professionals swooping in with theoretical notions of risk and controls without considering what happens on the ground already to address risks, or suggesting best-practice controls while not considering pragmatism and sizing.

You need to work side by side with your stakeholders to understand their objectives and how these tie into the objective of the organisation to manage risks. You need to understand their business and how they may already be managing their risks and try to leverage this where feasible. And finally, keep the conversations going to identify any gaps as they arise and opportunities to make risk management more efficient and effective, alongside your stakeholders.

Failing all of the above, if you find yourself dealing with an intransigent stakeholder, sometimes the best way to advance is to escalate your case and follow the same approach with the next level up. If you have the support of a broader risk management function, then use this as well, as good working relationships may already exist at your management's level.