“It is not the manager’s job to prevent risks. It is the manager’s job to make it safe to take them,” said Ed Catmull, co-founder of Pixar Animation Studios, president of Pixar Animation and Disney Animation.
There are hundreds of inspirational quotes from great civic, sporting, and business leaders about the value and importance of taking risks. But what few of them acknowledge is what Catmull says here: Risks need to be managed. While it’s aspirational to shoot for the stars, it’s irresponsible to do so without counting the cost first.
Risk is unavoidable in business, but that doesn’t mean it’s a roll of the dice whether a project, product, or entire business will succeed. Risk management is a key activity in any enterprise that values change and innovation. It involves predicting and managing any risks that could get in the way of the organization achieving its goals.
An ongoing practice of managing risks and processes
Risk management isn’t a one-time deal. It’s an ongoing cycle of activities that looks for threats to business success and what can be done about them. It begins with risk assessment.
Risk assessment is asking the question, ‘What could go wrong?’ It examines the risks the business is facing and how realistic they are. It determines the likelihood of the event and the severity of the consequences, and defines the risk accordingly.
This flows into risk decision making. The organization must review the risks defined and decide what its ‘risk appetite’ is. How willing is the organization to shoulder risks? Are the risks growing, or declining? How well resourced is the practice of risk management when you consider what needs managing?
With those decisions in mind, the business then identifies the controls necessary to reduce risks to acceptable levels. That may mean avoiding the risk through new approaches, mitigating the risk through additional measures, or accepting the risk as a reasonable possibility in the ongoing operation.
The scale of risk
Not all risks are created equal. The risk of someone burning themself on the coffee machine is unlikely to bring the business to its knees. The risk of sensitive client information being accessed by unauthorized people could be catastrophic. That’s why risks are often categorized as enterprise or operational.
Enterprise risk management is being aware of those risks that could put the company in jeopardy. These are the large-scale risks that include products, key information, and financial controls.
Operational risks are the day-to-day risks inherent in running the business. They cover a wider spectrum, and while they may include serious and significant consequences if they aren’t well managed, they are unlikely to spell an end to the company. This is a much more commonly understood category of risk than enterprise risks, but both are significant in the life of an organization.
Turning theory into practice
Traditionally, the risk register is where an organization collects and categorizes its risk information. This includes the controls and responsible parties and forms a complete record of the risk exposure the business faces.
An organization will also likely have policy and procedure manuals. These are the documented processes that dictate how to achieve key business goals, including steps and instructions to ensure the appropriate measures are taken to reduce risks.
Finally, operations are where those processes are carried out. This is the practical exercise, the day-to-day completion of the tasks and activities that keep the business moving.
Unfortunately, these three elements, which relate to one another in vital ways, are often disconnected in the business, which can create significant problems.
The risk register needs to connect with and relate to the process and procedure documentation to have an impact on how the business responds to and handles the risks it outlines. And both of those need to be available to the front-line staff who are using the processes daily, or there will be a disconnect between what should be done and what actually happens.
When those three strands of business knowledge are connected, auditors, compliance experts, and management can review the risk register with confidence and know that what it contains filters through the actual life of the organization.
That’s what Nintex Promapp® does.
Look out for part 2 of this blog to read how Nintex Promapp® connects identified business risks with the core processes that they affect and makes that information visible and relevant for the people who need to see it.