Transformation can be defined as “a marked change, as in appearance or character, usually for the better”. Risk management transformation is the process of changing the character (not just the appearance) of your risk management, always for the better.
In order to transform, you need to:
- Know where you are now
- Have a reason and motivation to transform
- Know what you wish to transform to
- Have practical steps which map out the transformation.
This smells of risk management maturity analysis, and in many ways it is. The difference is to focus on the practical steps which will achieve the right transformation. The following article attempts to answer the why? what? and how? of risk transformation.
We transform to get better. In simple terms it is to maximise the return of your risk management investment. Risk management is often considered just compliance, insurance, an overhead, an annoyance etc. This attitude drives the inevitable desire to curtail risk management to the bare minimum required. Risk management becomes risk minimisation. This attitude misses the fact that risk is “the effect of uncertainty on objectives” implying that risk management is the management of uncertainty on objectives further implying that risk management is really objectives or outcomes management. It is hard to argue that managing objectives and outcomes is not an enabler. When risk management is positioned in this light, it becomes by default, an enabler. The key to risk transformation is therefore to position it as a key enabler of your business using a process that is well understood, fully embedded in the business and efficient and effective to use.
Transform to what?
The first step is a stocktake of where you are at present. A maturity analysis is useful. Most process maturity models recognise 5 stages of maturity, as in Fig 1, from “Initial” where risk management is performed by your heroes in a crisis, all the way through to optimised where risk management is fully embedded into everything that you do, is proactive and is fully supporting the success of the business outcomes.
Fig 1: Risk Management Maturity
The key components to assess are:
- People and Culture
- Governance Structures
- Risk Processes
- Risk Systems
- Risk Outputs
- The degree to which risk management is used on the business.
The key is to determine a blueprint of where do you want to get to and by when. What does each of the above components look like in your blueprint?
How to transform
The first step to making risk management transformation happen is to determine the gaps between where you are now and your blueprint.
These gaps should then be broken down into management steps and a project plan created. It is about making it happen. To successfully transform you need to focus on the following key elements:
- Is the blueprint and gap analysis clear, concise and practical?
- Is the blueprint realistic given the time period involved or is it aspirational? It must be realistically achievable.
- Do you have a mandate and commitment from the Board and Senior Management? Without it you will fail.
- Do you have the right people to make it happen? This includes your own internal resources and external providers.
- You need to focus on no more than 3 things at a time. Make the transformation agile so that it is seen, makes a difference early and is easily understood.
- Take the business with you. This require you to gain engagement with the business. Communication, training, and the generation of real excitement of where you are going and what it will give the business will make this happen.
- Apply robust project management and risk management principles to control the transformation.
- Lastly but most importantly “keep it real”. Eliminate risk management speak and adopt business speak.