<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>proximityriskassurance</title><description>proximityriskassurance</description><link>https://www.proximityriskassurance.com.au/blog</link><item><title>Contemporary business challenges - threat or opportunity?</title><description><![CDATA[What if your risk management efforts are perfect - well if not perfect, then operating pretty well?You've identified the threats and opportunities, prioritised the list so that you can focus your resources appropriately, identified actions to promote or mitigate the risk, as well as determining action owners and completion dates.Job's done, right?Wrong!Aside from the fact that you need to continuously monitor and review your risk environment and maintain regular communications on changing or<img src="http://static.wixstatic.com/media/7554f8_c6276e97a0b54678bdd35146e6e1d5e8%7Emv2_d_4708_3000_s_4_2.jpeg/v1/fill/w_626%2Ch_399/7554f8_c6276e97a0b54678bdd35146e6e1d5e8%7Emv2_d_4708_3000_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2018/01/25/Contemporary-business-challenges---threat-or-opportunity</link><guid>https://www.proximityriskassurance.com.au/single-post/2018/01/25/Contemporary-business-challenges---threat-or-opportunity</guid><pubDate>Thu, 25 Jan 2018 07:34:31 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_c6276e97a0b54678bdd35146e6e1d5e8~mv2_d_4708_3000_s_4_2.jpeg"/><div>What if your risk management efforts are perfect - well if not perfect, then operating pretty well?</div><div>You've identified the threats and opportunities, prioritised the list so that you can focus your resources appropriately, identified actions to promote or mitigate the risk, as well as determining action owners and completion dates.</div><div>Job's done, 
right?</div><div>Wrong!</div><div>Aside from the fact that you need to continuously monitor and review your risk environment and maintain regular communications on changing or emerging risks with key stakeholders, there is one other question that should also be on every manager's mind.</div><div>Do we have the necessary capability to manage the change, innovation, transformation and execution needed as a result of the risks we are addressing?</div><div>The operating environment for most firms has become increasingly complex in recent years. Change used to be something that happened periodically and tended to be incremental rather than a step change.</div><div>Today, change truly is the only constant. And it's not just big data and analytics or cybersecurity - think artificial intelligence, nano-technology, robotics, bio-technology, quantum computing, disruptive market entrants, agile competitors, flexible labour models, fickle consumers and legislation unable to keep up with all the changes.</div><div>We are now in the early stages of the 4th Industrial Revolution. How do you keep up, let alone get ahead of the curve?</div><div>Key to solving this dilemma is how an organisation manages its capability development program.</div><div>Recently, I have had the pleasure of working with Dr Paul Guignard of the <a href="http://www.capabilityinstitute.com">Capability Institute</a> to deliver Capability Development &amp; Transformation workshops which focus on both performance and risk in organisations.</div><div>This is achieved through a focus on individual capability, team capability and organisational capability - in Paul's words 'magnifying the impact of the human mind'.</div><div>Your business may be great at operational functions, have a stellar marketing team and have a robust supply chain. But what about your governance or project management skills? What about the development and maintenance of the desired culture? Ethics? People safety? 
Workplace relations?</div><div>An organisation needs to perform in all these areas and more in order to just survive, let alone thrive. The good news is that most of the answers reside in your people - they just need to be unleashed!</div><div>Get in touch to have a discussion about how your capability development efforts can be ramped up - contact me on 0404 829 040 or via <a href="mailto:anthonyw@proximityriskassurance.com.au?subject=Capability Development">email</a> or my <a href="http://www.proximityriskassurance.com.au">website</a></div><img src="http://static.wixstatic.com/media/7554f8_a930af74fcb645e8a3a2e690c022a754~mv2.jpg"/></div>]]></content:encoded></item><item><title>Don't just manage - take informed risks!</title><description><![CDATA[In my previous posts I've spoken about the origins of risk management, the terms and definitions associated with the profession and the reasons why organisations must manage risk.And even though I have emphasised that risk is a two-dimensional concept - that is, there are threats and opportunities - there still seems to be a persistent assumption that a discussion about risk is a conversation focused in the negative. 
As I've mentioned previously, organisations and risk teams that are solely<img src="http://static.wixstatic.com/media/7554f8_b832150cf24445c8ab14a06de6f0f41f%7Emv2_d_4000_3000_s_4_2.jpeg/v1/fill/w_626%2Ch_470/7554f8_b832150cf24445c8ab14a06de6f0f41f%7Emv2_d_4000_3000_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/10/19/Dont-just-manage---take-informed-risks</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/10/19/Dont-just-manage---take-informed-risks</guid><pubDate>Thu, 23 Nov 2017 02:28:57 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_b832150cf24445c8ab14a06de6f0f41f~mv2_d_4000_3000_s_4_2.jpeg"/><div>In my previous posts I've spoken about the origins of risk management, the terms and definitions associated with the profession and the reasons why organisations must manage risk.</div><div>And even though I have emphasised that risk is a two-dimensional concept - that is, there are threats and opportunities - there still seems to be a persistent assumption that a discussion about risk is a conversation focused in the negative. </div><div>As I've mentioned previously, organisations and risk teams that are solely directed at negative impacts are only doing half the job.</div><div>Risk management's most powerful element is the provision of better, more relevant data for decision making, or as some call it, informed risk taking.</div><div>Every decision is a risk decision - consisting of lots of minor or inconsequential decisions made almost automatically, right through to a very few significant, potentially life-changing choices. 
And this applies to us as individuals and to organisations.</div><div>I'm not suggesting for a moment that a risk management function that is well resourced, mature and supported by the C-Suite means decision makers will have perfect information for decision making.</div><div>In fact, those that have studied decision theory know that there is a cost benefit analysis to be done in the quest for perfect or near-perfect information. Sometimes, the cost of the additional information is not justified given the minor increase in certainty. A simple example of this analysis is at <a href="http://kfknowledgebank.kaplan.co.uk/KFKB/Wiki%20Pages/The%20Value%20of%20Perfect%20Information.aspx">http://kfknowledgebank.kaplan.co.uk</a></div><div>No, what I am instead suggesting is that in many cases, information that is relevant or pertinent to the decision at hand is often ignored, overlooked or taken out of context. The discipline needed in risk management is in conducting risk identification, assessment and analysis in such a way that all the appropriate data is unearthed.</div><div>And of course, the situation needs to be continually monitored for any change in the environment or in the context of the risk itself.</div><div>The key to making the best of the conditions confronting the organisation, such as change, disruption, innovation and transformation, is to carefully consider the opportunities and the threats and the balance of benefits and potential downsides.</div><div>Andrew Martin's paper <a href="https://www.geekwire.com/2013/5-startup-tips-informed-risks/">5 startup tips for taking informed risks</a> suggests 'Successful entrepreneurs are neither oblivious nor indifferent to risk; they understand the difference between assuming risk and engaging in risky behaviour'.</div><div>So once a conscious decision to take on the risk has been made, the focus can then move to actions that will maximise the chance of success, or controls that will mitigate the impact of a 
threat.</div><div>Yes, risk management has a role to play in preventing or minimising events that can have a detrimental impact on the organisation.</div><div>But even more importantly, the remit of risk management should be to better inform decision making - allowing organisations to more confidently take informed risks. The outcome? More reliable creation of value for the organisation.</div><div>My focus is on helping organisations up-skill and inform the operational business units on their role in informed decision making and the risk management process. Please visit my <a href="http://www.proximityriskassurance.com.au">website</a>, contact me via <a href="mailto:anthonyw@proximityriskassurance.com.au?subject=Further information">email</a> or give me a call on 0404 829 040 to find out more.</div><img src="http://static.wixstatic.com/media/7554f8_a930af74fcb645e8a3a2e690c022a754~mv2.jpg"/></div>]]></content:encoded></item><item><title>Want to accelerate business performance?</title><description><![CDATA[In my last blog post, I spoke about the three lines of defence - the commonly adopted framework for providing assurance to those that govern and manage the organisation that the risks of doing business are being appropriately managed.'Appropriate' in this context means taking advantage of opportunity risks and minimising the probability or impact of threat risks.Within every organisation there is a latent capacity to achieve amazing things - the difference between those organisations that do and<img src="http://static.wixstatic.com/media/7554f8_6e94a2ab7f3747eab1b122fa521cc11a%7Emv2_d_7000_3428_s_4_2.jpeg/v1/fill/w_626%2Ch_307/7554f8_6e94a2ab7f3747eab1b122fa521cc11a%7Emv2_d_7000_3428_s_4_2.jpeg"/>]]></description><dc:creator>Anthony 
Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/10/12/Want-to-accelerate-business-performance</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/10/12/Want-to-accelerate-business-performance</guid><pubDate>Thu, 19 Oct 2017 04:57:17 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_6e94a2ab7f3747eab1b122fa521cc11a~mv2_d_7000_3428_s_4_2.jpeg"/><div>In my last blog post, I spoke about the three lines of defence - the commonly adopted framework for providing assurance to those that govern and manage the organisation that the risks of doing business are being appropriately managed.</div><div>'Appropriate' in this context means taking advantage of opportunity risks and minimising the probability or impact of threat risks.</div><div>Within every organisation there is a latent capacity to achieve amazing things - the difference between those organisations that do and those that lag behind is the way the business leverages its greatest asset - its people.</div><div>If your organisation wants to turn 'our people are our greatest asset' from a throw away slogan that makes management feel good, to a true value and fundamental belief, then positive action needs to happen - now!</div><div>The benefit of this approach, for those firms willing to take it on, is that you will have a more resilient and agile organisation, able to change, innovate and transform itself even in the face of the continual disruption that is an ever-present feature of the modern world.</div><div>Unleashing this capacity means investing in the people who power the business. Frequently, when it comes to risk management, all the education and training goes to those that are in the 2nd and 3rd Line of Defence.</div><div>But what about those in the front line? 
Those that interact with clients, deal with the problems and develop workarounds and solutions to new and existing challenges - how deep is the investment in up-skilling these people to understand and contribute to both value creation and value protection?</div><div>If you're not undertaking risk training and development (and safety is only a part of the overall risk environment) then you need to act. Consider the following: </div><div>1. Once you've made the decision to improve business outcomes, identify key stakeholders and</div><div> communicate the goals of the program i.e. to support achievement of business objectives</div><div>2. Train your people in what risk is, why it's important and what part they should play -</div><div> particularly in the 1st line of defence</div><div>3. Align all elements of the Three Lines of Defence to maximise synergies, reduce duplication</div><div> and eliminate gaps in your risk assurance </div><img src="http://static.wixstatic.com/media/7554f8_c0502498697f404b8e1250dee75a36c3~mv2_d_2912_1804_s_2.jpeg"/><div>There are 3 elements to the Three Lines of Defence model for a reason - none of them alone could produce the outcomes required to meet the organisation's expectations in terms of business results. They each need to perform their specific role in the management of risk whilst also working together with an understanding of the 'big picture'.</div><div>The organisation benefits, each level in the three lines is satisfied and rewarded, the Board and Senior Management sleep well at night and importantly all other stakeholders reap the rewards of a more resilient and agile organisation.</div><div>What are you waiting for? 
