An often overlooked step in conducting any risk management activity is putting it in the context of the business unit, project or organisation. In ISO 31000, this step in the process is called 'Establish the Context'.
The Standard talks about the context using three 'lenses' - the strategic context, the organisational context and the risk management context. Let's look at each briefly:
Strategic context - this lens looks at the organisation and its interactions with the environment within which it operates. Some things to consider are the macroeconomic environment, competitive position, social and community expectations, technology developments and legal / regulatory constraints. Identifying key stakeholders and their interests is also a primary focus.
Organisational context - it's important to understand the goals and objectives of the organisation before a risk activity is undertaken. What strategies have been implemented to achieve these goals? Does the organisation have the capability (financial resources, commitment, leadership support, capable and enabled people, the right systems and processes) to succeed in its mission?
Risk management context - here we look at the parameters for the risk activity. What are we trying to achieve? What is in and out of scope? Which parts of the organisation will be involved? What are the projected costs and benefits, and who needs to be involved? This element is critical in setting expectations about the purpose of the exercise and what will and won't be addressed.
Hopefully the benefit of conducting this step in the risk management process is obvious - the clarity it provides is invaluable and it helps ensure that the subsequent steps are focussed and in line with the organisational context.
Almost as a by-product of the exercise, however, come two incredibly valuable insights into the organisation - its appetite for risk and a view of its risk culture or attitude.
We'll cover risk appetite more in a subsequent post, but for now let's define it as the amount of risk the organisation (or an individual, for that matter) is prepared to accept in order to achieve its objectives. This is influenced by the risk culture / attitude.
Again, we'll talk about risk culture more later but in short, there are three generally accepted descriptions for risk attitude:
risk averse - where risk is generally avoided
risk seeking - where risk is actively sought
risk neutral - where risk is neither actively sought nor avoided
Naturally, some organisations and individuals will be extremely conservative in their risk taking (e.g. a charity or aged care facility) and others will embrace risk (tech startups, innovators). Most organisations will sit somewhere in the middle and adapt to the situation or circumstances confronting them at the time.
Understanding the risk appetite and risk culture in an organisation at the start of any risk management activity is going to ensure a successful start. And it all comes from spending a bit of time and effort up front to 'Establish the Context'.
Don't underestimate the importance - establishing the context when conducting a risk management exercise is not only key, but needs to be done every time.
Look at the outcome of this week's US elections - for some organisations, not much will have changed. For many, the external environment will be in a state of flux - what will the risk context look like for them?