Due to my professional background, I often get asked about risk management frameworks, software and practices. I try to avoid getting into the nitty-gritty (unless that’s the job requirement) because my main advice is to keep it simple and maintain focus on the people involved. Also, every organisation is different, so what works in one may not work in another.
If you are saving lives, powering cities, investing billions or selling products across the globe, I understand that you will be more interested in a solution that caters to your operational complexity. However, if you are a small or medium-sized government agency, not-for-profit organisation or company, you could benefit from keeping things simple. This is especially valid for organisations with lower risk maturity.
Don’t overcomplicate things.
There is no point in creating an elaborate risk management framework that will be a chore to maintain and that no one will engage with. The aim is to manage risks, not tons of paperwork.
Less is more.
I know it’s easier said than done (speaking from painful experience here, believe me), but when you are identifying risks, try to capture only the top risks or group them in some logical way so that you are monitoring a smaller list of risks.
There is no use having a risk register with hundreds of risks that no one will ever track. It’s certainly no way to manage them.
As with any business process, resources are limited, so you will need to make a choice about how many risks you can actively monitor. For a strategic risk register, for example, this should be fewer than ten, if possible.
Don’t worry about getting it perfect the first time…or ever.
Come up with something that is clear, manageable and that sparks conversation. If it’s a new process, you can review it in three or six months’ time and yearly from then on.
Accept that it’s an evolving thing, a live document that is meant to be reviewed regularly.
Focus on the culture, not the tools.
The point is for people to engage with the process in a sustainable manner, so your focus should be on improving the underlying risk culture, not on developing fancy tools. Spend your time communicating and building relationships with stakeholders to build their engagement and risk awareness.
I know that this approach is more difficult than emailing out requests and keeping a spreadsheet updated, but it’s necessary if you want to make a real impact. As such, I plan to explore influencing for introverts in a future post. In the meantime, check out my recent post on influencing without direct authority for some additional tips.
Any thoughts?
Have you ever been tasked with improving the risk culture in your organisation? What worked and what didn’t? Contact me and share your thoughts.
Thanks for your time.