Take the first step - contact us to discuss your training needs and our  for the 1st Line of Defence.</div><div>Anthony's mobile: 0404 829 040</div><div>Email: <a href="mailto:anthonyw@proximityriskassurance.com.au?subject=Request for Information">anthonyw@proximityriskassurance.com.au</a></div><div>Website: <a href="http://www.proximityriskassurance.com.au">www.proximityriskassurance.com.au</a></div></div>]]></content:encoded></item><item><title>You're not in this alone!</title><description><![CDATA[For those working in financial services industries or involved in risk, compliance or audit functions, the term 'three lines of defence' is probably pretty familiar. But outside of these areas, this risk governance framework is frequently unheard of and often misunderstood.So what is the 'Three Lines of Defence' model?Put simply, the model establishes responsibilities for risk management across the organisation and from top to bottom. The idea is to ensure that there are no 'gaps' in<img src="http://static.wixstatic.com/media/7554f8_899bc0fcb6e84613b185380817689494%7Emv2_d_4332_3627_s_4_2.jpeg/v1/fill/w_626%2Ch_524/7554f8_899bc0fcb6e84613b185380817689494%7Emv2_d_4332_3627_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/09/14/Youre-not-in-this-alone</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/09/14/Youre-not-in-this-alone</guid><pubDate>Thu, 14 Sep 2017 07:36:02 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_899bc0fcb6e84613b185380817689494~mv2_d_4332_3627_s_4_2.jpeg"/><div>For those working in financial services industries or involved in risk, compliance or audit functions, the term 'three lines of defence' is probably pretty familiar. 
But outside of these areas, this risk governance framework is frequently unheard of and often misunderstood.</div><div>So what is the 'Three Lines of Defence' model?</div><div>Put simply, the model establishes responsibilities for risk management across the organisation and from top to bottom. The idea is to ensure that there are no 'gaps' in understanding who does what and likewise, that there are no overlaps which only lead to inefficiency and confusion.</div><div>The diagram below is from the Institute of Internal Auditors in the UK. There are plenty of different versions out there but this represents the key principles pretty effectively. </div><img src="http://static.wixstatic.com/media/7554f8_59786df64c7042878d8a1dbef735393a~mv2.jpg"/><div>https://www.iia.org.uk/resources/audit-committees/governance-of-risk-three-lines-of-defence/</div><div>In the Three Lines of Defence (3LOD) model, the 1st Line of Defence are the business units or operations departments of the organisation. It's the 1st Line of Defence that owns and manages its risks. These can be the strategic risks it takes to create value, the external risks that are inflicted upon it and to which it has to respond, and the operational risks that are part of business as usual.</div><div>Part of the 1st line responsibilities with regards to risk are to develop and implement control mechanisms to reduce the likelihood or consequences of unwanted risks or, developing plans and initiatives to realise the benefit of upside risks. Naturally, they may be assisted in these areas by subject matter experts that may sit in the 2nd line of defence or be external to the organisation.</div><div>The 2nd Line of Defence is made up of the areas of the business that are often labelled support functions. Per the diagram above, there are a few different areas in the 2nd line. 
Not all of those shown will be in all organisations and in reality, some businesses will have additional 2nd line functions.</div><div>The primary role of the 2nd Line of Defence is to monitor risks and the risk environment. These functions serve as an 'overwatch' on the implementation and effectiveness of the controls implemented by the 1st Line in reducing threats or effectiveness of projects and initiatives undertaken to maximise opportunity.</div><div>The 2nd line functions will typically play an advisory role to the business where required - for instance, providing technical advice when developing a quality management system.</div><div>The 2nd line, or more specifically the risk management function, is often responsible for coordinating risk management activities across the organisation such as scenario analysis, developing simulation models and monitoring external and emerging risks. This should always be done in close cooperation with the business units and in the context of the organisation's objectives.</div><div>So, what is the role of the 3rd Line of Defence?</div><div>Internal Audit is the 3rd line and its primary purpose is to provide independent assurance that risk is managed. It does this by evaluating the adequacy and effectiveness of the controls implemented by the 1st line and monitored by the 2nd line. It also assesses management's approach to maximising opportunities through the application of sound project and change management disciplines.</div><div>Internal Audit may on occasion provide consulting services to the business on improving the effectiveness and efficiency of the control environment but must never take management responsibility for any part of the organisation other than its own function. </div><div>It is Internal Audit's independence that distinguishes it from the 1st and 2nd Line of defence. The first two lines report, and are responsible to, the senior management of the organisation. 
In well governed organisations, Internal Audit has functional reporting lines to the Audit Committee and an administrative reporting line only to the CEO. This is designed to achieve assurance that is independent from management.</div><div>The 3LOD model is generally a suitable model to adapt to most organisations. Whilst no model is perfect, it is generally well regarded and often referred to by professional organisations such as the Institute of Internal Auditors (IIA) and the Australian Prudential Regulatory Authority (APRA).</div><div>My view is that the biggest opportunity lies not with the 3LOD model itself, but rather with its application in businesses. Often, lots of effort and resources go into training and developing risk capability in the 2nd line of defence and to a lesser degree in the 3rd line.</div><div>It is my contention that there is an underinvestment generally in up-skilling the 1st line of defence with the capability they need to better play their part in the risk management program. This doesn't require turning business unit managers into pseudo risk managers but rather equipping them to be considering risk when making decisions.</div><div>At Proximity, we offer a one day training course for 1st line of defence managers, supervisors, team leaders and those that would like to be involved as risk 'champions' in their business unit. Visit the <a href="http://www.proximityriskassurance.com.au">website</a> to see further details on the program or check out the program flyer. Alternatively, give me a call to discuss your needs - Anthony Wilson 0404 829 040</div></div>]]></content:encoded></item><item><title>It was someone else's fault!</title><description><![CDATA[Organisations today, big or small, can no longer function or indeed survive on their own. 
Business partners, vendors, third party providers - all manner of relationships are required for the modern business to operate.For some, the attraction of engaging with these partners is to reduce their costs - a partner with scale in the particular area of expertise can almost always do it more effectively and efficiently.For others, there is a desire to outsource or contract out anything that is not<img src="http://static.wixstatic.com/media/7554f8_2905b76de6dc45279cee56760d9e1c85%7Emv2_d_4608_3072_s_4_2.jpeg/v1/fill/w_626%2Ch_417/7554f8_2905b76de6dc45279cee56760d9e1c85%7Emv2_d_4608_3072_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/08/09/It-was-someone-elses-fault</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/08/09/It-was-someone-elses-fault</guid><pubDate>Thu, 10 Aug 2017 04:04:40 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_2905b76de6dc45279cee56760d9e1c85~mv2_d_4608_3072_s_4_2.jpeg"/><div>Organisations today, big or small, can no longer function or indeed survive on their own. Business partners, vendors, third party providers - all manner of relationships are required for the modern business to operate.</div><div>For some, the attraction of engaging with these partners is to reduce their costs - a partner with scale in the particular area of expertise can almost always do it more effectively and efficiently.</div><div>For others, there is a desire to outsource or contract out anything that is not considered 'core' business for the organisation. 
This too has some logic as the organisation can focus the mind of its team on the things it does best.</div><div>More organisations are utilising third parties to perform functions as diverse as IT network management, payroll, call centre operations right through to cleaning the floors and maintaining property, plant and equipment.</div><div>But what happens when that provider doesn't perform their obligations as agreed in the contract or some negative event occurs in their business?</div><div>This week we saw a major incident with many Woolworths customers being charged a second time for a previous transaction. Note that I have no information on this incident other than what I have seen in the media.</div><div>Woolies has been quick to point out that the problem lay with their financial processing provider, Cuscal and to their credit, Cuscal has been open and upfront in admitting that the problem was at their end. They have apologised profusely to the customers affected.</div><div>This is just one example of many where a business's reputation has been tarnished by the performance of a third party.</div><div>So what has all this got to do with risk management? </div><div>Risk management is about making business decisions that take advantage of opportunities and minimise the threats. So when the opportunity to engage a third party to perform the function means a cheaper and more efficient provision of that service, the threats should also be considered (what if they don't perform, do they have the capacity? etc) and actions taken to mitigate them.</div><div>These business relationships need to be the subject of just as much scrutiny when considering an organisation's risks as anything that occurs within the business. And there should be a concerted effort to understand how big the issue could be. 
For instance:</div><div>Does the organisation have a listing of key third party relationships?</div><div>Is there a formal, up to date agreement in place that guides performance expectations and critically, does it include a 'right to audit' clause?</div><div>Does the organisation understand which relationships could cause major impacts to business as usual operations or to its reputation?</div><div>Who in the organisation is responsible to manage and monitor each of these risks?</div><div>Is there sufficient budget allocated to the Internal Audit function to include audits of the highest risk third party relationships?</div><div>Is a risk assessment performed before a new outsourcing arrangement is considered?</div><div>What arrangements are in place with third party providers for business interruption events? Have these been tested?</div><div>Are regular performance reports received from the third party provider and how do you determine that the information is factual and complete?</div><div>What process is taken to review previous performance before an arrangement is renewed or extended?</div><div>This is not an exhaustive list - each organisation should determine the key services / functions provided by third parties and evaluate how the relationships are being managed for the benefit of both parties.</div><div>Most organisations will have auditors at their disposal and should have a risk function active in the business - if you haven't done it already, now is the time to call on their expertise in evaluating the potential risks.</div><div>Better to manage the problem up front than to try and do it in front of the cold, hard glare of the TV cameras. Telling the world it was someone else's fault, even if it's true, is not going to help much in the court of public opinion.</div><div>Feel free to contact me if you'd like to review your organisation's third party exposures or to discuss any other risk issues. 
