“Only those who will risk going too far can possibly find out how far it is possible to go.” — T.S. Eliot
- There is no such thing as a risk-free enterprise; all enterprises must identify, understand, mitigate and manage risk to achieve their goals.
- An enterprise must comply with regulatory corporate governance codes – these require executives to robustly identify, assess, control and mitigate risk.
- Always ensure that effective processes and mechanisms exist in your Management System to identify, evaluate and act on enterprise-level risk of all types.
- Recognise that risk comes in many forms – political, economic, export, regulatory, competitive, technological, reputational, workforce, environmental, safety, security, privacy, contract execution, financial, and so on.
- Risk sources can be external or internal – but, regardless of source, if risk is not managed it will ultimately adversely impact the financial well-being of the enterprise.
- Contract execution is an ever-present source of risk to an enterprise; ensure a proper analysis of the benefit of a contract to the enterprise is performed in the sales process and be conscious of, and avoid, the Abilene Paradox.
- Focus on risk in contracted work as part of standard business operations.
- Enterprise risk management is as much about identifying upside or opportunity as it is about identifying and mitigating downside threats.
- Ensure that risk identification, evaluation, and follow-up action/mitigation are owned by business and function leaders.
- Ensure business and function leaders discuss and agree threats, mitigations and the ownership of actions with their own local leadership teams.
- Have a documented overall enterprise risk register; ensure it has appropriate risk categories, identifies individual threats, the likelihood of the event happening and its potential impact, the ownership of follow-up action/mitigation and the current status of the item.
- Review and update the enterprise register at least annually; review the register more frequently when urgent, unexpected external events unfold.
- Maintain comprehensive, auditable records of risk assessments, formal risk reviews, the risk register (and changes to it), mitigation responsibility (and changes to it) and formal risk reporting to executive leadership.
- Good enterprise risk management is about proactive action to address both threats and opportunities; never consider it as a compliance reporting or tick-box exercise.
- Encourage a positive, open, ‘risk-aware’ rather than ‘risk avoidance’ culture throughout the enterprise; ‘risk avoidance’ leads to stagnation, competitive disadvantage and a declining business.