- Determine who is responsible—a CRO, key departments or others.
- Use ‘bottom-up’ and ‘top-down’ techniques to capture unexpected and strategic threats.
- Cast a wide net, making use of employees, partners, processes and risk models.
Odysseus lost six sailors and risked his life when he tried to navigate between Scylla and Charybdis. What Homer neglects to mention, however, is that our ancient hero lacked a system for gathering data on the two hazards and calculating a risk-reducing path between them.
Today, companies navigating uncharted commercial waters understand the need for effective risk management systems. Their first task is to decide who should be responsible for spotting risks. Much depends on the organisation’s size and culture, though similarly sized companies in similar sectors often disagree on the matter. Some firms have a dedicated risk function and a Chief Risk Officer on the management committee. Others split responsibility between departments, with Finance, Legal, Compliance and Operations usually playing a role.
The second task is to determine what techniques to use. Odysseus relied on eyes and ears. But generally, the more techniques used, the more comprehensive, diverse and reliable the resulting data will be. Of course, there’s always a balance to be struck between cost and reward, but remember: the costliest risk is often the one you hadn’t thought of.
Different techniques will suit different companies in different circumstances. But companies should at least combine bottom-up and top-down systems. The former rely on those individuals who are closest to threats to identify and report them. The latter require those with strategic responsibility to view the full range of risks, spot how these might flow from one business area into another, and see which threats have strategic significance.
Some of the techniques companies use—either alone or with specialist support—are listed below:
Your people and partners:
- Analysing past mistakes. Companies often start by looking to their own—or competitors’—histories for signs of what can go wrong. Institutional memory is crucial, so engage your long-serving staff members.
- Staff and stakeholders. Regional staff, suppliers and partners have a distinct sense of local conditions and can pass these impressions up the chain informally or, preferably, through a systematic reporting process. This is a good example of a 'bottom-up' approach: it requires companies to foster a risk-awareness culture throughout the organisation and to create procedures that allow any employee to submit concerns. Remember, a shop-floor worker in a remote manufacturing facility may perceive local threats more quickly than senior managers at HQ.
- Service providers. A company’s banks, external legal team and other service partners usually provide valuable market intelligence, albeit packaged to sell their own services, so weigh it accordingly.
- Buying specialist information. Independent third-party analysis on politics and business conditions in key markets can supplement and test the company’s own contacts on the ground, who may lack a macro perspective. This 'top-down' kind of intelligence will be generic, and you will still need to judge which risks are relevant to you and how they will affect your organisation.
- Brainstorming. Free-wheeling discussions with senior cross-functional teams can throw up risks that none might have considered alone.
- Strategic analysis. A company’s strategy process can be mined for risk implications. Explore the ‘Threats’ element of any SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis. A PEST (Political, Economic, Social, Technological) analysis may also throw up risk management issues.
- Project management. Most project plans include a section on risks to the project. The tendency is to focus on single issues relevant only to that project, but this is an opportunity to capture broader threats that might spill over into it. It is also worth considering how failing to execute the project would affect the rest of the business, and making sure that this risk is captured outside the project itself.
- Regulatory requirements. Some companies or departments, such as IT, may engage in formal risk reporting to meet regulatory requirements, which should then be incorporated into the broader corporate risk framework.
- Scenario planning. Specialised external facilitators can help surface interconnected risks, plot their path through the company and ‘war-game’ the response. Methods run from loose narratives to complex statistical modelling, so it is important to pick a technique that is both relevant and practical.
- The Delphi method. A cross-functional panel responds independently to a questionnaire; a facilitator consolidates the responses and issues further rounds of questions until views converge. Because responses are given separately and anonymously, the method helps to avoid ‘group think’ and shares responsibility evenly.
- Fault Tree Analysis. FTA turns the risk identification process on its head by asking ‘what do we really want NOT to happen?’ and then investigating what would make it likely to occur: the unwanted ‘top event’ is broken down, through AND/OR logic, into the conditions that separately or together produce it. You DON’T want to be prosecuted for bribing foreign officials, so asking what might lead staff or partners down such a path illuminates where the risk lies.
- Root Cause Analysis. This considers the deeper variables that underlie a headline threat. For instance, you might already understand how a transport workers’ strike would disrupt transit links to your factory. But thinking more deeply about the state of industrial relations ahead of a round of pay negotiations might provide an even earlier warning (not to mention help you forecast wage inflation).
- The Bowtie method. This examines how a single risk event might manifest across the organisation, usually resulting in a bow-tie shaped diagram. As well as a visual summary, it provides a systematic account of the contingent threats, and how failing to address the risk in one area could wend its way into others. The risk event sits in the middle; its possible causes and preventive actions sit on the left side; the consequences and post-hoc responses are on the right.
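The Fault Tree Analysis item above, worked through in code as an added example (not from the original article): the unwanted top event is decomposed with AND/OR gates into basic events, the minimal cut sets are extracted, and a top-event probability is computed from them. The tree, the event names and every probability are constructed for illustration. It also shows the trap a practitioner hits early with real trees: when one basic event (here weak payment controls) feeds both branches, naive gate-by-gate arithmetic over-counts it, while inclusion-exclusion over the minimal cut sets does not, and counting how many cut sets each event appears in points at where a single control buys the most.

```python
from dataclasses import dataclass
from itertools import combinations, product
from math import prod
from typing import Dict, FrozenSet, Set, Union


@dataclass(frozen=True)
class Basic:
    """A basic event: a condition that either holds or does not."""
    name: str
    p: float  # assumed probability, constructed for this example


@dataclass(frozen=True)
class Gate:
    """An intermediate or top event that occurs when its inputs combine per the gate logic."""
    name: str
    op: str         # "AND" (all inputs needed) or "OR" (any input suffices)
    inputs: tuple   # of Basic or Gate


Node = Union[Basic, Gate]
CutSet = FrozenSet[str]


def cut_sets(node: Node) -> Set[CutSet]:
    """Every combination of basic events that makes `node` occur."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.op == "OR":
        return set().union(*child_sets)
    if node.op == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate op {node.op!r}")


def minimal_cut_sets(node: Node) -> Set[CutSet]:
    """Drop any cut set that contains another; what remains are the minimal paths to the top event."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def basic_probabilities(node: Node) -> Dict[str, float]:
    """Collect the probability of every basic event reachable from `node`."""
    if isinstance(node, Basic):
        return {node.name: node.p}
    probs: Dict[str, float] = {}
    for child in node.inputs:
        probs.update(basic_probabilities(child))
    return probs


def top_event_probability(node: Node) -> float:
    """P(top event) by inclusion-exclusion over the minimal cut sets.

    Assumes basic events are independent. Unlike gate-by-gate arithmetic it stays
    exact when a basic event is shared between branches, because a shared event is
    counted once per union of cut sets, never squared."""
    mcs = sorted(minimal_cut_sets(node), key=sorted)
    probs = basic_probabilities(node)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(mcs, k):
            events = frozenset().union(*combo)
            total += sign * prod(probs[e] for e in events)
    return total


def naive_gate_probability(node: Node) -> float:
    """Bottom-up gate arithmetic: exact only if no basic event appears under more than one gate."""
    if isinstance(node, Basic):
        return node.p
    ps = [naive_gate_probability(child) for child in node.inputs]
    if node.op == "AND":
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)  # OR: 1 - P(no input occurs)


def event_importance(node: Node) -> Dict[str, int]:
    """Number of minimal cut sets each basic event appears in, most frequent first."""
    counts: Dict[str, int] = {}
    for s in minimal_cut_sets(node):
        for e in s:
            counts[e] = counts.get(e, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed tree: hypothetical events and probabilities, not figures from the page.
weak_controls = Basic("weak_payment_controls", 0.10)  # shared by both branches on purpose
TOP = Gate("bribe_paid_to_foreign_official", "OR", (
    Gate("via_third_party_agent", "AND", (
        Basic("agent_engaged_in_high_risk_market", 0.50),
        Basic("no_agent_due_diligence", 0.20),
        weak_controls,
    )),
    Gate("direct_by_employee", "AND", (
        Basic("pressure_to_win_contract", 0.30),
        weak_controls,
        Basic("no_anti_bribery_training", 0.25),
    )),
))

if __name__ == "__main__":
    for s in sorted(minimal_cut_sets(TOP), key=sorted):
        print("minimal cut set:", sorted(s))
    print("P(top) via cut sets:", round(top_event_probability(TOP), 6))
    print("P(top) naive gates: ", round(naive_gate_probability(TOP), 6))
    print("event importance:", event_importance(TOP))
```

The two numbers differ only because `weak_payment_controls` sits in both branches: the naive OR treats the branches as independent and multiplies that event's probability in twice. The importance table makes the same point from the control side: fixing the one event that appears in every minimal cut set closes every path to the top event at once, which is the answer to the article's question of where the risk really lies.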