My mobile is 0404 829 040 or contact me via <a href="mailto:anthonyw@proximityriskassurance.com.au?subject=Discussion on risk">email</a> or my <a href="http://www.proximityriskassurance.com.au">website</a>. </div></div>]]></content:encoded></item><item><title>Weathering the storm! Business Resilience</title><description><![CDATA[In my last blog, I spoke about the importance of having a Crisis Management plan in place to respond to major issues affecting the organisation - anything from a significant natural disaster to the kidnapping of a senior member of staff.This is an absolute must have - the last thing you want to be doing in the face of a crisis is figuring out how you are going to respond. But the Crisis Management arrangements should be one component of a larger Business Resilience plan.If you look at a<img src="http://static.wixstatic.com/media/7554f8_1ba404a6cc93444d90e6460f6273f344%7Emv2_d_2860_1532_s_2.jpeg/v1/fill/w_626%2Ch_335/7554f8_1ba404a6cc93444d90e6460f6273f344%7Emv2_d_2860_1532_s_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/07/17/Weathering-the-storm-Business-Resilience</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/07/17/Weathering-the-storm-Business-Resilience</guid><pubDate>Mon, 17 Jul 2017 08:35:04 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_1ba404a6cc93444d90e6460f6273f344~mv2_d_2860_1532_s_2.jpeg"/><div>In my last blog, I spoke about the importance of having a Crisis Management plan in place to respond to major issues affecting the organisation - anything from a significant natural disaster to the kidnapping of a senior member of staff.</div><div>This is an absolute must have - the last thing you want to be doing in the face of a crisis is figuring out how you are going to respond. 
But the Crisis Management arrangements should be one component of a larger Business Resilience plan.</div><div>If you look at a dictionary definition of resilience it will say something like 'the capacity to recover quickly from difficulties'. And that's just what Business Resilience is - if the business is hit by an unexpected event, it's about how well and how quickly it can restore 'business as usual' operations.</div><div>Like most things in business, there won't be one absolutely correct way of structuring your business to maximise resilience. But there are a few common components that should exist in all plans.</div><div>Many people will be familiar with the traditional model of business resilience which typically included four key elements - Business continuity plans, IT disaster recovery plans, Emergency Response plans and Crisis Management plans.</div><div>Today however, these plans have been complemented by additional resilience tools.</div><div>Mainly, Cybersecurity Incident Response plans and Critical Infrastructure protection plans.</div><div>So let's review each of the elements, new and old, in more detail.</div><div>Business continuity plans - these plans are designed to ensure that key business locations within the organisation are able to respond to a local crisis situation and get back to 'business as usual' as rapidly as possible. The plan will allocate responsibilities and roles to key people in the team and will generally feature a generic response capability rather than event-specific responses.</div><div>Critical Infrastructure Plans - may be considered a sub-set of the business continuity plans. These target critical infrastructure rather than specific sites - for instance, communications or energy networks. They can feature specific responses to known potential events or generic response plans for unknown challenges.</div><div>Emergency Management Plans - are all about immediate actions when a critical event occurs. 
The event could affect one or multiple sites. These plans usually belong to the front line management teams as they are the first responders to any incident. Key to these plans is weathering the event and minimising further losses.</div><div>Occupant Emergency Plans - are a sub-set of Emergency Management plans in that they respond to events that primarily impact on your people, customers or contractors. An unfortunate example in this day and age is the rogue shooter episodes that occur frequently in the USA. Protection of human life is obviously the key goal.</div><div>Information Technology Disaster Recovery - is more frequently being broken into two sub-sets:</div><div><div>Information Security Contingency Plans - which are about preparing for interruptions to IT services and availability. Plans include Maximum Tolerable Outages (MTO) for major systems and also pre-determine which systems are not critical for 'stay in business' functionality.</div><div>Cybersecurity Incident Response Plans - these plans have a technology component and a data protection element and the type of incident will determine whether either or both are required. Understanding key systems and where critical data is stored is essential to being prepared.</div></div><div>Crisis Management Plans - readers will recall that I covered Crisis Management plans in my previous blog so I won't repeat the message here. I will stress however that a key component of Crisis Management planning is to have thought about your Crisis Communications well in advance of an incident occurring.</div><div>Organisations need to think through their own situation and determine what effort is required for business resilience planning given their own operating model. 
This should also include an analysis of what key functions are being performed by third party providers.</div><div>It is not unusual to find a majority of IT services outsourced, with many key functions and critical data being sourced or stored via the Cloud. Does your business resilience planning phase include these service providers as responses are developed? </div><div>Some organisations have no choice but to have robust business resilience plans in place - it can be mandated by regulators, shareholders or financiers.</div><div>Other businesses have a choice - choose wisely as these plans may be the only thing between a profitable recovery and the end of an otherwise successful business!</div><div>To discuss business resilience or any of your other risk management needs, please feel free to contact me on 0404 829 040 or via my email, <a href="mailto:anthonyw@proximityriskassurance.com.au?subject=Request for discussion">anthonyw@proximityriskassurance.com.au</a></div></div>]]></content:encoded></item><item><title>When all else fails - Crisis Management!</title><description><![CDATA[You're feeling pleased with all the focus and effort being given to risk management in your organisation.The business units have taken responsibility for the risks in their operations, and the Board and Senior Executive monitor the external environment regularly for threats and opportunities whilst applying solid risk evaluation techniques to the overall strategic plan. And the risk team monitor and report on key risks and their status regularly. 
Even other teams in the second line of defence<img src="http://static.wixstatic.com/media/7554f8_7a7422bfb9664002bad2fa7c04a88f5b%7Emv2_d_4096_3333_s_4_2.jpeg/v1/fill/w_610%2Ch_496/7554f8_7a7422bfb9664002bad2fa7c04a88f5b%7Emv2_d_4096_3333_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/06/21/When-all-else-fails---Crisis-Management</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/06/21/When-all-else-fails---Crisis-Management</guid><pubDate>Wed, 21 Jun 2017 00:16:38 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_7a7422bfb9664002bad2fa7c04a88f5b~mv2_d_4096_3333_s_4_2.jpeg"/><div>You're feeling pleased with all the focus and effort being given to risk management in your organisation.</div><div>The business units have taken responsibility for the risks in their operations, and the Board and Senior Executive monitor the external environment regularly for threats and opportunities whilst applying solid risk evaluation techniques to the overall strategic plan. </div><div>And the risk team monitor and report on key risks and their status regularly. Even other teams in the second line of defence understand what they need to do, and are doing it, to enable effective risk management across the organisation.</div><div>Then, disaster strikes! 
A product has quality issues and is recalled, a senior executive's relationship with a staff member is called into question, or a natural disaster impacts a key facility.</div><div>This is reality - despite the best efforts of everyone involved, sometimes stuff happens.</div><div>Believe it or not, there are organisations that eschew a formal risk management program and choose simply to deal with a crisis if and when it arises.</div><div>Whilst I don't agree that this is a sustainable strategy, I do wonder how much effort these organisations put into their Crisis Management arrangements.</div><div>This blog will examine the key elements that should exist in a Crisis Management Plan for any organisation - whether it has a formalised risk management program or not.</div><div>In his article in the Harvard Business Review*, Norman Augustine outlines six stages of Crisis Management:</div><div><div>Avoiding the Crisis</div><div>Preparing to Manage the Crisis</div><div>Recognising the Crisis</div><div>Containing the Crisis</div><div>Resolving the Crisis</div><div>Profiting from the Crisis</div></div><div>Avoiding the Crisis is self-explanatory. It is far better for the organisation to take the time and effort to prevent a crisis happening in the first place than to deal with the consequences. I have written before of the need to maintain a 'healthy unease' when thinking about risk - especially during the good times when all seems to be working out as planned.</div><div>An effective Enterprise Risk Management framework is a great start.</div><div>Preparing to Manage the Crisis is all about planning: taking the time to think about who needs to do what, and when, before a crisis occurs. Understanding key responsibilities, which facilities are critical to business operations, and how to respond to certain scenarios is all part of the process.</div><div>And the time to test that the plan works? Before a crisis! Rehearse the plan, adjust as necessary and then rehearse some more. 
Most organisations will hold a crisis management exercise at least annually.</div><div>And be sure to include key 3rd parties in the rehearsals - the first time you meet the head of an emergency services branch shouldn't be in the middle of a crisis!</div><img src="http://static.wixstatic.com/media/7554f8_50ab47df5c6f456fa76bcbeb8ad56ab4~mv2_d_3456_2166_s_2.jpeg"/><div>Recognising the Crisis can, surprisingly, take far longer than it should. Sometimes executives will struggle to accept that they are in fact in a crisis. This is commonly the case where the company is in the right regarding a technical issue but has completely misjudged the public reaction to it.</div><div>In today's world of social media, where anyone carrying a smartphone is a potential broadcaster, organisations need to be quicker than ever at recognising a groundswell of public discontent rapidly building into a crisis. Whilst 'jumping at shadows' is not the answer, management needs to monitor incident reporting trends and feedback from the public to recognise a potential issue in a timely manner.</div><div>Containing the Crisis means, in Augustine's words, '...triage: stopping the haemorrhaging'. And the difficult part is that to some degree you are flying blind. Not all the information about the crisis issue is yet available, and much of what is available is speculation and opinion.</div><div>But this is not the time to wait for perfect information. Decisions need to be made and they need to be made quickly. The public, regulators, shareholders, the media and other stakeholders are looking for decisive leadership at this time. Doing something is generally better than no response at all. And the additional challenge for CEOs at this time is that they have a barrage of advisors all telling them how they think the crisis should be handled.</div><div>Along with acting, the organisation needs to communicate, and communicate a lot. 
In the absence of this, the media will find someone who has an opinion on the crisis, and it may not even be close to the truth of the matter. Having a trained and professional company spokesperson is essential for getting your key messages out in a timely and consistent manner.</div><div>Resolving the Crisis is the phase where you try to get back to business as usual as quickly as possible. The sooner you can show the public or other stakeholders that you are on top of the situation and have taken appropriate actions, the quicker the crisis situation will subside.</div><div>Whether this is recalling a defective product, disciplining or separating the wayward executive, or looking after staff and customers affected by a natural disaster, any hostility or anger will tend to abate once stakeholders see that the organisation has taken the situation seriously and responded accordingly.</div><div>But how do you end up Profiting from the Crisis? Going over and above the expectations of stakeholders is a lot of the answer. 
