#69 – SETTING THE ORGANIZATION’S RISK MANAGEMENT CONTEXT – ROD FARRAR

There is considerable confusion in the risk world in relation to terms such as risk appetite, risk tolerance, risk acceptance, risk threshold and risk attitude. These are defined differently by different organisations, and there is no guidance in ISO 31000 that clarifies them, so the confusion becomes a distraction.

No matter what it is called, all organisations need to specify the parameters within which they are going to manage their risks. In order to do this, there are a number of fundamental questions that you need answered.

  1. What is the level of risk that I’m willing to accept against each of my particular categories?

It is important to look at each category individually, as the acceptable level may differ between categories. You may have a very low acceptability for safety and reputation risks, but slightly more for performance or financial management. Identify what level of risk you are willing to accept for each category; this becomes your target level of risk. Then, when you identify a risk and analyse it, if it is sitting above that target you know straight away that you have to take steps to reduce it down to that target.


2.  What am I going to measure my consequences against? What are my critical success factors?

Ask yourself: what categories, impact areas or critical success factors am I going to measure my consequences against? By determining what success looks like for your organisation, you can devise the critical success factors for your consequence matrix.

Some common critical success factors include (but are not limited to):

  • Financial
  • Reputation
  • Legal
  • Compliance
  • Schedule (Projects)
  • Safety
  • Environment
  • Quality/Performance
  • Political

3.  What does severe look like against every one of those critical success factors?

Analyse each category and ask “what does a severe consequence look like to us as an organisation against each of these categories?” This will express your threshold for pain in terms of the incidents that may occur.

4.  What does “almost certain” look like from a likelihood perspective?

Is it more than once a year, is it a hundred in a thousand, or is it once in three months? This is an important question to ask, because if you get this wrong, or if you have an inappropriate likelihood matrix, you are also going to see some real problems with your risk assessments.

5.  What does my matrix look like? What is its size (3×3, 5×5, etc.)? What level does each of the squares represent?

The way you structure your matrix is going to determine how conservative your organisation is. If you choose the wrong type of matrix and assign the squares incorrectly, for example if you are a highly conservative organisation but you have a lot of squares at the medium or low level rather than the high or extreme level, your matrix is not actually reflective of the nature of the business you are doing.
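The five questions above describe a consequence × likelihood matrix with a target level per category. The following is an added example (not Rod Farrar’s or Paladin’s own material) showing how that context can be encoded so that a rated risk is checked against its category’s target and the matrix’s conservatism is made visible; the matrix values, category targets and scores are all constructed for illustration.

```python
# Added example: a constructed 5x5 risk matrix with per-category targets.
# Ordered levels; index gives the rank used for "above target" comparisons.
LEVELS = ["Low", "Medium", "High", "Extreme"]

# Constructed matrix. Rows = consequence 1..5 (Insignificant..Severe),
# columns = likelihood 1..5 (Rare..Almost certain). Question 5 asks what
# each square represents; this is one possible (moderately conservative) answer.
MATRIX = [
    ["Low",    "Low",    "Low",    "Medium",  "Medium"],
    ["Low",    "Low",    "Medium", "Medium",  "High"],
    ["Low",    "Medium", "Medium", "High",    "High"],
    ["Medium", "Medium", "High",   "High",    "Extreme"],
    ["Medium", "High",   "High",   "Extreme", "Extreme"],
]

# Question 1: the target (acceptable) level per category. Constructed values:
# lower acceptability for safety and reputation than for financial/performance.
TARGET = {"Safety": "Low", "Reputation": "Low",
          "Financial": "Medium", "Performance": "Medium"}


def rate(consequence: int, likelihood: int) -> str:
    """Look up the risk level for a consequence and likelihood score (1..5)."""
    if not (1 <= consequence <= 5 and 1 <= likelihood <= 5):
        raise ValueError("consequence and likelihood scores must be 1..5")
    return MATRIX[consequence - 1][likelihood - 1]


def above_target(category: str, consequence: int, likelihood: int) -> bool:
    """True when the rated level exceeds the category's target level,
    i.e. treatment is required to bring the risk back down to target."""
    level = rate(consequence, likelihood)
    return LEVELS.index(level) > LEVELS.index(TARGET[category])


def level_distribution(matrix) -> dict:
    """Count how many squares of the matrix sit at each level."""
    counts = {lvl: 0 for lvl in LEVELS}
    for row in matrix:
        for cell in row:
            counts[cell] += 1
    return counts


def share_high_or_above(matrix) -> float:
    """Fraction of squares rated High or Extreme: a quick check of how
    conservative the matrix is relative to the organisation's intent."""
    counts = level_distribution(matrix)
    return (counts["High"] + counts["Extreme"]) / sum(counts.values())


if __name__ == "__main__":
    print(rate(3, 3), above_target("Safety", 3, 3), share_high_or_above(MATRIX))
```

With this constructed matrix, a Medium-rated risk is above target for Safety but acceptable for Financial, and 40% of the squares sit at High or Extreme.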

Too many people and too many organisations are scrambling around asking ‘what’s my risk appetite?’ or ‘what’s my risk tolerance?’ There is a void of knowledge around appetite and tolerance that people are filling with their own opinions. There is one fundamental outcome that you want: to actually set your risk context, and if you ask the above five questions you will be able to do so.

Bio:

Paladin Risk Management Services is the brainchild of Rod Farrar, who founded the company in 2007 as a result of his passion and skill for managing risk. Rod’s extensive experience in assisting organisations to mitigate and eliminate professional risks they may encounter is at the core of Paladin Risk Management Services.

The core service offering is risk management training workshops.

The Risk Management Diploma is a broad-based program aimed at risk management and business continuity professionals, or those aspiring to fill roles in these industries. After the four-day course, attendees have six months to complete the assessment activities, at which point they will be awarded the Diploma.

The Paladin Risk Management Academy Advanced Diploma of Governance, Risk and Compliance is fully accredited by the Australian Skills Quality Authority (ASQA). The four-day course is the only offering in Australia which covers governance, risk, compliance and business resilience.

If you have any burning questions on risk management, Rod Farrar is always ready for a friendly chat. Contact him at rod@paladinrisk.com.au or 0400 666 142.
