Understand, identify, and control.
Look, we talk about risk a lot. But it is a concept that’s woven throughout so many different aspects of business governance—and a lot of what we do is aimed at identifying, managing, minimising, and controlling risk.
To give an idea of the scope of the matter, we’ve put together this guide to risk in business (not to be confused with Risky Business). Read on to discover the many types of risk that are on the table, why it’s so important to identify and control them, and how you can spot and reduce risk in your operations.
Understanding risk
It’s not all banana peels in walkways. In addition to safety risks (physical and psychosocial), there are employment risks, compliance risks, operational risks, financial risks, reputational risks, and more to worry about. There are generic risks and ones that are very particular to your industry or even company. You might risk missing an opportunity or losing profit—you might even risk being fined.
When imagining risks, you are exploring possible outcomes. If this happens, then this might happen. How can we prevent the first so we don’t have to deal with the second? Planning for worst-case scenarios and managing potential risk means we are prepared and have a plan for events that may occur. It also means productivity and profitability in the long term.
It’s important to understand that no plan, control, or procedure is foolproof. That’s why we create layers of risk management! In the Swiss Cheese model, an organisation’s defences against failure are modelled as a series of barriers, represented as slices of the cheese. The holes in the cheese slices represent individual weaknesses in individual parts of the system, and are continually varying in size and position in all slices. When layered, the holes (weak points) are covered by the solid sections of other slices.
Why do we need to identify and control risks?
There are many benefits to good risk management. We understand that identifying risks, deciding on controls, implementing and enforcing them, and reviewing policies regularly is time-consuming and can seem like a wasted resource. However, you may very unexpectedly find your business in a situation where the controls become all that’s standing in the way of serious injury, loss of life, major financial loss, or a reputation-ruining scandal of some sort. And in that moment, it will seem like time and money well spent.
Here’s a personal anecdote from Emma to bring it home: in the early days of her career, she was once told by an auditor that her risk assessment was not sufficient because she hadn’t taken everything into account—for example, bomb threats. She thought that was a bit over the top, and brushed him off. A week later, the road on which the business was located was closed. Due to a bomb threat.
Learn from Emma’s experience rather than your own! If nothing happens, so be it. If it does happen and you aren’t prepared, that’s when the sh*t will hit the fan. In the past two decades, New Zealand has experienced a major earthquake, a pandemic, a deadly volcanic explosion, and its largest terrorist attack. You never know what’s on the horizon.
It is the responsibility of company directors to do their “due diligence” and take reasonable care to ensure the business is complying with all relevant laws—including health and safety standards. A recent Supreme Court decision ruled that Mainzeal directors had breached their duties and were personally responsible for debt totalling many millions of dollars. In the USA, the Deepwater Horizon fire and resulting oil spill left BP liable for 11 counts of manslaughter and breaching the country’s Clean Water Act with fines to the tune of more than US$4.5 billion.
These real-life examples demonstrate the very real financial and reputational risk taken on by those in authority—and why it’s crucial to do everything possible to avoid these worst-case scenarios.
Practical ways to identify and control risks
Get the team involved
Thinking through all of the “what-ifs” should be done by those who run the risks as part of their work. Shop-floor risk is best identified by those on the shop floor, not directors in a boardroom.
Get everyone involved, and make it fun (or interesting, at the very least). Engaging your employees makes them much more likely to be aware of the risks and proactive in the controls. You can treat risk identification as a bit of a drama exercise, asking people to take any given situation through to the worst-case scenario. How badly could this be broken? How badly can we c*ck this procedure up? Include contractors and anyone who is involved in any given work.
If risk assessments are new to your team, start by simply brainstorming. Throw ideas up on a whiteboard, write them on a bit of paper, or even make a quick clip on your phone to capture the conversation. All of this is evidence you have taken the time to do something, and something is always better than nothing.