Where a business recognises that the trust of its customers is key to future success, the cost of these additional actions - which might be measured in many millions of dollars - shows that the organisation is prepared to put people before profit.</div><div>Not every crisis will present such an opportunity, but amid the noise of the lawyers telling you not to take action because of potential litigation, or the CFO forecasting the grave impact on results, sometimes a leader has to stand up and do what they are paid to do - lead!</div><div>Crisis Management forms part of a broader Business Resilience Framework - generally made up of Business Continuity Planning, Emergency Response Plans, IT Disaster Recovery and Crisis Management.</div><div>We'll review Business Resilience in a later blog.</div><div>As always, should you wish to discuss any of your risk management needs, please contact me on 0404 829 040 or via my website <a href="http://www.proximityriskassurance.com.au">www.proximityriskassurance.com.au</a></div><div>* Managing the Crisis You Tried to Prevent, Augustine, N., Harvard Business Review Press, 2000</div></div>]]></content:encoded></item><item><title>Control yourself - or at least control the risk!</title><description><![CDATA[During our review of the 7 steps of the risk management process, we identified the crucial role that controls play in mitigating threat risks to the organisation.Recall that for those risks where the inherent risk level was unacceptable, we needed to take certain actions to mitigate the risk. Some people keep the term 'action' until such time that they have been fully implemented, at which point they are called 'controls'. 
There are, of course, many existing controls in organisations that have<img src="http://static.wixstatic.com/media/7554f8_2042736f4c9345939c8bbf26d958d2ef%7Emv2_d_4500_3000_s_4_2.jpeg/v1/fill/w_626%2Ch_417/7554f8_2042736f4c9345939c8bbf26d958d2ef%7Emv2_d_4500_3000_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/05/22/Control-yourself---or-at-least-control-the-risk</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/05/22/Control-yourself---or-at-least-control-the-risk</guid><pubDate>Mon, 22 May 2017 03:17:04 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_2042736f4c9345939c8bbf26d958d2ef~mv2_d_4500_3000_s_4_2.jpeg"/><div>During our review of the 7 steps of the risk management process, we identified the crucial role that controls play in mitigating threat risks to the organisation.</div><div>Recall that for those risks where the inherent risk level was unacceptable, we needed to take certain actions to mitigate the risk. Some people keep the term 'action' until such time that they have been fully implemented, at which point they are called 'controls'. There are, of course, many existing controls in organisations that have been developed over time as risks have been identified.</div><div>Where the risk identified is an opportunity for the organisation, actions are also identified and put in place, with the intention of increasing the likelihood and impact of the risk event.</div><div>So what are controls?</div><div>If we recall the definition from the International Standard ISO31000:2009, risk is 'the effect of uncertainty on objectives'.</div><div>A control, therefore, is an activity designed to prevent or detect the errors or events that may lead to the risk eventuating. 
These measures or actions taken to modify the risk typically include physical things like equipment or technology, or 'soft' controls like policies, procedures, techniques or methods.</div><div>Controls generally fall into one of three categories:</div><div><div>Preventative: these controls are designed to stop the risk from occurring (or facilitate the risk if an opportunity) in the first place and should link to the risk drivers, or causes, of the risk.</div><div>Detective: designed to identify the incidence of the risk occurring in a timely manner after the event (e.g. a fraud).</div><div>Recovery: once an event or risk has occurred, these controls are designed to return to 'business as usual' as quickly as possible.</div></div><div>In the area of safety of people, many will be familiar with the Hierarchy of Controls (shown below) which rates the effectiveness of the various controls options from most effective to least effective. Naturally, these controls are all preventative in nature.</div><img src="http://static.wixstatic.com/media/7554f8_c60450bcbf2e41fd91ff6b06fdb5bae7~mv2.jpg"/><div>Like the Hierarchy of Controls in safety, controls used to modify other risks will vary in their effectiveness. 
</div><div>Those controls relying on people to follow a process or procedure (people-based) will typically be less effective than a system or engineering (automated) control.</div><div>Some examples of people-based controls include:</div><div><div>Segregation of Duties - for instance, one person cannot both raise a purchase order and make the payment against it</div><div>Reconciliations - where two sets of numbers that should balance are tested, ensuring data is sourced from different systems or records</div><div>Management review - a person superior to the preparer reviews the evidence and processes performed, for instance, reviewing reconciliations</div></div><div>System or automated controls can include things like:</div><div><div>Password resets - scheduled changes to user passwords to reduce the risk of unauthorised system access (note that more recent guidance, such as NIST SP 800-63B, advises against forcing periodic password changes and instead favours screening new passwords against lists of known-compromised passwords)</div><div>'Deadman' switch - on equipment, to automatically shut down if the operator lets go or is incapacitated</div><div>Exception reporting - system generated reports indicating variations outside of acceptable parameters</div></div><div>Having controls in the business comes at a cost - implementation, review and auditing all consume company resources. But there are very good reasons why all businesses need a good control environment. Good controls help businesses to:</div><div><div>Protect value and create value for the organisation</div><div>Set the culture to deter, prevent and detect theft / fraud and human error</div><div>Make sure policies and procedures are observed in practice</div><div>Achieve effectiveness and efficiency in business operations</div><div>Promote accurate and reliable financial records and reporting</div></div><div>To achieve these benefits, controls should be regularly assessed for effectiveness. 
This can be via self-assessment in the first line of defence and/or through monitoring by the second line of defence.</div><div>For truly independent and objective feedback, the controls should be tested by the organisation's Internal Audit function (noting that the external auditors will also test those internal controls over financial reporting that are material to the accounts).</div><div>For clarity amongst all stakeholders, there should be an agreed rating scale for control strength, so that the business can prioritise responses to control weaknesses. Below is an example Control Effectiveness Assessment:</div><img src="http://static.wixstatic.com/media/7554f8_d5f6c6fb97cc4813a5d0ddfaacba0beb~mv2.jpg"/><div>Like every other aspect of the risk management process, controls should be regularly and critically reviewed. In some organisations, controls can be easy to design and implement but harder to retire once they have outlived their usefulness.</div><div>Ineffective or outdated controls waste time and effort and lead employees to wonder whether management really does understand the current business environment. Clear lines of communication, especially during the risk assessment process, should avoid this becoming an issue.</div><div>My focus at <a href="http://www.proximityriskassurance.com.au">Proximity Risk &amp; Assurance</a> is to work with the first line of defence, the business operations, to better play their part in the risk management process. 
Please contact me to discuss how I can assist in your business - via this <a href="mailto:anthonyw@proximityriskassurance.com.au?subject=Request for discussion">email link</a> or on mobile - 0404 829 040.</div></div>]]></content:encoded></item><item><title>You don't even know you're doing it!</title><description><![CDATA[In my previous blog posts we've spoken about the origins of risk management, some of the confusing terminology, why it's important for organisations to manage risk and most recently, the 7 steps in the risk management process.In today's post, I wanted to talk about something that has more general application across many fields but is especially important to be aware of in all phases of the risk management process.And that is cognitive biases. According to Wikipedia(1), a cognitive bias refers to<img src="http://static.wixstatic.com/media/7554f8_b0becd4420d54aa78dec41aea8cd7acf%7Emv2_d_3154_4000_s_4_2.jpeg/v1/fill/w_470%2Ch_596/7554f8_b0becd4420d54aa78dec41aea8cd7acf%7Emv2_d_3154_4000_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/04/19/You-dont-even-know-youre-doing-it</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/04/19/You-dont-even-know-youre-doing-it</guid><pubDate>Wed, 19 Apr 2017 02:57:01 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_b0becd4420d54aa78dec41aea8cd7acf~mv2_d_3154_4000_s_4_2.jpeg"/><div>In my previous blog posts we've spoken about the origins of risk management, some of the confusing terminology, why it's important for organisations to manage risk and most recently, the 7 steps in the risk management process.</div><div>In today's post, I wanted to talk about something that has more general application across many fields but is especially important to be aware of in all phases of the risk management process.</div><div>And that is cognitive biases. 
According to Wikipedia(1), a cognitive bias refers to the systematic pattern of deviation from norm or rationality in judgment, whereby inferences about other people and situations may be drawn in an illogical fashion. Individuals create their own &quot;subjective social reality&quot; from their perception of the input.</div><div>So how does this behaviour manifest itself in our thinking?</div><div>Verywell.com(2) states 'When we are making judgments and decisions about the world around us, we like to think that we are objective, logical, and capable of taking in and evaluating all the information that is available to us. The reality is, however, that our judgments and decisions are often riddled with errors and influenced by a wide variety of biases. The human brain is both remarkable and powerful, but certainly subject to limitations. Cognitive biases are just one type of fundamental limitation on human thinking.'</div><div>As we have discovered in our journey through the various stages of the risk management process, determining the threats and opportunities that make up the risks to the organisation is part science and part art. In other words, there are quantitative elements and qualitative components.</div><div>The diagram below, developed by John Manoogian III, shows 180 different biases grouped into four categories - What Should We Remember, Too Much Information, Not Enough Meaning and Need To Act Fast.</div><img src="http://static.wixstatic.com/media/7554f8_9edd84ebcd9448fca514a76aefcb5304~mv2.png"/><div>By Jm3 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons(3)</div><div>Whilst it is beyond the scope of this blog to examine all of the biases, there are six that we will look at that may be particularly relevant to the risk management process:</div><div>Confirmation bias - this type of cognitive bias involves favouring information that confirms previously existing beliefs or biases. 
If the CEO, for instance, forms a view that an acquisition will be good for the company before doing the analysis, they will tend to look for evidence that supports their view and disregard people and information that counter it.</div><div>Optimism bias - this bias is about overestimating a positive and pleasing outcome to situations. For instance, when launching a new product the marketing manager may confidently predict that his product will be better accepted by consumers than a competitor's similar product and that the chances of any problems with the product will be much lower.</div><div>Availability heuristic - is relying on things that immediately come to mind as a kind of mental shortcut. As an example, when participating in a risk identification workshop you might be asked for potential threats to the organisation. If there have been several building fires reported in the press recently, your mind will readily recall 'fires' as a potential threat and put higher weight on its likelihood.</div><div>Normalcy bias - this bias is simply the refusal to plan for, or react to, a risk that has never happened before. If you have always run projects a certain way and never had a major failure, the chances are that you will not be open to any suggestions of possible risks that haven't occurred previously (sometimes known as the 'ostrich effect').</div><div>Anchoring effect - is a bias in which people tend to use the first piece of information they receive on a subject and overlook subsequent data. When a manager is pressed by his supervisor for a figure on how much financial impact a risk will have, whatever number he says becomes the 'anchor' in the supervisor's mind, and anything more will disappoint even if new data comes to light that supports a higher number.</div><div>Neglect of probability - is the tendency to completely disregard probability when making a decision under uncertainty. 
