RiskWorks Insights

Risk management is the process of thinking systematically about all the possible threats, problems or opportunities before they happen and responding to the ones that really matter. It means setting up procedures to avoid or minimise a threat or problem, as well as seeking ways to improve things or benefit from an opportunity.

Risk management is also about making a realistic evaluation of the true level of risk. The chance of a lightning strike disrupting your power supply is fairly slim. The chance of losing a key supplier or your computer system being infected by a virus is somewhat more likely.

Before we begin the risk management process, we first need to understand what we want to achieve: What is the goal/objective or purpose statement that we are applying our risk thinking to?

Once the context is established, the risk management process then essentially asks the following questions:

  1. What could happen?
  2. Why could it happen?
  3. What would be the result of it happening?
  4. How bad / good could it be?
  5. What can we do about it?
  6. What will we do about it?

The best practice process of risk management is described in the international standard ISO31000:2018 Risk Management – Principles and Guidelines and outlined in the diagram below.

 

Managing risks is subject to what you know at the time of identifying and assessing risks. It’s important to regularly review risks to take account of new information and changing circumstances.

Want to know more or get some expert support? Contact RiskWorks.

Managing risk is not just about responding to running out of budget, a key team member resigning or a natural disaster event. It means continually being on the lookout – both internally and externally – to see what is changing that might affect your people, assets and/or services.

Looking for potential risks to your business or organisation also means considering as many different viewpoints as possible.

The list below provides prompts to stimulate risk thinking and discussion.

Ask yourself (or your team) – what are my (our) risks when we consider:

Services

  • Delivering quality service
  • Supply chain reliability

Technology

  • IT system security
  • Protecting privacy / personal data

Finance

  • Managing cashflow / profitability
  • Potential for fraud or corruption

Business management

  • Director obligations / liability
  • Regulations / compliance requirements

People

  • Key people being available
  • Skilled and reliable staff

Reputation

  • Complaint management
  • On-line presence

Businesses and organisations already have many ways in which they currently manage risk: hazard warning signs, two-factor identification requirements, servicing machinery to ensure it works properly, or automatic IT back-up to protect data. But this doesn’t mean our risk management work is done. It requires a systematic approach to identifying, assessing and prioritising risks to make sure our risk information is up to date.

Effective risk management has no final destination. It won’t stop risks eventuating but it will help you manage uncertainty and prepare for any major disruption to your plans.

A Risk Register is a live record of risk information. The format can range from using a simple spreadsheet to operating specialised software.

The RiskWorks Risk Register template provides a user-friendly example suitable for straightforward (non-complex) situations. It follows the initial steps of the best practice risk management process* and can easily be extended to record all important risk details in one place.

Noting answers to the key questions prompts thinking about the causes and consequences of a risk event. Underlying the High / Medium / Low rating approach will be a classification system for determining the frequency and impact of the risk occurring. Risks can then be prioritised to provide visibility of high-level risks and to focus the risk response effort on what matters most.

The Risk Register should be updated on a regular basis to:

  • monitor the current state of each risk
  • reflect any changes to the risk information
  • check the effectiveness of risk treatments (actions).

* As described in ISO31000:2018 Risk Management – Principles and Guidelines

Risk Register Template – view.

A risk management framework is a foundational plan which sets out a structured (consistent and coordinated) approach to protecting staff and business assets, and ensuring financial sustainability – the what, why and how of managing risk across and through the organisation.

A risk framework helps keep our thinking aligned, makes risk real, promotes a pro-active approach, and empowers staff to make good decisions.

A good risk management framework:

  • provides guidance and tools to support decision making
  • is tailored to the business operating environment
  • sets out risk roles and responsibilities
  • facilitates continuous improvement
  • is an essential reference document for staff and managers.

The risk management framework should include:

  • an overarching policy statement
  • a system for recording risk information (the risk register)
  • a method for rating risks (such as a likelihood and consequence matrix)
  • guidance for how risks will be managed
  • a reporting schedule for monitoring risk activity.

You need an organised and systematic approach to make risk management integral to business as usual. At RiskWorks we take account of the practical problems you face and deliver risk frameworks and processes to improve and protect your business.

Insurance is one of the ways to respond to risk. Purchasing insurance transfers some of the financial risk of loss to the insurer.

The fact that a risk is insurable does not necessarily mean that it should be insured. You should expect to reduce the risk in the first instance – decrease the likelihood (frequency) or consequence (impact) of the risk – usually by addressing the causes that could lead to the risk event occurring.

For each risk identified in the risk register, the two key questions relating to insurance are:

  1. Is the risk insurable?
  2. If so, should it be insured and to what level?

The level or amount of insurance should be based on the availability and cost of insurance, and the type and scale of risks you are prepared to accept. Most insurance policies specify a minimum value of loss and / or an excess that the insurer will not pay. A higher minimum value or excess will usually reduce the premium but exposes you to a larger loss if the risk occurs.

Remember that not all risk can be transferred, nor is it always cost beneficial to do so. Insurance may only cover the financial loss, potentially leaving you still to deal with business downtime, lost customers and reputational damage.

A basic cost‐benefit analysis of possible options in responding to business risks (with insurance being one of them) will help with decision making about the best risk response action to take.

Making good decisions in important and critical situations is difficult if you haven’t considered how much risk you want to take. Understanding your risk appetite helps avoid making random or conflicting choices that are not aligned to your goals or objectives.

In a risk context, appetite refers to how much we want to get involved with an uncertain situation. What is our willingness to take on a particular risk? Generally this applies to business thinking at a strategic level. Risk appetite is sometimes defined by terms such as being risk seeking, risk averse, risk avoiding or risk neutral.

A risk appetite statement expresses an organisation’s attitude to risk-taking which:

  • Cultivates a positive risk culture
  • Indicates the appropriate risk response
  • Guides risk engagement
  • Assists in better decision making

For example: My objective is to improve my financial situation. What is my risk appetite when choosing an investment option – do I buy lottery tickets, invest in shares or leave my money in a bank savings account? What level of return on investment do I want and how much risk am I prepared to take to achieve it?

Methods for expressing risk appetite include:

  • Profit and loss measures (e.g. ‘Operating profit margins exceed the previous year’s performance by a minimum 5%.’)
  • Limits or targets for key indicators (e.g. ‘Quality performance must be within a 5% margin of the benchmark standard.’)
  • Qualitative statements (e.g. ‘We have a zero tolerance for regulatory breaches or causing harm to people.’)
