In this video, David Tattam breaks down the questions you should be asking to better integrate risk management in your organisation's decision making.
Is risk management front and centre in your decision making?
Hi, I'm David Tattam, Director of Research and Training at Protecht Group.
One of the favorite challenges I have in risk management is the "So What?" question. Often we hear the why do we do risk management, because we have a risk register, because we have a heat map. The real question to ask is "So What?"
It really has to be focused on the outcomes of risk management rather than the process. One of the big answers I think, to the "So What" question in risk management is to help organisations make better decisions.
The question really is how can risk management be integrated into better decision making?
The approach we take at Protecht is to think about decision making at three levels. The first one is the "Can I" question, the second one is the "Should I" question and the final one is the "Would I" question.
If we take the "Can I" question, it's really a question of, is the level of risk and the decision that I'm looking to make within my, or our organisation's, risk appetite? Our risk appetite there is to provide a boundary around what we are able to do in order to achieve our objectives.
The first test really is a risk appetite test. If the level of risk in the decision we are making is outside of appetite, the answer should be simply, "I can't" and that is it, unless of course we can change the risk appetite. If it is within risk appetite, then the answer is "I can but I might not wish to", so we move onto the second question, which is the "Should I" question.
With the should I question we now bring in the partner to risk, which is reward. Rather a narrow focus, primarily focused on the shareholder, so financial rewards, financial risks, maybe employee risk, to weigh out whether the reward to the organisation is worth it for the level of risk we take.
Now if the reward is worth it, then "I should". If the reward is not worth it and it's lower than the risk we are taking, the answer is "I should not". If the answer is now "I should", we still might do it.
Why, the third test, and the third test is the "Would I" test. This is where we personalise the decision. This is where we start thinking about the rewards and risk at a wider level, at a wider audience, the wider group of stakeholders. What is the reward and risk to my customers? What is the reward and risk to society, to the environment and this now takes the final check is, is the level of reward greater than the level of risk for all of my stakeholders?
If we pass that test we now have the "Can I", "Yes I can", "Should I", "Yes I should" and "Would I", "Yes I would". Now the final "Would I" I is really about personalising.
In the financial services sector we often ask the question, would you do this transaction with your family? Would you do this mortgage with your mother and your father? If the answer is yes, it passes the "Would I" test, if it doesn't, it does not pass the "Would I" test.
If you are looking to get a better answer about "So What" with your risk management, try looking at integrating it into your decision making.
In order to do that what do we need, we need good data. We need good data around a risk we are taking and the rewards we are taking. This then requires a good risk management framework collecting good risk information and dare I say, good enterprise risk management framework and system.
If you'd like to know more, please, please go look at our website. Also feel free to connect with me on LinkedIn. See you later and until next time, take care.