The challenge of this bias is that when people have to estimate the probability of an event occurring they tend to rely on 'gut feel' or emotions, and will typically disregard the statistics or records of actual occurrences over time.</div><div>These are just some of the biases at play in risk management - it would be wise to explore these further and think about how they may be playing a part in your risk decision making.</div><div>If you are looking for further explanation on these and other biases in risk management, Alex Sidorenko of the Risk Academy has a series of short YouTube videos - the first is at: </div><div><a href="https://youtu.be/eBuveFSYnGI?list=PLOX-oMfuEe7zzratH9sL4hp1iIfqYpxgS">https://youtu.be/eBuveFSYnGI?list=PLOX-oMfuEe7zzratH9sL4hp1iIfqYpxgS</a></div><div>Biases colour all our opinions when making decisions. The key for us is to be aware of these biases and try to take measures to mitigate them. Techniques can include involving several people in key decisions and making sure all opinions are heard. Also, writing down the reasons for the decision you have reached and looking back at it to see if there are any assumptions rather than facts and, if so, how you arrived at those assumptions.</div><div>When it comes to risk management, which is not an exact science, we always have to be cognisant of these 'beliefs' and the 'illogical fashion' in which we can interpret situations.</div><div>As always, should you wish to discuss your risk management challenges, please feel free to contact me at <a href="mailto:anthonyw@proximityriskassurance.com.au?subject=">anthonyw@proximityriskassurance.com.au</a> or via my website <a href="http://www.proximityriskassurance.com.au">www.proximityriskassurance.com.au</a></div><div>1. https://en.wikipedia.org/wiki/Cognitive_bias</div><div>2. https://www.verywell.com/what-is-a-cognitive-bias-2794963</div><div>3. 
https://commons.wikimedia.org/wiki/File%3AThe_Cognitive_Bias_Codex_-_180%2B_biases%2C_designed_by_John_Manoogian_III_(jm3).png</div></div>]]></content:encoded></item><item><title>Don't waste your risk efforts - Monitor and Review!</title><description><![CDATA[You've done a great job to date with your risk management efforts - you've communicated extensively, established the context in which your risk process was conducted, identified, analysed and evaluated the risks and finally decided on which risks needed further treatment.Does that mean you're done? No!The very nature of the world we live in means that things change - some risks become less relevant and new risks emerge all the time. And the pace of change seems to be accelerating.In short,<img src="http://static.wixstatic.com/media/7554f8_d6553de8aee2413baf23e5e5b2a0cd9d%7Emv2_d_4928_3264_s_4_2.jpeg/v1/fill/w_626%2Ch_415/7554f8_d6553de8aee2413baf23e5e5b2a0cd9d%7Emv2_d_4928_3264_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/04/03/Dont-waste-your-risk-efforts---Monitor-and-Review</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/04/03/Dont-waste-your-risk-efforts---Monitor-and-Review</guid><pubDate>Mon, 03 Apr 2017 06:15:21 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_d6553de8aee2413baf23e5e5b2a0cd9d~mv2_d_4928_3264_s_4_2.jpeg"/><div>You've done a great job to date with your risk management efforts - you've communicated extensively, established the context in which your risk process was conducted, identified, analysed and evaluated the risks and finally decided on which risks needed further treatment.</div><div>Does that mean you're done? No!</div><div>The very nature of the world we live in means that things change - some risks become less relevant and new risks emerge all the time. 
And the pace of change seems to be accelerating.</div><div>In short, managing risk is a never-ending task - but it doesn't have to be a chore.</div><div>So what do the two elements - monitor and review - actually involve?</div><div>The monitoring component is about checking in and observing the organisation's risks to ensure that performance is as expected - that is, no deviations from the planned outcomes. It should include checking that agreed risk treatments have been implemented, that they are understood and are being performed as required. If there are actions outstanding, there should be dates for completion and a responsible person nominated to complete them.</div><div>Monitoring should also test the effectiveness of these treatments along with the effectiveness of any existing controls. Importantly, this is where any identified Key Risk Indicators (KRIs) are tracked and form the basis of reporting for Management and the Board.</div><div>The review element of this step is about reviewing the applicability of the current risks - are they still relevant, and are the risk ratings still appropriate - as well as determining if there are new or emerging risks that need to be considered.</div><div>Should a new risk be identified, it should go through the whole assessment process to ensure it is rated and treated as appropriate.</div><div>If there has been sub-standard performance with any of the identified risks, be they a threat or opportunity, the review step should also be used to analyse and document what went wrong. Learning lessons from these events or incidents further strengthens the risk management process. 
What has worked, what didn't - all contributes to a better understanding of the business's risk environment.</div><div>One other thing to keep in mind during the overall Monitor and Review step is that it is worth checking that the context hasn't changed - remember that the context in which the organisation, division, function or project operates is key to any successful risk activity.</div><div>As indicated earlier, one of the key functions of the Monitor and Review step is to provide the Board and Management with assurance about the effectiveness of the risk management framework and risk management process. As such, it's an ongoing activity rather than an annual, twice-yearly or quarterly event like the risk identification step tends to be.</div><div>This blog effectively concludes my review of the 7 steps in the risk management process - I hope it has in some small way provided clarity to your thinking about risk management.</div><div>My business, <a href="https://www.proximityriskassurance.com.au/">Proximity Risk &amp; Assurance</a>, has developed a training program called &quot;Risk Basics&quot; designed to educate and up-skill those in the first line of defence about their role in risk management. I can also assist these teams in implementing and embedding the risk management process into their function.</div><div>Please contact me via my website or my mobile (0404 829 040) should you wish to discuss your risk management challenge and how I may be able to assist.</div><div>Keep an eye out for my next blog post!</div></div>]]></content:encoded></item><item><title>Time to act! Risk treatment</title><description><![CDATA[You've now analysed and evaluated the risks to the organisation, division, department or project. 
You should now have a pretty clear picture of the priorities of these risks and, importantly, those that require a judgement to be made on treatment options.There are seemingly myriad ways to treat risks - reducing the likelihood of a threat or increasing the impact of an opportunity, or getting rid of the risk altogether. Generally you'll find that the options fall into one of four<img src="http://static.wixstatic.com/media/7554f8_015f66d084a842a096536c47ef5dbe5f%7Emv2_d_5153_3997_s_4_2.jpeg/v1/fill/w_470%2Ch_365/7554f8_015f66d084a842a096536c47ef5dbe5f%7Emv2_d_5153_3997_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/02/20/Time-to-act-Risk-treatment</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/02/20/Time-to-act-Risk-treatment</guid><pubDate>Sun, 19 Feb 2017 23:34:55 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_015f66d084a842a096536c47ef5dbe5f~mv2_d_5153_3997_s_4_2.jpeg"/><div>You've now analysed and evaluated the risks to the organisation, division, department or project. You should now have a pretty clear picture of the priorities of these risks and, importantly, those that require a judgement to be made on treatment options.</div><div>There are seemingly myriad ways to treat risks - reducing the likelihood of a threat or increasing the impact of an opportunity, or getting rid of the risk altogether. Generally you'll find that the options fall into one of four categories:</div><div><div>Avoid the risk</div><div>Reduce the risk</div><div>Transfer the risk</div><div>Accept the risk</div></div><div>So let's look at each option in a bit more detail.</div><div>Avoiding the risk is pretty straightforward. You avoid processes, systems or arrangements that give rise to the risk.</div><div>Say the organisation was looking to expand its operations to a new country. 
The opportunity is attractive as there is a large population and a demand for your product or service. However, corruption is rife, and getting the required permissions to establish a presence in the country will require frequent dealings with a variety of government departments and private entities.</div><div>For an organisation with zero tolerance for bribes, corruption or any form of illicit payments, this opportunity would not be worth the risk to its reputation, so it would avoid the risk.</div><div>The above is a fairly complex case - frequently the avoid decision will be more straightforward. For example, if a task is unsafe for staff members, then eliminate the task or find another way to get it done.</div><div>Reducing the risk is the choice made where the threat (or opportunity) arises from an activity that is vital for the organisation to stay in business, and therefore can't be avoided.</div><div>So the challenge for the organisation is to mitigate these risks: to minimise the likelihood of the threat eventuating or maximise the chance of the opportunity being realised.</div><div>Efforts can also be focussed on minimising the impact should the threat materialise, or maximising the benefit in the case of an opportunity.</div><div>Say for example our business operates in an area prone to earthquakes. Alternative sites are not an option, and for the business to thrive and survive it needs to be located in this region.</div><div>To reduce the risk, we build using earthquake-resistant materials and techniques (remember the hazard is the earthquake; the risk is the building collapsing as a result of an earthquake), therefore lessening the likelihood of the risk eventuating.</div><div>Organisations will also have strategies in place to minimise the impact of a risk should it eventuate. 
Often grouped under the term Business Resilience, the elements are:</div><div>Emergency Response plans</div><div>Business Continuity plans</div><div>IT Disaster Recovery plans</div><div>Crisis Management plans</div><div>Transferring the risk means moving the impact of the risk, in part or fully, to a third party. There are a few different ways to accomplish this.</div><div>Insurance is the most well-known and common form of risk transfer. For the payment of a premium, the insurer will assume the financial consequences of the risk occurring, within the limits and exclusions of the policy. Usually there is also a deductible or excess payable in the event of a claim.</div><div>Hedging is another way to transfer risk, using financial instruments such as forward contracts. For example, if the organisation buys goods from overseas, a significant movement in the exchange rate could seriously affect the business. To avoid this, the organisation can enter into a forward contract (a 'hedge') that locks in the exchange rate at an agreed level.</div><div>Outsourcing or co-sourcing also enables risk transfer. Access to specialist skills, additional resources or just the capability to do 'non-core' work reduces the risk to your firm of carrying out those activities itself. Bear in mind, though, that accountability for the outcome generally stays with your organisation - a failure at a supplier (a data breach, for instance) is still your organisation's failure in the eyes of customers and regulators, so the contract and your oversight of the supplier become controls in their own right.</div><div>Finally, joint ventures or partnerships are also ways of transferring risk, or more specifically sharing risk. Bringing on board another party provides additional finances, people, skills, systems etc. to improve the likelihood of the opportunity being realised. While sharing the benefits, any downside is also spread amongst the venturers.</div><div>When transferring risks, it's worth remembering that there is no such thing as a free lunch! There will be a financial impact on the organisation to transfer risks - the question is whether the cost is less than the impact of a risk being realised.</div><div>Accepting the risk means just that. There are some risks that the organisation will be able to do very little about. For others, the cost to treat the risk may be prohibitive (especially when compared to the potential impact). 
