How do you effectively identify the risks threatening your organisation so that you can plan to mitigate those risks and avoid disaster, or even a relatively minor incident that could derail your normal operations and take time, energy and money to correct?
It is just common sense to avoid yet another bushfire if you can. Identifying the variety of risks that could mean significant delays, or worse, is part of Risk Management Planning.
Risk Management Planning is the process of:
- Identifying the risks that threaten your organisation,
- Analysing what effects those risks could have on the organisation,
- And then developing strategies to manage or mitigate those risks.
A Risk Management Plan is an important tool for your organisation and helps to support operational continuity when events threaten part of your operations, or even the whole organisation itself.
While the risks – or even the types of risks – can vary from organisation to organisation or within an organisation from program to program, the process of preparing a Risk Management Plan is a logical step-by-step process that anyone can follow.
By understanding what these risks are, and what the risk events mean to your organisation, you can find ways to reduce their impact before they happen. Therefore, the first step in preparing your Risk Management Plan is to identify your organisation's risks.
It is important not only to identify the cause of the risk (for example, “Change in government policies”) but also the actual risk to your organisation resulting from the cause (for example, “Change in government policies leading to a change in government priorities, leading to a loss of government funding for our services”).
As you can see in the above example, having identified the real risk (loss of government funding for our services) you can better understand the scope of the cause of the risk and therefore prepare a strategy aimed at managing a loss of government funding rather than simply managing changing government policies.
It is important to include all the types of risks that might affect your organisation - think broadly - rather than identify the more obvious or pressing concerns like fire, theft or staff health and safety. There are some hidden risks that may seem not relevant or not likely, but could be catastrophic, like say a global pandemic!
It is advisable to brainstorm ideas with your teams as well as with your Board. You want an open and honest contribution where there is no stupid suggestion or where one suggestion is better than another – the time to assess the risks for the nature of their importance will come later. The critical objective here is to capture all the potential risks to the organisation.
However, we do not suggest the usual workshop brainstorming method of standing in front of a whiteboard while your team shout out their ideas. This could lead to some risks being left out in this informal process, or not exploring beyond the cause ("change in government policy") to find the real risk ("loss of government funding").
A more formal process to follow when you brainstorm to identify risk is to first review your organisation’s activities:
- What are your key business systems?
- What are your core services and administration activities?
- How is your staff organised and managed?
- What are some critical resources you use?
- What could negatively affect your systems, services and activities, staff or resources?
Next, you might want to review social and economic trends affecting your organisation:
- What is happening to other organisations in your field of activity?
- What is the trend for the need or demand for your services?
- What is the media saying about organisations like yours?
- What is happening with the local, national and world economies?
Assessing both your operational model and the world around your organisation will help you think about:-
- What you cannot do without in order to provide your services and do your work?
- What would happen to these critical resources or activities if something bad happened?
- What work procedures (checklists, processes etc.) or organisational arrangements are open to risk?
Then, use the following risk categories to develop a list of risks that could negatively affect your operational model: -
- Strategic Risks – big-picture risks such as those caused by the state of the economy or your industry/services, epidemics, natural disasters, and so on;
- Compliance Risks – risks around your legislative and statutory compliance such as audit requirements and qualified reports, non-lodgement of statutory returns and tax returns, poor records of Board meetings, and so on;
- Operational Risks – risks affecting operations like health and safety, computer maintenance, record-keeping, service delivery, human resources issues;
- Financial Risks – risks around your finances such as poor internal controls and fraud, theft, poor cash management, insolvency;
- Reputational Risks – risks that affect your reputation and credibility such as lingering member or Board disputes, poor governance, poor communications, and so on.
Taking each category in turn ask questions such as:
- Where in your organisation are risk events likely to happen?
- When might they happen and why?
- How are those risk events likely to start manifesting when they do happen?
- What parts of your organisation might be affected?
- Who in your organisation might be affected?
- Have any previous unexpected events taken place? What happened and could they or something similar happen again?
It may be useful at this stage, when identifying risks, to also consider the types of consequences if those risks happen. They might be consequences to:
- health and safety;
- people and corporate culture;
- quality of service or operations;
- operational sustainability;
- time spent; and
- corporate reputation.
When you are doing this, make sure that you ask plenty of “what-if” questions. It is also useful to consider the worst-case scenario, because having considered the worst-case, you can focus on smaller risks within that scenario.
Once you have adequately identified all the risks that could have consequences to your organisation, you can then go through the other logical steps of Risk Management Planning, which are:-
- Assessing the risks identified
- Evaluating the risks using a Risk Matrix tool
- Designing strategies to manage or mitigate the risks
- Managing the whole Risk Management Plan, and
- Monitor, test and evaluate the strategies in your Plan.
If you would like to know more about Risk Management Planning for your organisation, you can download our free Whitepaper on "Understanding and Managing Risk in an Indigenous Organisation here.
Or you can email us at or call us on 08 9242 2085.
If you are ready to start your own Risk Management Planning project, you can do it for yourself, following our tested methodology by getting our online program called Risk Management Planning for Indigenous Organisations. Find out more here.