Every profession has that one test it will always use: doctors check blood pressure, accountants run the acid-test ratio, and governance auditors check your risk management process. And much like a blood pressure reading or an acid-test ratio will not tell you the whole story, a risk management programme does not automatically mean the company is healthy, well governed, or compliant. However, a poor risk programme does indicate that an organisation is poorly governed.
Just knowing what risks your organisation faces is not enough for a good risk management programme. An auditor will want to see not only that you have identified and assessed your specific risks, but also that they are actively being managed and reviewed.
Evaluating risks is not fun, but doing regular risk assessments strengthens your business. It also puts your organisation in a better overall position to tackle any unforeseen circumstances.
So how do you go about implementing a robust risk management process?

1. Start with the basics
The first step to getting the basics in place is to develop a risk matrix. This table will contain the identified risks and additional information pertaining to each risk. The more data you have, and the better its quality, the more robust your risk management will be.
To populate your risk matrix, start by brainstorming as many risks as possible. Inputs to this brainstorm could include previous incidents, threats to your industry, environmental issues, and – of course – supply chain concerns. It is also imperative that you involve as many people as possible from across your organisation in this process.
Once you have a list of possible risks, you need to know how each one will impact your organisation. Impacts are generally financial, but do not limit yourself to this. Include other costs, such as hours lost, reputational damage, or additional labour requirements.
To complete your basic risk matrix, assess each risk. I generally recommend rating each risk by the following:
- How severely will it impact the organisation?
- How likely is it to occur?
- How easily can it be detected?
For instance, the likelihood of having a piece of metal in your chocolate is very small, but the bad publicity it will incur is why most manufacturers have metal detectors on their manufacturing lines.
Based on the assessment, each risk can be categorised as either negligible, minor, major, or extreme.
2. Put a game plan in place
Now that you have identified and assessed your risks, you can expand the risk matrix by adding a plan of action for each risk. Start by identifying what could cause each threat, remembering that any risk can have multiple causes. For instance, ransomware could be introduced through an email attachment or through a website that someone opens on a company computer.
Then, based on each cause, mitigation actions can be put in place. The ideal mitigation is to prevent the risk from occurring entirely. You may want to ban any metal from entering your chocolate factory, but this is not financially feasible. Instead, you would put in place multiple feasible, realistic mitigations, such as ensuring machinery is well maintained, staff are educated, and a metal detector is on the line before final packaging.

As with any good action plan, these actions must be written down. Best practice indicates that each action must have:
- A clear description of what needs to be done
- The person who will ensure it will be done
- The expected completion date

3. Stepping it up
Everything so far makes for a very good basic risk management process. To step it up, you will want to know as soon as possible when a causal event has occurred. From our examples above, you will know you have been hit by ransomware when you are shut out of your systems, but how will you know if there is a piece of metal in your chocolate? As a further example, what about new laws being passed that may affect you? Do YOU review the government gazette regularly?
You may need to put tests in place that alert you to any possible causal event. For our legal example, this may mean assigning someone in the legal or HR department to review the government gazette.
Now that you have mitigations in place, and indicators for when something happens, the next step is to review your risks all over again.
4. Level up further
But why do you need to re-evaluate the risks? Now that you have mitigations in place, the severity and/or likelihood of the risk occurring should be lower, and with the indicators you have put in place, the detectability has improved. But has this lowered the risk assessment sufficiently?
Not every risk can be negated. Some mitigations may be too expensive, or the risk too low to warrant implementation. Should a mitigation become cheaper, for instance using a metal detector instead of an X-ray machine to find metal in chocolate, the action plan may need to be updated. Or, if the black hats come up with new ways to introduce ransomware faster than firewalls update, it may mean keeping full back-ups to restore data and systems, or having insurance in place to pay the ransom.
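The four steps above describe one procedure: rate each risk on severity, likelihood and detectability, categorise it, attach causes, actions and indicators, and re-rate it once mitigations are in place. The following is an added example of a minimal risk register that carries that procedure through in code; it is not from the article. The 1-to-5 scales, the product score, the category cut-offs, and all risk names, owners and dates are assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date

# Assumed rating scale: each factor is scored 1 (best) to 5 (worst), so a
# detectability of 5 means the causal event is very hard to notice.
SCALE = range(1, 6)

# Assumed category cut-offs on the product severity * likelihood * detectability
# (range 1..125). The article names the four categories but gives no numbers.
THRESHOLDS = (("negligible", 8), ("minor", 27), ("major", 64), ("extreme", 125))


@dataclass(frozen=True)
class Action:
    """One written action item: what must be done, who owns it, and by when."""
    description: str
    owner: str
    due: date

    def __post_init__(self) -> None:
        # Best practice from the article: every action needs all three fields.
        if not self.description.strip() or not self.owner.strip():
            raise ValueError("action needs a description and an owner")


@dataclass(frozen=True)
class Risk:
    """One row of the risk matrix."""
    name: str
    severity: int
    likelihood: int
    detectability: int
    causes: tuple[str, ...] = ()
    actions: tuple[Action, ...] = ()
    indicators: tuple[str, ...] = ()  # tests that alert you to a causal event

    def __post_init__(self) -> None:
        for factor in (self.severity, self.likelihood, self.detectability):
            if factor not in SCALE:
                raise ValueError(f"{self.name}: ratings must be within 1..5")

    def score(self) -> int:
        return self.severity * self.likelihood * self.detectability

    def category(self) -> str:
        for label, upper in THRESHOLDS:
            if self.score() <= upper:
                return label
        raise AssertionError("score outside the 1..125 range")


def with_mitigation(risk: Risk, action: Action, *, severity: int | None = None,
                    likelihood: int | None = None, detectability: int | None = None,
                    indicator: str | None = None) -> Risk:
    """Record an action item and return the residual risk after re-rating.

    Only the factors the mitigation actually changes are passed; the rest keep
    their inherent rating, which is what the review meeting then re-examines.
    """
    return replace(
        risk,
        severity=risk.severity if severity is None else severity,
        likelihood=risk.likelihood if likelihood is None else likelihood,
        detectability=risk.detectability if detectability is None else detectability,
        actions=risk.actions + (action,),
        indicators=risk.indicators + ((indicator,) if indicator else ()),
    )


def prioritised(register: list[Risk]) -> list[str]:
    """Risk names ordered from highest to lowest score, for the meeting agenda."""
    return [r.name for r in sorted(register, key=lambda r: r.score(), reverse=True)]


def overdue_actions(register: list[Risk], today: date) -> list[tuple[str, str]]:
    """(risk, action) pairs whose completion date has passed, for progress review."""
    return [(r.name, a.description) for r in register for a in r.actions if a.due < today]


# Constructed sample register using the article's two running examples.
ransomware = Risk("ransomware", severity=5, likelihood=4, detectability=2,
                  causes=("email attachment", "website opened on a company computer"))
metal = Risk("metal in chocolate", severity=4, likelihood=1, detectability=4,
             causes=("worn machinery",))

# Step 2-3: record actions and indicators, then re-rate the factors they change.
metal_residual = with_mitigation(
    metal, Action("Install metal detector before final packaging", "Plant manager",
                  date(2024, 6, 30)), detectability=1, indicator="metal detector alarm")
ransomware_residual = with_mitigation(
    ransomware, Action("Nightly offline backups with restore test", "IT lead",
                       date(2024, 12, 31)), severity=3)

if __name__ == "__main__":
    for r in (ransomware, ransomware_residual, metal, metal_residual):
        print(f"{r.name:20} score={r.score():3} category={r.category()}")
    print("agenda order:", prioritised([ransomware_residual, metal_residual]))
    print("overdue:", overdue_actions([ransomware_residual, metal_residual], date(2024, 7, 1)))
```

The register is deliberately append-only: `with_mitigation` returns a new row rather than editing the old one, so the inherent rating survives beside the residual rating and the review meeting can see whether the mitigation actually moved the category.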

From the above, it is clear that regular risk review meetings should be held. The agenda for these meetings should include reviewing and reassessing risks, and ensuring that progress is made on the action items. Any new risks must be added, new mitigations and indicators put in place, and the process repeated.
These regular review meetings also give you the opportunity to review the learnings from any incidents that have occurred, as per this article.
A final recommendation is to invite outside specialists to assist with identifying new risks. For instance, a business insurance specialist can share all manner of possible risks. Lawyers, IR specialists, or supply chain consultants will also happily assist with this.