</div><div>In these cases, an organisation accepts that an uncertain outcome may occur. But this doesn't mean do nothing - at the very least, response plans should be thought through in the event that the risk eventuates.</div><div>Funding may need to be put aside to address potential losses and to recover the organisation back to 'business as usual'.</div><div>Whether a risk is accepted because it is not feasible to treat it, or because it is considered a low risk, it should still be monitored on an ongoing basis in case the situation changes.</div><div>It is also worth having in place a process that determines who is allowed to accept a risk on behalf of the organisation - 'low' risks may be a functional manager's call, whereas 'very high' or 'extreme' risks should require CEO and Board approval.</div><div> -------------------------------------------------------------------</div><div>Treating risks may seem like the culmination of all of your risk work and in some ways it is. But it is not the end! How do you know the treatment is working? Or if the situation has changed? We'll review the next step, Monitor and Review, in the next post.</div></div>]]></content:encoded></item><item><title>Risk it or not? Risk evaluation.</title><description><![CDATA[The final phase of the three-step risk assessment stage of the risk management process is about making choices about the threats and opportunities, collectively the risks, facing the organisation.In the last post detailing risk analysis, we developed a prioritised list of risks for the organisation. 
This enabled us to discard the low rated risks from further analysis (subject to periodic monitoring) and left the higher rated threats and opportunities for further consideration.Given that most<img src="http://static.wixstatic.com/media/7554f8_2accecfb739d4087842df07e7de2ec69%7Emv2_d_3072_2048_s_2.jpeg/v1/fill/w_626%2Ch_417/7554f8_2accecfb739d4087842df07e7de2ec69%7Emv2_d_3072_2048_s_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/02/06/Risk-it-or-not-Risk-evaluation</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/02/06/Risk-it-or-not-Risk-evaluation</guid><pubDate>Mon, 06 Feb 2017 06:19:40 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_2accecfb739d4087842df07e7de2ec69~mv2_d_3072_2048_s_2.jpeg"/><div>The final phase of the three-step risk assessment stage of the risk management process is about making choices about the threats and opportunities, collectively the risks, facing the organisation.</div><div>In the last post detailing risk analysis, we developed a prioritised list of risks for the organisation. 
This enabled us to discard the low rated risks from further analysis (subject to periodic monitoring) and left the higher rated threats and opportunities for further consideration.</div><div>Given that most organisations are limited as to how many resources can be directed to risk management, risk evaluation is about getting the most 'bang' for your risk management 'buck'.</div><div>In most cases, what's an acceptable risk and what is not will be determined by some sort of financial measurement - think commodity price movements, labour costs, theft or fraud and the like.</div><div>In other cases, acceptability will be determined by societal expectations - safety of people, environmental performance, not tolerating child labour in the supply chain - all potentially damaging to an organisation's reputation if not directly to the bottom line.</div><div>Many organisations find that the number of individual risks can become overwhelming, so they group them into categories and set a risk appetite for each category. The risk consequence table that we saw in the last blog is one way of capturing the 'appetite' per category set by the Board or Senior Management.</div><div>For those risks selected for the evaluation phase, consideration is given to additional controls that can be introduced to minimise the threat (or maximise the opportunity).</div><img src="http://static.wixstatic.com/media/7554f8_15927580ba6f407cb8dd5773f4f37c60~mv2.png"/><div>So how do we know what's tolerable and what's not?</div><div>This is the topic for another blog but suffice to say, the risk appetite is generally described as the level and type of risks that the Board and Senior Management are willing to take in order to achieve the objectives and mission of the business.</div><div>The risk tolerance, on the other hand, is the level of risk the organisation can bear, beyond which the risk becomes unacceptable. 
</div><div>A brief example might be that the Board has an 'appetite' for staff turnover of 10% per annum but the 'tolerance' for this risk is a maximum turnover of 15% and a minimum of 5%.</div><div>In our risk register above, the evaluation of the 'Attract Key People' risk shows that it is not within tolerance. This means that this risk will require further decision making in the next phase of the risk management process - Treat Risks.</div><div>The evaluation phase of risk assessment is very important in determining where the organisation should focus its (usually) limited risk resources. </div><div>Some people combine the risk analysis and risk evaluation steps - there's no problem with this as long as the key objective is achieved - an understanding of the major risks to the organisation and whether enough is presently being done to manage them.</div><div>Next blog we'll look at treating risks - where organisations learn to live with the threats and opportunities they face.</div></div>]]></content:encoded></item><item><title>What you should (and shouldn't) lose sleep about! Risk Analysis.</title><description><![CDATA[In the last post, we reviewed the first step, Identify Risks, in the three phase Risk Assessment process. Now we'll have a look at what's involved in step two, Analyse Risks.So, you have a list of risks you've identified that will normally consist of several threats to achieving your business objectives and hopefully, some opportunities to maximise the organisation's results. So what now?Firstly, you need to analyse the risks. Why? Because not all risks are created equal! 
Some threats are large<img src="http://static.wixstatic.com/media/7554f8_015fdc98095b42548a12ec889cc6e3a0%7Emv2_d_5184_3456_s_4_2.jpeg/v1/fill/w_470%2Ch_313/7554f8_015fdc98095b42548a12ec889cc6e3a0%7Emv2_d_5184_3456_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2017/01/20/What-you-should-and-shouldnt-lose-sleep-about-Risk-Analysis</link><guid>https://www.proximityriskassurance.com.au/single-post/2017/01/20/What-you-should-and-shouldnt-lose-sleep-about-Risk-Analysis</guid><pubDate>Fri, 20 Jan 2017 01:07:45 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_015fdc98095b42548a12ec889cc6e3a0~mv2_d_5184_3456_s_4_2.jpeg"/><div>In the last post, we reviewed the first step, Identify Risks, in the three phase Risk Assessment process. Now we'll have a look at what's involved in step two, Analyse Risks.</div><div>So, you have a list of risks you've identified that will normally consist of several threats to achieving your business objectives and hopefully, some opportunities to maximise the organisation's results. So what now?</div><div>Firstly, you need to analyse the risks. Why? </div><div>Because not all risks are created equal! </div><div>Some threats are large and imminent and therefore require immediate and decisive action. Some opportunities are small and unlikely so probably don't warrant precious resources being focussed on them.</div><div>So this critical step helps sort minor or negligible risks from the major / critical / catastrophic ones.</div><div>In doing so, the risk analysis phase endeavours to understand the nature, sources and causes of the risks identified. Importantly, it also studies the impacts or consequences should the risk eventuate and the likelihood or probability of it occurring. </div><div>The final step in the risk analysis process is to examine any controls currently in place to mitigate the risk. 
This will include a view on the controls' effectiveness.</div><div>The effort required in this step will depend on the type of risks, the comprehensiveness of the information available and the resources dedicated to conducting the analysis.</div><div>There are a couple of key tools used to help rank the risks – a consequence table and a likelihood table (examples below). Naturally, the consequence and likelihood tables for your organisation will be customised to its risk environment and will be more comprehensive than these examples.</div><img src="http://static.wixstatic.com/media/7554f8_ca8fce7314194bcfb2fe762b9dee8f79~mv2.png"/><img src="http://static.wixstatic.com/media/7554f8_9189e44304cc4e6e8f18441f0548f344~mv2.png"/><div>How do you rate the various risks? There should be multiple inputs to this process to ensure the widest possible range of data and people are consulted. Various methods used include:</div><div>Risk workshops or brainstorming sessions</div><div>Subject Matter Expert (SME) input</div><div>Past audit report findings</div><div>Historical incident records (including those affecting competitors or similar industries)</div><div>Industry or external experts</div><div>Once you collate all of the inputs from the various analysis exercises you'll need to plot the risks onto a 'heat map' or risk matrix. 
This helps visualise the risks in terms of their consequence and likelihood but also in relation to each other - that is, you can start to see which are the greater threats or opportunities.</div><img src="http://static.wixstatic.com/media/7554f8_263dbfdf268c46a9b22e20515b74df06~mv2.png"/><div>As a result of your analysis efforts, you'll produce the first stage of what will ultimately become your risk register (example below).</div><img src="http://static.wixstatic.com/media/7554f8_d2765cd3ab174def9b6e9af41177171d~mv2.png"/><div>The risk analysis step takes some effort, but the more time and energy spent on it the better the quality of the output and the greater the level of assurance that the business's risks are now prioritised according to the potential opportunity or threat.</div><div>In the next post we'll look at the Risk Evaluation phase - the concluding step to the overall Risk Assessment element of the Risk Management Process.</div></div>]]></content:encoded></item><item><title>Where the rubber hits the road! Risk Assessment</title><description><![CDATA[In the last blog, we saw that the effort taken to establish the context of risk for the organisation is critical. We'll now start to explore the next phase in the risk management process which is actually three steps bundled under a broader heading called Risk Assessment. Those steps are: Identify Risks Analyse Risks Evaluate Risks It should be remembered that risks may be assessed by individual project or process, by department, division or even the organisation as a whole. 
In each case, you'll<img src="http://static.wixstatic.com/media/7554f8_40e54da8d5b5419d8a0a2858e5543068%7Emv2_d_5412_3475_s_4_2.jpeg/v1/fill/w_626%2Ch_402/7554f8_40e54da8d5b5419d8a0a2858e5543068%7Emv2_d_5412_3475_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2016/12/06/Where-the-rubber-hits-the-road-Risk-Assessment</link><guid>https://www.proximityriskassurance.com.au/single-post/2016/12/06/Where-the-rubber-hits-the-road-Risk-Assessment</guid><pubDate>Mon, 05 Dec 2016 23:38:09 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_40e54da8d5b5419d8a0a2858e5543068~mv2_d_5412_3475_s_4_2.jpeg"/><div>In the last blog, we saw that the effort taken to establish the context of risk for the organisation is critical. We'll now start to explore the next phase in the risk management process, which is actually three steps bundled under a broader heading called Risk Assessment. Those steps are:</div><div>Identify Risks</div><div>Analyse Risks</div><div>Evaluate Risks</div><div>It should be remembered that risks may be assessed by individual project or process, by department, division or even the organisation as a whole. In each case, you'll want to consider the appropriate tools and techniques for the situation.</div><div>The Risk Assessment component of the risk management process is designed to assist in understanding the impact or consequences of risks and the likelihood or probability of them occurring. With this understanding, their effect on the achievement of objectives, and therefore whether treatment is required, can be determined.</div><div>The International Standard ISO/IEC 31010 - Risk management - Risk assessment techniques offers the following:</div><div>Risk assessment provides an understanding of risks, their causes, consequences and their probabilities. 
