A simple, disciplined approach to risk management
Every organization faces risks, from long-term strategic challenges to short-term disruptions to natural disasters. Within your Phrontex system, risk management means —
- Making sure that you and your people are thinking about the risks of what they do. Any person who is accountable for an objective is responsible for identifying the risks of failing to meet that objective.
- Recording the risk and documenting the steps taken to reduce the likelihood or mitigate the consequences.
Phrontex provides a risk management framework based on the requirements of ISO 31000:2009 Risk management — Principles and guidelines. The risk register provides a simple way to define, track, and manage your organization’s risks. This is not just good management; it can also help manage the owners’ and directors’ legal liabilities, by providing evidence that they have taken reasonable steps to ensure that the organization’s activities are legal and safe.
Phrontex supports this approach to risk management —
Define your risk management policy
The aim is to ensure that the organization has a reasonable expectation of meeting its objectives. The policy might specify the risk assessment criteria (such as with a likelihood-consequence matrix) and stipulate the level of management required for significant risks.
Identify and assess your risks
Good management practice means that risk assessment is built in, as a core component of how the organization functions. Your risk assessment points will depend on the nature of your organization and its activities. They might include these —
- As part of your planning, before committing to an objective: what is the risk of failing to meet this objective?
- As part of your sales, before submitting a proposal: what is the risk that we will fail to deliver or the client will fail to pay?
- As part of your decision approval, before signing a contract: what is the risk that we or the other party will fail to meet the terms?
Each significant risk should be recorded in the Risk Register.
Manage your risks
The risk register entry should record, or cross-reference, the actions and controls used to manage the risk. These might include —
- Procedure changes to eliminate the risk, reduce the likelihood, or mitigate the consequences.
- Business changes to transfer the risk, such as through insurance or indemnity agreements.
- Training and awareness programs, to modify behaviour in relation to high-risk activities.
- Response plans for emergencies and uncontrollable external events.
Review and learn
If something goes wrong, or there is a failure to meet an objective, the circumstances should be reviewed against the risk register to consider if there were risks not identified, not recorded, incorrectly assessed, or inadequately managed.
Business planning and risk management
When you submit a business plan to potential investors, you hope to persuade them that you can achieve the planned objectives. A big question in their minds is: What are the risks? Even if you haven’t thought about it, they certainly will. What happens if the equipment fails, you have a fire, or the senior manager gets sick?
You don’t normally include a risk register in a business plan, but it might be appropriate to summarize it. New business is always risky, and if there’s no denying the risks, there can be an advantage in addressing them head-on: “Here are the key risks we face, and here’s how we will manage them...” The fact of having a risk register at all will set you apart from many start-ups.