Multiple interests require multiple threads to weave into the intricate pattern of GRC. I will keep the articles coming on Effective Policy Management & Communication but also have sufficient requests to write more on risk management. So here we begin another series (which runs parallel to policy management) on Developing a Risk Assessment & Management Process. It is in this series we will look at risk management basics, what it is, how it is done, and best practices to implement risk management within your organization.
Everything I need to know about risk management I learned in . . . drivers education. Yes – it is true. Do not leave me now, I am serious. Well sort of serious. There is a lot of depth to risk management and how to conduct it in business that drivers education did not educate me on. But the basics, the fundamentals, of risk management were there.
This past year I have had the opportunity (or should we say threat or vulnerability or exposure) of sending my first two teenage sons to drivers education. One now has his license the other is just getting his permit. The older one who got his license six months a go already has his first accident under his belt (first snow of the year led to increased risk exposure which ended up in loss).
Risk management lessons for me (and anyone else) began at a very young age. One quickly learns not to touch hot things. There is the balance of opportunity and loss. As a toddler we do not get wrapped in protective bubble away from risk. Mom and dad guide us in our achievements and growth while monitoring and managing risk around us. The goal is to be able to function and thrive in a very risky world. Just as in business, risk management is something everyone does it is part of life. It is also part of business. Judge Mervyn King of the Infamous King 2 report on Corporate Governance stated it very well “Enterprise is the undertaking of risk for reward.” Basically business is about taking an managing risk to make money.
Back to drivers education . . . while mom and dad integrated risk management training into my child rearing, drivers education class was my first introduction into a formal risk assessment/management methodology. I was quite happy when my oldest son came home from drivers education a year a go and told me about IPDE. It took me back nearly 25 years (I am 39 and in Montana where I grew up you could drive at 14 and a half). IPDE was same acronym I learned in drivers education many years a go. It got me thinking as to how this first lesson in risk management has stood the test of time. It also integrates and can be mapped into broader risk management frameworks such as the new ISO 31000 standard. It is the functional basis for risk assessment.
The IPDE process is as follows:
- Interpret. Understand your surroundings. From a driving perspective it requires you understand your internal surroundings (the car), the external surroundings (what is happening in traffic and everything else around you), and your destination (where you are going and how that applies to the surroundings). In business it is about your internal business context, the external environment that business operates in, and your strategy as to where the business is heading.
- Predict. Once you understand your surroundings – the 360-degree situational awareness of your internal and external environment – you then can identify what can happen to help or hinder your objectives. The ISO 31000 definition of risk is the effect of uncertainty on objectives. An organization wants to identify the possibilities of outcomes to what can impact it achieving objectives.
- Decide. After the range of potential possibilities is understood, the organization (or the driver from the drivers education perspective) needs to decide what to do. What is going to be the best route for the organization to achieve objectives while minimizing loss/harm. This gets into risk measurement activities of understanding inherent and residual risk while looking at risk strategies of risk acceptance, risk transfer (insurance), risk avoidance, or risk mitigation (controls). The goal is to optimize value and return while keeping risk within acceptable levels of risk tolerance and appetite.
- Execute. The final step is to take action. I have seen a lot of risk assessments done with no follow through – a waste of time and resources. The decide process means nothing if there is no execution on the decision. Implementing the risk treatment and monitoring plans.
There is a lot more depth to risk management in business than these basic steps – but they do provide the most basic framework to think of risk management within.
One more fun tidbit from my drivers education experience as a teenager. As stated earlier, in Montana you can drive at 14 and a half (at least back in the 1980’s). The risk environment in Montana was also interesting with its approach to speed limit laws/regulations. Until 1974 Montana did not have speed limits, it was at this time the Federal Government threatened to withhold highway funds so Montana created a special ticket. If you were going below 90 on a highway during the day it was a $5 ticket called ‘wasting of public resources’ and did not go on your record. A teenage boys driving paradise – but also a risky one. Oh to be young and adventurous.
In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Developing a Risk Assessment & Management Process.