Most organisations I work with would say they ‘do risk management’…but often, when I dig a little deeper, I find either their practices aren’t adequate, or their systems and processes are letting them down.
And sometimes it’s both!
So what about your organisation?
How are you managing risk to protect your staff, the people and causes you serve, and your organisation’s future?
It doesn’t have to be complicated, but it does have to be thorough…and ongoing.
I always suggest starting with culture – ask yourselves, do we actively foster an organisational culture where it is safe for people to proactively raise concerns and report risks?
And the answer to this question does not lie around the Board table or in the CEO’s office – it sits in the hearts and minds of the staff, volunteers and service recipients who are impacted by the work you do.
So that is where you need to go to ask about risk management and the culture that surrounds it in your organisation. And not just once – you need to do this regularly and cyclically.
By promoting this culture of openness and honesty you set the scene to then start working through the three simple steps of risk management.

Step One
Explore (with all your stakeholders!) these two key questions, which will help you better identify the risks your organisation is facing:
- What’s gone wrong before?
- What are we quietly hoping doesn’t happen?
The answers to these questions will provide you with the grist for your risk management mill.
These are the things that need to appear in your Risk Register (and be revisited and reassessed on a regular basis).
Step Two
Once you’ve got your list of risks, you need to work out what matters most – not everything will deserve the same amount of attention.
For each risk ask two things:
- How likely is this to happen?
- How bad would it be if it did?
Get yourselves a simple risk matrix (a 5 by 5 matrix is the minimum standard these days), and plot each of your risks on the matrix.
This will show you what to tackle first.
Step Three
Put the risks you need to deal with into a plan of action – your Risk Management Plan.
And make sure someone (or a team of ‘someones’) has responsibility to drive the plan and make sure it gets implemented.
Probably the most important part after that is making sure these three steps then get repeated regularly and that the cycle continues.
Boards don’t need to drill down to the minutiae of every single risk. But they do need to know that somebody is! And they need to know in detail about the big-ticket risks that could seriously impact the organisation’s functioning, effectiveness or reputation.