This provides input to decisions about:</div><div>whether an activity should be undertaken;</div><div>how to maximise opportunities;</div><div>whether risks need to be treated;</div><div>choosing between options with different risks;</div><div>prioritising treatment options;</div><div>the most appropriate selection of risk treatment strategies that will bring adverse risks to a tolerable level.</div><div>Risk assessment therefore is a powerful tool and organisations should get into the habit of performing them regularly and diligently.</div><div>A properly executed risk assessment process also considers the existing controls that are in place and their adequacy and effectiveness.</div><div>So let's consider the first step in the risk assessment process.</div><div>Risk Identification</div><div>The purpose of this step is to understand what risks might affect the organisation (or department, division, process or project) in achieving its objectives.</div><div>As risks are identified they should be documented and the nature of any existing controls should also be recorded. For instance, with a safety related risk, reference should be made to the <a href="https://healthandsafety.curtin.edu.au/2011_Hierarchy_of_Controls.pdf">Hierarchy of Controls</a>. Similar principles can be applied to most risks, i.e. do they rely on human actions, physical or system controls etc.</div><div>The purpose of the identification exercise is to understand the cause and source of the risk and under what circumstances or in what situations it might occur. These could be risks that are one-off and occur as a result of a specific event (e.g. a natural disaster) or they could be the outcome of deteriorating conditions (e.g. major equipment failure).</div><div>This is the stage where the risk assessor will initially consider the materiality of the risks in the context of the organisation, although deeper analysis of this occurs in the next step, risk analysis.</div><div>So how does one go about identifying risks? 
Well, there are a multitude of techniques that can be adopted for the purpose. There is no right or wrong tool - it really just has to meet the needs of the users and the organisation.</div><div>Complexity of business operations and related data may require a quite sophisticated risk identification technique. More straightforward processes may use a fairly basic tool. Whatever the choice, it needs to identify as many risks as possible. </div><div>As a result, many firms will use multiple tools in the risk identification process and will include people from as many different parts of the operation as possible to get a wide range of views and experiences. Some will engage external subject matter experts or consultants to help facilitate a deeper exploration of potential threats and opportunities.</div><div>Some of the more popular techniques and tools include brainstorming sessions (also known as risk workshops), interviews with key staff, historical incident analysis (including incidents affecting competitors or similar industries), scenario analysis and root cause analysis.</div><div>We'll examine some of the more common techniques in further detail in a later blog.</div><div>In the next post, we'll move onto the Risk Analysis and Risk Evaluation steps of the overall risk assessment process.</div></div>]]></content:encoded></item><item><title>It's all about the context!</title><description><![CDATA[An often overlooked step in conducting any risk management activity is putting it in the context of the business unit, project or organisation. In ISO 31000, this step in the process is called 'Establish the Context'.The Standard talks about the context using three 'lenses' - the strategic context, the organisational context and the risk management context. 
Let's look at each briefly: Strategic context - this lens looks at the organisation and its interactions with the environment within which it<img src="http://static.wixstatic.com/media/7554f8_2e621eedd08e4a5e97fe1fb5f70a45a0%7Emv2_d_3072_2048_s_2.jpeg/v1/fill/w_626%2Ch_417/7554f8_2e621eedd08e4a5e97fe1fb5f70a45a0%7Emv2_d_3072_2048_s_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2016/11/11/Its-all-about-the-context</link><guid>https://www.proximityriskassurance.com.au/single-post/2016/11/11/Its-all-about-the-context</guid><pubDate>Fri, 11 Nov 2016 01:32:53 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_2e621eedd08e4a5e97fe1fb5f70a45a0~mv2_d_3072_2048_s_2.jpeg"/><div>An often overlooked step in conducting any risk management activity is putting it in the context of the business unit, project or organisation. In ISO 31000, this step in the process is called 'Establish the Context'.</div><div>The Standard talks about the context using three 'lenses' - the strategic context, the organisational context and the risk management context. Let's look at each briefly:</div><div><div>Strategic context - this lens looks at the organisation and its interactions with the environment within which it operates. Some things to consider are the macroeconomic environment, competitive position, social and community expectations, technology developments and legal / regulatory constraints. Identifying key stakeholders and their interests is also a primary focus.</div><div>Organisational context - it's important to understand the goals and objectives of the organisation before a risk activity is undertaken. What strategies have been implemented to achieve these goals? 
Does the organisation have the capability (financial resources, commitment, leadership support, capable and enabled people, the right systems and processes) to succeed in its mission?</div><div>Risk management context - here we look at the parameters for the risk activity. What are we trying to achieve? What is in and out of scope? Which parts of the organisation will be involved? What are the projected costs and benefits and who needs to be involved? This element is critical in setting expectations about the purpose of the exercise and what will and won't be addressed.</div></div><div>Hopefully the benefit of conducting this step in the risk management process is obvious - the clarity it provides is invaluable and it helps ensure that the subsequent steps are focussed and in line with the organisational context.</div><div>Almost as a by-product of the exercise, however, come two incredibly valuable insights into the organisation - its appetite for risk and a view of its risk culture or attitude.</div><div>We'll cover risk appetite more in a subsequent post but for now let's define this as the amount of risk the organisation (or an individual for that matter) is prepared to accept in order to achieve its objectives. This is influenced by the risk culture / attitude.</div><div>Again, we'll talk about risk culture more later but in short, there are three generally accepted descriptions for risk attitude:</div><div>risk averse - where risk is generally avoided</div><div>risk seeking - where risk is actively sought</div><div>risk neutral - where risk is neither actively sought nor avoided</div><div>Naturally, some organisations and individuals will be extremely conservative in their risk taking (e.g. a charity or aged care facility) and others will embrace risk (tech startups, innovators). 
Most organisations will sit somewhere in the middle and adapt to the situation or circumstances confronting them at the time.</div><div>Understanding the risk appetite and risk culture in an organisation at the start of any risk management activity is going to ensure a successful start. And it all comes from spending a bit of time and effort up front to 'Establish the Context'. </div><div>Don't underestimate the importance - establishing the context when conducting a risk management exercise is not only key, but needs to be done every time.</div><div>Look at the outcome of this week's US elections - for some organisations, not much will have changed. For many, the external environment will be in a state of flux - what will the risk context look like for them?</div></div>]]></content:encoded></item><item><title>What does good look like? Embedded Risk Management</title><description><![CDATA[There are a lot of elements that must come together to make an effective risk management program. The tone from the top, regular and clear communications with team members, training, engagement & involvement in the risk management process and solid linking with strategic planning activities are just some key elements.Assuming that it all comes together, what features would we expect a well established and embedded risk management program to have?Firstly, there would be clarity about what risk<img src="http://static.wixstatic.com/media/7554f8_64508de6d4044deb875125f02242eb61%7Emv2_d_4000_2914_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2016/10/28/What-does-good-look-like-Embedded-Risk-Management</link><guid>https://www.proximityriskassurance.com.au/single-post/2016/10/28/What-does-good-look-like-Embedded-Risk-Management</guid><pubDate>Mon, 31 Oct 2016 00:52:34 +0000</pubDate><content:encoded><![CDATA[<div><img 
src="http://static.wixstatic.com/media/7554f8_64508de6d4044deb875125f02242eb61~mv2_d_4000_2914_s_4_2.jpeg"/><div>There are a lot of elements that must come together to make an effective risk management program. The tone from the top, regular and clear communications with team members, training, engagement &amp; involvement in the risk management process and solid linking with strategic planning activities are just some key elements.</div><div>Assuming that it all comes together, what features would we expect a well established and embedded risk management program to have?</div><div>Firstly, there would be clarity about what risk the business can tolerate and what it needs to do to manage this risk. This wouldn't be confined to the Board room or the risk department, but would be understood by the entire team.</div><div>Secondly, armed with this awareness, there would be an expectation that staff would proactively think about risk and respond appropriately and in a timely manner. First line of defence participation and ownership would be high.</div><div>Next, in this environment there would be an expectation of a disciplined and structured approach to risk - everybody would know their responsibilities for risk management, enabling a coordinated and effective response to risk.</div><div>All of the above should lead to what many would call a risk aware culture.</div><div>The Risk Management Process</div><img src="http://static.wixstatic.com/media/7554f8_9cf6c2d4b0bd468190fb73b18305e8b2~mv2.jpg"/><div>*Source: Based on CAN/CSA-ISO 31000-10, Risk Management – Principles and Guidelines, International Standards Organization/Canadian Standards Association, 2009</div><div>The above diagram is from the ISO 31000 standard. 
In future posts we'll talk about each of the elements in turn but for now, assuming an organisation had adopted this approach to risk management, we would expect to see certain attributes:</div><div>future focussed - anticipate and manage uncertainty</div><div>transparent - open dialogue with stakeholders about risks</div><div>constructive - as much about realising opportunities as mitigating threats</div><div>consistent &amp; comprehensive - uniformly applied across all business units</div><div>strategic - drive the RM process by aligning with business objectives</div><div>reflective - maintain a healthy unease by regularly evaluating the process</div><div>agile - adaptive to the business as it grows and evolves</div><div>Imagine the benefits that would flow to an organisation that was able to get this right. It takes an investment of time and resources but most importantly, leadership from the very top.</div><div>Some organisations seem to manage their risk with ease, some do a great job at one element (e.g. safety) and are not so good at the rest. Others are yet to formally start the journey to realising the benefits of good risk management. Whatever stage of the risk journey your organisation is at, it's worth continuing the conversation.</div><div>Next time, we'll discuss the first component of the process - Establish Context.</div></div>]]></content:encoded></item><item><title>Organisations must manage risk!</title><description><![CDATA[Sounds pretty obvious but some organisations still don't get the connection between proactive risk management and achievement of company objectives. As mentioned in an earlier post, risk definitions are many and varied but they all have the same general theme - uncertainty of outcomes that can have a positive or negative effect on objectives.So where do risks come from? 
