Risk nuggets from the information badger

“Only those who will risk going too far can possibly find out how far it is possible to go.” — T.S. Eliot

  • There is no such thing as a risk-free enterprise; all enterprises must identify, understand, mitigate and manage risk to achieve their goals.
  • An enterprise must comply with regulatory corporate governance codes – these require executives to robustly identify, assess, control and mitigate risk.
  • Always ensure that effective processes and mechanisms exist in your Management System to identify, evaluate and act on enterprise level risk of all types.
  • Recognise that risk comes in many forms – political, economic, export, regulatory, competitive, technological, reputational, workforce, environmental, safety, security, privacy, contract execution, financial, and so on.
  • Risk sources can be external or internal – but, regardless of source, if risk is not managed it will ultimately adversely impact the financial well-being of the enterprise.
  • Contract execution is an ever-present source of risk to an enterprise; ensure a proper analysis of the benefit of a contract to the enterprise is performed in the sales process and be conscious of, and avoid, the Abilene Paradox.
  • Focus on risk in contracted work as part of standard business operations.
  • Enterprise risk management is as much about identifying upside or opportunity as it is about identifying and mitigating downside threats.
  • Ensure that risk identification, evaluation and follow-up action/mitigation are owned by business and function leaders.
  • Ensure business and function leaders discuss and agree threats, mitigations and the ownership of actions with their own local leadership teams.
  • Have a documented overall enterprise risk register; ensure it has appropriate risk categories, identifies individual threats, the likelihood of the event happening and its potential impact, the ownership of follow-up action/mitigation and the current status of the item.
  • Review and update the enterprise register at least annually; review the register more frequently when urgent, unexpected external events unfold.
  • Maintain comprehensive, auditable records of risk assessments, formal risk reviews, the risk register (and changes to it), mitigation responsibility (and changes to it) and formal risk reporting to executive leadership.
  • Good enterprise risk management is about proactive action to address both threats and opportunities; never consider it as a compliance reporting or tick-box exercise.
  • Encourage a positive, open, ‘risk-aware’ rather than ‘risk avoidance’ culture throughout the enterprise; ‘risk avoidance’ leads to stagnation, competitive disadvantage and a declining business.