The health and safety jargon can get a bit much, so leave it behind if you want. Ask them to come up with five ways to make an action movie out of the next job. For each movie, they should then find one plot twist (control) that will bring the story back on track to something less “thriller/disaster” and a bit more “Disney happy ending”.
Ensure workers are authorised to mitigate risk
Often, taking action to control risk is beyond a worker’s authority. For example, a painter might find themselves in a situation where the safest way to paint something requires some extra PPE and tarpaulins, or a special low-VOC paint to minimise fumes. If they do not have the authorisation to go out and buy these things or make decisions like changing the plan slightly, time will be wasted—that, or safety will be disregarded.
The hierarchy of controls puts elimination at the top and less effective measures like PPE at the bottom. And while it’s a useful way to organise and direct your risk management, it’s probably not helpful for the people on the shop floor who are actually experiencing risk. The lower-level controls are often the only ones available to a worker without authorisation to make decisions and spend money.
For this reason, you should put careful thought into what leeway your employees have and what they need. This is not just about them, either—how much do you want to be involved at the management level? What is the productivity cost to you of having to make decisions constantly, as well as the productivity cost to them of having to constantly seek approval? If you’re happy with the status quo, that’s fine as long as you recognise that more time will be consumed by it. Deadlines to meet and places to be? You might want to place some balls in their court.
Ideally each person will be well trained in role-relevant risk management and have the authority, to a certain degree, to make decisions and spend agreed-upon money in the pursuit of it. Take the position description and add any decision-making power or general level of authority according to your risk matrix or role expenditure. As an example, a senior painter might be authorised to make decisions rated as “medium” or under 15 in our risk matrix, and spend up to $500 without prior approval. We often see decisions identified but not made—not because they have been told they can’t but because they haven’t been told they can. Good pre-emptive risk identification also helps in this regard; if you can predict the possible risky scenarios, you can have plans in place to mitigate them.
Make it clear that risk management is a priority
The attitude of management regarding risk will be reflected by the team. If taking unnecessary risks is just “the way we do things ‘round here”, it will remain that way until the culture changes. This is a top-down situation, starting with the directors. And as we demonstrated earlier with the Mainzeal example, directors have a very vested interest in reducing risk.
Weave risk management into your everyday operations so it becomes normal. Talk about it at team meetings, involve the team in risk identification (as we mentioned above), and make it very clear that it is of utmost importance.
TL;DR: the why and how of risk management
Risk comes in many forms: safety risks (physical and psychosocial), employment risks, compliance risks, operational risks, financial risks, reputational risks, and more. Identifying and controlling risk can save time, money, and even lives in the long term, and is also a crucial part of due diligence for company directors (which has been an expensive and difficult lesson for some).
You can never be sure what will happen, so it’s important to account for as many scenarios as possible. In February 2020, not many people would have predicted that the country would shut down for weeks on end, affecting many businesses in a very major way. But it happened, and now our risk assessments can take that possibility into account.
Here are a few ways you can identify and control risk in your operation:
- Get the team involved in risk identification. Have them catastrophise any given scenario, with their knowledge of how things work “at the coal face”. They have a better idea than management of how badly things could be c*cked up—take advantage of it.
- Make sure that people engaging in risky activities are educated and empowered to take (reasonable) action to mitigate risk. This means allowing some decision-making (and perhaps spending) authority where it will save time and/or money to take action immediately.
- Create a culture that prioritises risk management, from the top down. Weave it into day-to-day operations, discuss it regularly, and make it clear that it is important.
Get help when you need it
We’ve helped myriad companies get on top of their risk management: collaborating with their people to identify risk, creating appropriate controls, and nurturing a culture of safety and compliance. We can do the same for you!
Our Scorecard Assessment looks at the inner workings of organisations: not only at the frameworks they have in place but also how they link up (or don’t, leaving us exposed). Your peace of mind and way forward is in knowing what’s there, what’s well done, and what the next priorities are.
Take a look at our services that can provide valuable support at all levels, from staff workshops to equip and educate employees to advisory board arrangements which offer guidance and direction to directors and management.