What generates risks to the organisation?It is said that risk arises when there is a change in the environment in which an<img src="http://static.wixstatic.com/media/7554f8_a4745ddf56cf438cb7941e221c16d816%7Emv2_d_3872_4554_s_4_2.jpeg/v1/fill/w_288%2Ch_339/7554f8_a4745ddf56cf438cb7941e221c16d816%7Emv2_d_3872_4554_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2016/10/18/Organisations-must-manage-risk</link><guid>https://www.proximityriskassurance.com.au/single-post/2016/10/18/Organisations-must-manage-risk</guid><pubDate>Tue, 18 Oct 2016 02:45:26 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_a4745ddf56cf438cb7941e221c16d816~mv2_d_3872_4554_s_4_2.jpeg"/><div>Sounds pretty obvious but some organisations still don't get the connection between proactive risk management and achievement of company objectives. As mentioned in an earlier post, risk definitions are many and varied but they all have the same general theme - uncertainty of outcomes that can have a positive or negative effect on objectives.</div><div>So where do risks come from? What generates risks to the organisation?</div><div>It is said that risk arises when there is a change in the environment in which an organisation operates or the organisation is out of line with the value demands of its stakeholders. Therefore we have two sources of risk - those generated externally to the organisation and to which management must respond, and those whose origins emanate from within the company itself.</div><div>Appropriately managing both of these sources of risk is critical. Why? 
Because organisations need resources (people, equipment, financing, partnerships etc.) to achieve their objectives and unmanaged risks make it difficult for organisations to secure these resources.</div><div>Not all risks are created equal, so we can break them down into categories to further understand their nature. Broadly, these are 'Dynamic' versus 'Static' risks and 'Speculative' versus 'Pure' risks.</div><div>Dynamic Risks:</div><div>These risks arise from the external environment - for example, economic conditions, the operations of the financial markets, competitor initiatives and customer preferences. It's management's job to respond to these risks in a way that creates value for the organisation (or at least minimises losses).</div><div>Static Risks:</div><div>Whilst not related to the organisation's operating environment, these risks can be, and often are, externally generated. Natural disasters or frauds are examples of static risks - they occur on a semi-regular basis.</div><div>From these examples, it can be seen that static risks lend themselves to being insurable risks whereas dynamic risks are not insurable (but may have other risk treatments which we'll discuss in a future post).</div><div>Speculative Risks:</div><div>Are just what the title suggests - a manager speculates that an initiative will provide a gain for the business, but there is also the possibility of a loss. Another example is a gambler who speculates that they will pick a winner but could clearly walk away out of pocket.</div><div>Pure Risks:</div><div>A pure risk, on the other hand, has only two possibilities - a loss or no loss. Think about the possibility of a company building being affected by fire - it will either happen or it won't. 
</div><div>As per the Dynamic / Static relationship, Pure risks are generally insurable (car insurance, building insurance etc) whilst Speculative risks tend not to be insurable.</div><div>Historically, risk management has focussed almost exclusively on Pure / Static risks - that is, it has largely been a discussion about having appropriate insurance coverage. </div><div>Risk Management in the modern era has to be different - speculative risks are where value can be created for the organisation so management of these opportunity risks is at least as important as the more traditional exposure risks.</div><div>There is no choice - organisations who want to survive in the long term must manage risk!</div></div>]]></content:encoded></item><item><title>So, what are the chances?</title><description><![CDATA[Risk affects virtually every aspect of our lives and in turn, virtually every aspect of business. Managing risk therefore is a key activity for us all.Organisations are about creating value and the way they respond to risks affects their strategies, structure and operating activities. 
If we recall the definition 'risk is the effect of uncertainty on objectives', then we know probability plays a large part in the effort required by organisations to respond to risks. In theory, the probability of<img src="http://static.wixstatic.com/media/7554f8_0a7c6b4b475440d78b86c9a35592940e%7Emv2_d_5073_3383_s_4_2.jpeg/v1/fill/w_626%2Ch_417/7554f8_0a7c6b4b475440d78b86c9a35592940e%7Emv2_d_5073_3383_s_4_2.jpeg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2016/10/04/So-what-are-the-chances</link><guid>https://www.proximityriskassurance.com.au/single-post/2016/10/04/So-what-are-the-chances</guid><pubDate>Mon, 03 Oct 2016 23:40:28 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/7554f8_0a7c6b4b475440d78b86c9a35592940e~mv2_d_5073_3383_s_4_2.jpeg"/><div>Risk affects virtually every aspect of our lives and in turn, virtually every aspect of business. Managing risk therefore is a key activity for us all.</div><div>Organisations are about creating value and the way they respond to risks affects their strategies, structure and operating activities. If we recall the definition <div>'risk is the effect of uncertainty on objectives',</div> then we know probability plays a large part in the effort required by organisations to respond to risks.</div><div>In theory, the probability of a risk is assigned a score from 0 to 1 - with, for example, 0.5 representing an equal chance of the risk occurring or not occurring. Just for clarity, a score of zero means there is no risk - the risk will not occur. Likewise, a score of 1 is not a risk - it is certain to happen.</div><div>Most organisations score this probability or uncertainty as the likelihood on a risk matrix (more on risk matrices in a later post). So, frequently terms like 'very unlikely', 'unlikely', 'possible', 'likely' and 'almost certain' appear as a proxy for the theoretical score for likelihood.
</div><div>There are pros and cons for using either numbers or descriptors to describe the probability of a risk. Using numbers implies a precision that is probably not realistic, whilst the use of words opens the likelihood to interpretation by the individual user. Therefore, it is important to clarify the limitations with users and encourage thorough analysis to determine an appropriate likelihood rating.</div><div>The importance of getting this right is clear - a risk with a low likelihood rating will get little, if any, management attention in terms of mitigation effort. On the other hand, a high likelihood rating will attract significant scrutiny from not only management but typically the Board.</div><div>Whilst it's not an exact science, ensuring an appropriate level of due diligence in evaluating and rating the likelihood of identified risks is key to the way an organisation responds and, ultimately, creates value.</div></div>]]></content:encoded></item><item><title>Risk definitions - not so straightforward!</title><description><![CDATA[In many ways, the lack of acceptance and implementation of good risk management practices in organisations comes down to not being able to clearly define exactly what risk or risk management is. If for instance you look up 'what is risk management' in a popular search engine, you will get a staggering 222,000,000 entries!
No wonder there is confusion. To add to the problem, we have Risk Management, Enterprise Risk Management and Strategic Risk Management (and probably others being conceived as we<img src="http://static.wixstatic.com/media/a14a2604ea4cbf0815cffbab0a2418b2.jpg/v1/fill/w_626%2Ch_417/a14a2604ea4cbf0815cffbab0a2418b2.jpg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2016/09/22/Risk-definitions---not-so-straightforward</link><guid>https://www.proximityriskassurance.com.au/single-post/2016/09/22/Risk-definitions---not-so-straightforward</guid><pubDate>Thu, 22 Sep 2016 12:06:42 +0000</pubDate><content:encoded><![CDATA[<div><img src="http://static.wixstatic.com/media/a14a2604ea4cbf0815cffbab0a2418b2.jpg"/><div>In many ways, the lack of acceptance and implementation of good risk management practices in organisations comes down to not being able to clearly define exactly what risk or risk management is. If, for instance, you look up 'what is risk management' in a popular search engine, you will get a staggering 222,000,000 entries! No wonder there is confusion.</div><div>To add to the problem, we have Risk Management, Enterprise Risk Management and Strategic Risk Management (and probably others being conceived as we speak).
Let's look at some commonly used definitions:</div><div>Risk management (RM) is the identification, assessment, and prioritisation of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events* or to maximise the realisation of opportunities.</div><div>Enterprise risk management (ERM) in business includes the methods and processes used by organisations to manage risks and seize opportunities related to the achievement of their objectives.</div><div>Strategic risk management (SRM) can be defined as the process of identifying, assessing and managing the risk in the organisation's business strategy including taking swift action when risks are realized.</div><div>The Risk Management Standard, ISO 31000:2009 defines risk as the effect of uncertainty on objectives. Personally, I find this very useful - concise, incorporates probability / likelihood and allows for upside and downside risks.</div><div>So what should we take from all of the above? When constructing your risk management program, don't rely on finding certainty when it comes to risk definitions. Organisations should build a glossary of risk terms that suit their business and ensure they are published, communicated and most importantly, explained to teams across the organisation. Failing to do so will lead to a similar level of variations in meanings inside your organisation as there are in the outside world.</div><div>*Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It.</div></div>]]></content:encoded></item><item><title>In the beginning, there was risk...</title><description><![CDATA[Risk Management as we think of it in organisations today is still a relatively new development. We shouldn't forget however that risk management activities have been around as long as mankind itself. 
The very pressing requirement for survival dictated that our earliest ancestors became proficient risk managers in order to feed themselves, provide shelter and avoid the many hazards of the era. As time progressed, mankind adopted and learnt better techniques for mitigating risks, such as: banding<img src="http://static.wixstatic.com/media/5ee0fb8d6f44a53523422d3c172c494a.jpg"/>]]></description><dc:creator>Anthony Wilson</dc:creator><link>https://www.proximityriskassurance.com.au/single-post/2016/09/19/In-the-beginning-there-was-risk</link><guid>https://www.proximityriskassurance.com.au/single-post/2016/09/19/In-the-beginning-there-was-risk</guid><pubDate>Mon, 19 Sep 2016 05:25:37 +0000</pubDate><content:encoded><![CDATA[<div><div><img src="http://static.wixstatic.com/media/5ee0fb8d6f44a53523422d3c172c494a.jpg"/></div><div>Risk Management as we think of it in organisations today is still a relatively new development. We shouldn't forget, however, that risk management activities have been around as long as mankind itself. The very pressing requirement for survival dictated that our earliest ancestors became proficient risk managers in order to feed themselves, provide shelter and avoid the many hazards of the era.</div><div>As time progressed, mankind adopted and learnt better techniques for mitigating risks, such as:</div><ul><li>banding together to defend against attacks</li><li>saving assets, resources, and eventually money for a later need</li><li>implementing laws to govern acceptable behaviours</li></ul><div>Further developments for mitigating risk followed - insurance emerged as an early form of transferring risk, as well as the concept of joint ventures where risk could be shared.
The evolution continued - the modern company structure is a sharing of risk among shareholders and ultimately a limiting of losses.</div><div>Now, as it has been for an eternity, old risks disappear and new ones arise - think cyber risk, environmental, discrimination, privacy and corporate governance to name a few. However, there is not much risk of getting eaten by a dinosaur anymore!</div><div>For a discussion on how we can assist with your risk challenges please <a href="mailto:info@proximityriskassurance.com.au?subject=">contact</a> us.</div></div>]]></content:encoded></item></channel></rss>